Re: Too much auditing?

From: Eric Fitzgerald [MSFT] (ericf_at_online.microsoft.com)
Date: 06/28/03


Date: Fri, 27 Jun 2003 18:30:14 -0700


Hi Invisible,

1. Just like any security setting, it is typically unproductive to just pick
the highest setting. You need to examine the capabilities of audit, conduct
a threat exercise (determine what threats you want to defend against),
determine which audit categories would give you information which would help
mitigate that threat, and then enable only those categories. As an adjunct
you might want to enable categories that would provide supporting
information, such as process tracking.

2. If you log everything, set your logs to a much larger size, such as 64MB
or 256MB, depending on free space and how fast the machine logs events.

3. Process tracking is a very useful audit category- it allows you to
translate a PID (process ID) into a executable image name. Except on batch
servers or CGI web servers, it's generally very useful and not too verbose.

I have a couple of general recommendations:

1. Failure auditing is not useful for most people, esp. people who don't
look at their logs regularly. I use it, but then I look at my logs every
day and I know what I'm looking for. So don't turn on failure auditing
unless you have a specific goal in mind AND you have staffed and tasked a
position to review the failure audits regularly, with an action plan on what
to do about them.

2. Privilege use auditing generates too many audits to be useful; don't
enable it.

3. Don't audit reads on objects.

4. Don't enable CrashOnAuditFail or AuditBaseObjects (aka Halt the system if
unable to log security events, Audit the access of global system objects).
You're asking for trouble.

5. Set your log file size to something nice and big, say 64MB.

6. Don't set your log file size to something bigger than 256MB (sum total of
all logs on system, not each individual log).

Eric Fitzgerald

Program Manager, Windows Auditing

"Invisible" <orphi69@hotmail.com> wrote in message
news:0d4501c3365c$7002d1f0$a101280a@phx.gbl...
> Alright, so this isn't exactly a "security" question, it's
> an "auditing" question... but I wasn't quite sure where
> else to put it.
>
> Anyway, getting to the point... I see that the folks over
> at my company's American branch have put together a
> standard Group Policy for all AD domains. One of the more,
> um, "interesting" items was their auditing settings: they
> propose to overwrite event logs as needed, set the event
> log sizes to 512KB each, and audit EVERYTHING.
>
> Yes, you heard me: everything. Logon, logoff, GP change,
> account change, system events, process events, EVERYTHING.
>
> Now, I myself happen to think this is a fairly silly idea -
> especially since the event logs will probably only be
> looked at by a human being roughly once a year (unless
> something stops working - if you follow ;-).
>
> For starters, I'm told auditing Process events is only
> supposed to be used for debugging, and generates masses of
> very verbose events about just about anything any thread
> on the system ever does.
>
> In short, SURELY these people are just going to end up
> with event logs that only cover the last 7 minutes of
> sever activity and contain nothing of any value at all.
> (Or if they do, it's totally burried amoung all the junk!)
>
> Now, what I want to know is this: have I totally
> misunderstood how Windows 2000 works, or are my American
> friends actually air-heads?
>
> Thanks.
>



Relevant Pages

  • Re: Auditing in Sharepoint
    ... You can also get a certain amount of auditing by turning on your IIS logging ... You can audit many functions from IIS logs ... > audit Sharepoint or has Microsoft any plans to provide auditing facilities ...
    (microsoft.public.sharepoint.portalserver)
  • RE: MS Audit logs
    ... Because you enabled every audit option, ... agent that will extract your windows logs and forward ... them to an analysis server. ... logs, generate alerts, generate responses, etc. ...
    (Security-Basics)
  • Re: Auditing folders
    ... I'm not sure of the value of auditing successful file ... Those are going to fill up your logs, ... If you audit for a custom group that only ... >> problem is our event log files are huge by the end of the day because ...
    (microsoft.public.security)
  • RE: SAS70
    ... Security, HP Master ASE, CCNA, Security+ ... The SAS70 audit is all about the controls that you have in place and the ... Show me the logs of you doing this. ...
    (Security-Basics)
  • Re: Keep admins off of client machines
    ... entry when he changed or disabled the settings then there will be entries ... monitor the event logs and then do some action such as e-mail or page you. ... As part of your overall security you would have auditing on computer room ... >> servers and if they change the settings you catch them in the audit logs. ...
    (microsoft.public.windows.server.sbs)