Lesson 2: Planning an Audit Policy
When you plan an audit policy, you need to determine what you want to audit and the computers on which to configure auditing.
After this lesson, you will be able to
- Plan an audit strategy and determine which events to audit.
Estimated lesson time: 5 minutes
When you plan an audit policy, you must determine the computers on which to set up auditing. Auditing is turned off by default. As you are determining which computers to audit, you must also plan what to audit on each computer. Windows 2000 records audited events on each computer separately.
The types of events that you can audit include the following:
- Accessing files and folders
- Logging on and off
- Shutting down and restarting a computer running Windows 2000 Professional
- Changing user accounts and groups
After you have determined the types of events to audit, you must also determine whether to audit the success of events, the failure of events, or both. Tracking successful events can tell you how often Windows 2000 or users gain access to specific files, printers, or other objects. You can use this information for resource planning.
Tracking failed events can alert you to possible security breaches. For example, if you notice a lot of failed logon attempts by a certain user account, especially if these attempts are occurring outside normal business hours, you can assume that an unauthorized person is attempting to break into your system.
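The check described above (many failed logons for one account, mostly outside business hours) as a small piece of added review logic; this is an example written for this lesson, not code from the lesson or from Windows 2000. The event records are constructed samples, and the field layout, business-hours window and threshold are assumptions.

```python
"""Flag accounts with repeated failed logons, weighting those outside business hours.
The records below are constructed samples shaped like the fields a Security log
entry carries (time, category, outcome, account); the layout is an assumption."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (timestamp, audit category, outcome, user account)
SAMPLE_EVENTS = [
    ("2001-03-05 09:12:00", "Logon", "Failure", "jsmith"),
    ("2001-03-05 09:15:00", "Logon", "Success", "jsmith"),
    ("2001-03-06 02:03:00", "Logon", "Failure", "admin"),
    ("2001-03-06 02:04:00", "Logon", "Failure", "admin"),
    ("2001-03-06 02:05:00", "Logon", "Failure", "admin"),
    ("2001-03-06 02:07:00", "Logon", "Failure", "admin"),
    ("2001-03-06 10:30:00", "Object Access", "Success", "admin"),
    ("2001-03-06 23:40:00", "Logon", "Failure", "backup"),
]

BUSINESS_HOURS = (8, 18)  # assumed 08:00-18:00 local schedule


def off_hours(ts: str) -> bool:
    """True if the event time falls outside the assumed business hours."""
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
    return not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1])


def failed_logon_summary(events):
    """Count failed logons per account, noting how many were off-hours."""
    summary = defaultdict(lambda: {"total": 0, "off_hours": 0})
    for ts, category, outcome, user in events:
        if category != "Logon" or outcome != "Failure":
            continue  # successes and other categories are not of interest here
        summary[user]["total"] += 1
        if off_hours(ts):
            summary[user]["off_hours"] += 1
    return dict(summary)


def suspicious_accounts(events, threshold=3):
    """Accounts at or above the failure threshold with a majority of off-hours attempts."""
    flagged = []
    for user, counts in failed_logon_summary(events).items():
        if counts["total"] >= threshold and counts["off_hours"] * 2 > counts["total"]:
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    print(suspicious_accounts(SAMPLE_EVENTS))  # ['admin']
```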
Other guidelines in determining your audit policy include the following:
In this lesson, you learned that in planning an audit policy, you must determine the computers on which to set up auditing and what to audit on each computer. The types of events that you can audit include the following: accessing files and folders, logging on and off, shutting down and restarting a computer running Windows 2000 Professional, and changing user accounts and groups.
You also learned that you can audit the success of events, the failure of events, or both. You track successful events to determine how often Windows 2000 or users gain access to specific files or printers. You can use this information for resource planning. You track failed events to look for possible security breaches. You can also archive the logs to track trends of system use.