Incidentally, unlike other Group Policy settings, Microsoft have not created an 'Explain' tab for these policies; however, if you right-click and select 'Help', there is a comprehensive explanation of each policy setting.
Trap: If you are intending to set Local Policies for your actual Windows Server 2003 Domain Controller, then you should go to All Programs, Administrative Tools, Domain Controller policy. (Audit policies for Member Servers and XP clients can be set at the Domain or OU level.)
Watch out for two similar and potentially confusing policies, 'Audit Account Logon events' and 'Audit Logon events'. The difference is that Audit Logon events (the shorter one) means that you are checking who is pressing Ctrl+Alt+Del at the domain controller (or desktop); whereas Audit Account Logon events (the longer one) generates an event every time a user connects to that server across the network.
In terms of strategy, decide whether you simply want to record logon failures (possible illegal access attempts), or whether you also need to audit success. Once you enable security policies, check the Security Log in Microsoft's Event Viewer (not the System Log) for user activity. Another tip: once you become serious about security, increase the size of the log from 512 KB to at least 10 MB.
If you need to record who is accessing shares, or who is deleting files, then first you must enable 'Audit Object Access'. Only when you have thrown the Object Access 'master switch' can you start checking who is doing what to your folders and printers.
I have lumped together account management, privilege use and directory service access. These are three settings that only big companies need to audit. It is all well and good recording lots of events, but ask yourself, 'Who will have the time to scour through zillions of events?' Better to record only essential settings; that way, you will easily spot security breaches.
If you enable process tracking you should get the sack! Stern words to make a serious point. My point is that auditing eats up CPU cycles; in fact, process tracking is so intensive that your server will grind to a halt. Perhaps you can see why I would forbid process tracking. People then ask me, 'Why would Microsoft include process tracking if it's so crippling?' The answer is so that developers can troubleshoot their new programs.
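The strategy set out in the preceding paragraphs (failures for the two logon policies, Object Access switched on, the three 'big company' categories and process tracking left off) can be written down as a security template and applied with secedit.exe, the command-line counterpart of the Security Configuration snap-ins. The script below is an added example, not code from the original page; it assumes PowerShell on a Windows Server 2003-era member server (for a domain controller, edit the Domain Controller policy in Group Policy instead, as the Trap above says), that it is run elevated, and the file names under $env:TEMP are placeholders of my choosing. The [Event Audit] keys and value meanings (0 = none, 1 = success, 2 = failure, 3 = both) are the standard security-template format.

```powershell
# Added example: apply the article's audit strategy as a secedit security template.
# Assumptions: run elevated; paths under $env:TEMP are placeholders; Windows Server
# 2003-era host (on a DC, use the Domain Controller policy in Group Policy instead).

# Single-quoted here-string so the "$CHICAGO$" signature is not interpolated.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
; 0 = no auditing, 1 = success only, 2 = failure only, 3 = success and failure
; Keys not listed in the template are left at their current setting.
AuditLogonEvents = 2
AuditAccountLogon = 2
; Set the two logon keys to 3 if the plan is to audit success as well as failure.
AuditObjectAccess = 2
AuditAccountManage = 0
AuditPrivilegeUse = 0
AuditDSAccess = 0
AuditProcessTracking = 0
'@

$Inf = Join-Path $env:TEMP 'audit-policy.inf'
$Db  = Join-Path $env:TEMP 'audit-policy.sdb'
$Log = Join-Path $env:TEMP 'audit-policy.log'

# Security templates are UTF-16 files, hence -Encoding Unicode.
Set-Content -Path $Inf -Value $Template -Encoding Unicode

# Apply only the SECURITYPOLICY area (which holds the audit policy) from the template.
secedit.exe /configure /db $Db /cfg $Inf /areas SECURITYPOLICY /log $Log

# Check: export the policy now in force and show just the audit keys.
$Current = Join-Path $env:TEMP 'audit-current.inf'
secedit.exe /export /cfg $Current /areas SECURITYPOLICY
Get-Content $Current | Select-String -Pattern '^Audit'
```

The export at the end is the check worth keeping: it reads back what the engine actually applied rather than what the template asked for, so a domain-level GPO overriding a local setting shows up immediately.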
Guy Recommends: Solarwinds' Log & Event Management Tool
LEM will alert you to problems such as when a key application on a particular server is unavailable. It can also detect when services have stopped, or if there is a network latency problem. Perhaps this log and event management tool's most interesting ability is to take corrective action, for example by restarting services, or isolating the source of a malware attack.
Yet perhaps the killer reason why people use LEM is for its compliance capability; with a little help from you, it will ensure that your organization complies with industry standards such as CISP or FERPA. LEM is a really smart application that can make correlations between data in different logs, then use its built-in logic to take corrective action, to restart services, or thwart potential security breaches.
Note: The following account logon events are recorded in the event logs on domain controllers for domain account activity, but on local computers for local account attempts.
528 A user successfully logged on to a computer. (This will also record a logon type, for instance 2 = Interactive, 3 = Network.)
529 Logon failure. A logon attempt was made with an unknown user name or a known user name with a bad password.
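Once the policy is in and the Security Log has been enlarged, the next question is how to read the 528/529 entries without scrolling through Event Viewer. The script below is an added example rather than code from the original page: it parses the message text of those two event IDs into flat records and groups the failures by the account name that was tried. It assumes the Windows Server 2003-era IDs listed above (later Windows versions use 4624/4625 and a different message layout), PowerShell 2.0 or later, and constructed sample records so it can be tried offline; the logon-type descriptions beyond 2 and 3 are from the standard Windows list, not the article.

```powershell
# Added example: triage 528/529 logon events from the Security log.
# Assumes the Windows Server 2003-era event IDs (later versions use 4624/4625 with a
# different message layout) and PowerShell 2.0 or later.

# Logon Type values as they appear in the 528/529 message text.
$LogonTypes = @{
    2  = 'Interactive (Ctrl+Alt+Del at the console)'
    3  = 'Network (share or other connection across the network)'
    4  = 'Batch'
    5  = 'Service'
    7  = 'Unlock'
    10 = 'RemoteInteractive (Terminal Services)'
}

function Get-LogonSummary {
    # Turns raw 528/529 event records into flat objects by parsing the message text.
    param([Parameter(Mandatory = $true)][object[]]$Events)
    foreach ($e in $Events) {
        $user = if ($e.Message -cmatch 'User Name:\s*(\S+)')        { $Matches[1] } else { '?' }
        $type = if ($e.Message -cmatch 'Logon Type:\s*(\d+)')       { [int]$Matches[1] } else { -1 }
        $wks  = if ($e.Message -cmatch 'Workstation Name:\s*(\S+)') { $Matches[1] } else { '' }
        New-Object PSObject -Property @{
            Time        = $e.TimeGenerated
            Result      = if ($e.EventID -eq 528) { 'Success' } else { 'Failure' }
            User        = $user
            LogonType   = if ($LogonTypes.ContainsKey($type)) { $LogonTypes[$type] } else { "Type $type" }
            Workstation = $wks
        }
    }
}

function Get-FailedLogonsByUser {
    # Failed attempts grouped by the account name that was tried, busiest first.
    param([Parameter(Mandatory = $true)][object[]]$Events)
    Get-LogonSummary -Events $Events |
        Where-Object { $_.Result -eq 'Failure' } |
        Group-Object -Property User |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Name, Count
}

# Constructed sample records (not real log data) laid out like 528/529 message text,
# so the parser can be exercised without touching a live Security log.
$Sample = @(
    New-Object PSObject -Property @{
        TimeGenerated = Get-Date
        EventID       = 528
        Message       = "Successful Logon:`r`n`tUser Name:`tguy`r`n`tDomain:`t`tCP`r`n`tLogon ID:`t(0x0,0x3E7)`r`n`tLogon Type:`t2`r`n`tWorkstation Name:`tSERVER1"
    }
    New-Object PSObject -Property @{
        TimeGenerated = Get-Date
        EventID       = 529
        Message       = "Logon Failure:`r`n`tReason:`t`tUnknown user name or bad password`r`n`tUser Name:`tadministrator`r`n`tDomain:`t`tCP`r`n`tLogon Type:`t3`r`n`tWorkstation Name:`tWKS42"
    }
    New-Object PSObject -Property @{
        TimeGenerated = Get-Date
        EventID       = 529
        Message       = "Logon Failure:`r`n`tReason:`t`tUnknown user name or bad password`r`n`tUser Name:`tadministrator`r`n`tDomain:`t`tCP`r`n`tLogon Type:`t3`r`n`tWorkstation Name:`tWKS42"
    }
)

Get-LogonSummary -Events $Sample |
    Select-Object Time, Result, User, LogonType, Workstation |
    Format-Table -AutoSize
Get-FailedLogonsByUser -Events $Sample    # administrator: 2 failures from WKS42

# Live use on the server once the audit policy is enabled (PowerShell 2.0 or later):
#   Limit-EventLog -LogName Security -MaximumSize 10MB    # the article's 512 KB -> 10 MB tip
#   $Events = Get-EventLog -LogName Security -After (Get-Date).AddDays(-1) |
#             Where-Object { $_.EventID -eq 528 -or $_.EventID -eq 529 }
#   Get-FailedLogonsByUser -Events $Events
```

Parsing the message text rather than relying on the insertion-string order keeps the script readable and is good enough for the two IDs here; the failure count per user is the figure that answers the article's question of whether you are looking at stray typos or a run of illegal access attempts.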
Here we have the classic Group Policies to track who does what on the servers or local computers. Some audit settings need to be on all the time, while others you need just for troubleshooting. Configuring the Group Policy settings is not difficult, provided you have an action plan based on the appropriate security classification of your organization.
Guy Recommends: Orion's NPM - Network Performance Monitor
Orion's performance monitor is designed for detecting network outages. NPM makes it easy to see what's working, and what needs your attention.
This utility guides you through creating network maps. It also helps troubleshooting by indicating whether the root cause is faulty equipment, or resource overload.