Best Practices for Audit Policies
The following are the best practices for audit policies:
Create an audit plan. Decide what you want to audit. Consider the available resources for collecting and reviewing an audit log.
Collect and archive security logs across the organization. Archives can be useful in the event of an intrusion.
Audit success and failure events in the System Events category. This audit allows you to see unusual activity that may indicate that an intruder is attempting to gain access to your computer or your network.
Audit success events in the Policy Change event category on domain controllers. If an event is logged in this category, someone has changed the Local Security Authority (LSA) security policy configuration.
Audit success events in the Account Management event category. This audit allows you to verify changes that are made to account properties and group properties.
Audit success events in the Logon Events category. This audit provides a record of when each user logs on or off a computer. If a user’s password is stolen and an unauthorized person logs on, you can find out when the breach of security occurred.
Audit success events in the Account Logon Events event category. This audit allows you to see when users log on or off a domain.
Set an appropriate size for the security log. Consider the number of events that your audit policy settings will generate and make adjustments as necessary.
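One way to check a machine against the category settings recommended in the list above, as an added example that is not part of the original page. It assumes an English-language Windows system and that the page's category names map onto auditpol's (for example, Logon Events to Logon/Logoff); the function names, host name and GUIDs are constructed for illustration.

```powershell
# Minimum setting per category, taken from the best-practice list above.
# Keys are auditpol category names; mapping the page's names onto them
# (e.g. "Logon Events" -> "Logon/Logoff") is an assumption of this example.
$Baseline = [ordered]@{
    'System'             = 'Success and Failure'
    'Policy Change'      = 'Success'   # the page recommends this on domain controllers
    'Account Management' = 'Success'
    'Logon/Logoff'       = 'Success'
    'Account Logon'      = 'Success'
}

function Get-AuditGap {
    # Emits one object per subcategory whose effective setting is weaker than
    # $Required. $CsvLines is the output of: auditpol /get /category:"<name>" /r
    param([string]$Category, [string]$Required, [string[]]$CsvLines)
    # auditpol may emit blank lines; drop them before parsing the CSV.
    $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv | ForEach-Object {
        $actual = $_.'Inclusion Setting'
        # "Success and Failure" satisfies every requirement in the baseline.
        $ok = ($actual -eq 'Success and Failure') -or ($actual -eq $Required)
        if (-not $ok) {
            [pscustomobject]@{
                Category    = $Category
                Subcategory = $_.Subcategory
                Required    = $Required
                Actual      = $actual
            }
        }
    }
}

function Test-AuditBaseline {
    # Live check against the local machine; run from an elevated prompt.
    foreach ($cat in $Baseline.Keys) {
        $lines = auditpol /get /category:"$cat" /r
        Get-AuditGap -Category $cat -Required $Baseline[$cat] -CsvLines $lines
    }
}

# Constructed sample (host name and GUIDs are placeholders), so the parsing
# logic can be tried without querying a real machine.
$Sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    'HOST01,System,Security State Change,{00000000-0000-0000-0000-000000000001},Success,'
    'HOST01,System,System Integrity,{00000000-0000-0000-0000-000000000002},Success and Failure,'
    'HOST01,System,Other System Events,{00000000-0000-0000-0000-000000000003},No Auditing,'
)
Get-AuditGap -Category 'System' -Required $Baseline['System'] -CsvLines $Sample | Format-Table
```

Calling Test-AuditBaseline on a real host lists every subcategory that falls short of the list above; an empty result means the five categories meet it.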
When the Apply These Auditing Entries To Objects And/Or Containers Within This Container Only check box is selected, auditing is applied only to the selection in the Apply Onto list and its applicable child objects within the tree.
6. Click OK to return to the Advanced Security Settings dialog box for the file or folder.
7. To prevent changes that are made to a parent folder from applying to the currently selected file or folder, clear the Allow Inheritable Auditing Entries From Parent To Propagate To This Object And All Child Objects check box. If the check boxes under Access are shaded in the Auditing Entry For dialog box for the file or folder, or if the Remove button is unavailable in the Access Control Settings For dialog box for the file or folder, auditing has been inherited from the parent folder.
Click OK.
To configure a printer for auditing, complete the following steps:
1. Click Start, and then click Printers And Faxes.
2. In the Printers And Faxes system folder, right-click the printer you want to audit, and then click Properties.
3. In the Properties dialog box for the printer, click the Security tab, and then click Advanced.
4. In the Advanced Security Settings For dialog box for the printer, in the Auditing tab, click Add, select the appropriate users or groups for whom you want to audit printer access, click Add, and then click OK.
5. In the Auditing Entry For dialog box for the printer, select the Successful check box, the Failed check box, or both check boxes for the events that you want to audit.
Table 13-6 describes audit events for printers and explains what action triggers the event to occur.