Wednesday, June 06, 2007

Recommended Windows Audit Logging Policy

Here is a great post from Randy Smith on preferred Windows logging policy. This is indeed a very common question we face: what logging to enable (my guide on what logging to enable to assist with PCI compliance is coming soon).

So, here is the essence of what Randy says (but do read the whole post):

"System Events - S/F
Policy Change - S/F
Account Management - S/F
Privilege Use - Disabled
Logon/Logoff - S/F"

('S' is a success audit and 'F' is failure audit)
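The policy above as a script, added here as a worked example (it is not from the original post or from Randy Smith's article). It uses the built-in auditpol.exe, which ships with Windows Vista / Server 2008 and later; on XP and 2003 the same five categories are set through Local Security Policy (secpol.msc) or Group Policy instead. The backup file path is an assumption. The script saves the current policy, applies the recommended settings per category, then reads the policy back and reports any subcategory that does not match, so you can see that "Privilege Use" really ended up disabled while the other four are set to success and failure.

```powershell
# Added example, not code from the original post: apply the recommended audit policy
# with auditpol.exe (Windows Vista / Server 2008 and later). Run from an elevated prompt.
$ErrorActionPreference = 'Stop'

# Category names exactly as auditpol.exe reports them, with the recommended settings.
$recommended = [ordered]@{
    'System'             = @{ Success = $true;  Failure = $true  }
    'Policy Change'      = @{ Success = $true;  Failure = $true  }
    'Account Management' = @{ Success = $true;  Failure = $true  }
    'Privilege Use'      = @{ Success = $false; Failure = $false }   # disabled: too noisy
    'Logon/Logoff'       = @{ Success = $true;  Failure = $true  }
}

# 1. Keep a copy of the current policy so the change can be rolled back.
#    The path is an assumption; pick whatever suits your environment.
$backup = Join-Path $env:TEMP 'auditpol-before.csv'
auditpol /backup "/file:$backup" | Out-Null
Write-Host "Previous policy saved to $backup (roll back with: auditpol /restore /file:$backup)"

# 2. Apply each category. auditpol takes success and failure as separate switches.
foreach ($category in $recommended.Keys) {
    $s = if ($recommended[$category].Success) { 'enable' } else { 'disable' }
    $f = if ($recommended[$category].Failure) { 'enable' } else { 'disable' }
    auditpol /set "/category:$category" "/success:$s" "/failure:$f" | Out-Null
}

# 3. Verify. 'auditpol /get ... /r' prints CSV with an 'Inclusion Setting' column whose
#    value is one of: 'Success and Failure', 'Success', 'Failure', 'No Auditing'.
function Expected-Setting($cfg) {
    if ($cfg.Success -and $cfg.Failure) { return 'Success and Failure' }
    if ($cfg.Success)                   { return 'Success' }
    if ($cfg.Failure)                   { return 'Failure' }
    return 'No Auditing'
}

$problems = @()
foreach ($category in $recommended.Keys) {
    $want = Expected-Setting $recommended[$category]
    $rows = auditpol /get "/category:$category" /r |
            Where-Object { $_ -match ',' } |      # drop any blank line before the header
            ConvertFrom-Csv
    foreach ($row in $rows) {
        $have = $row.'Inclusion Setting'
        if ($have -ne $want) {
            $problems += "$category / $($row.Subcategory): have '$have', want '$want'"
        }
        Write-Host ("{0,-20} {1,-45} {2}" -f $category, $row.Subcategory, $have)
    }
}

if ($problems.Count -eq 0) {
    Write-Host 'Audit policy matches the recommended settings.'
} else {
    Write-Warning ("Mismatches:`n" + ($problems -join "`n"))
}
```

Setting a category with auditpol sets every subcategory beneath it, which is why the verification loop walks subcategories rather than categories. If a Group Policy object also sets audit policy for the machine, it will overwrite these local settings at the next refresh, so on domain-joined hosts the same five values belong in the GPO rather than in a local script.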

It is indeed true that, even though it sounds important, "privilege use" logging will cause a flood of noise which will be pretty darn hard to map to something relevant in the real world: it records every exercise of a user right, such as the backup privilege being used for each file a backup job touches, so the success audits fire constantly. What can you say, it's the Windows logging world :-)

Dr Anton Chuvakin