Question

Can someone recommend Windows Security Auditing Best Practices?

By Dshute70
I've been asked to provide upper management with details of when users log on and off the network. I know that this information is contained in the security event logs. But are there any specific event IDs I should be looking for? Also, what auditing should I turn on? Should I only turn on auditing on the domain controllers? Is there any reason not to turn on all the auditing in Group Policy? How much of a performance hit would this create? Sorry for so many questions; I just want to make sure I do this correctly. Thanks in advance for any help that can be provided.


All Answers

These are good questions.

by philldmc In reply to Can someone recommend Win ...

What size is your organization? Running multiple servers, domains, etc.? When you turn on auditing you could/will slow down your server(s) and log files will get large.

Are you looking to lock down your system? Prevent users from logging on during certain times? If so, this can be set per user in the AD at the per user level and / or the group policy level.

It's a very small environment

by Dshute70 In reply to These are good questions. ...

It is a very small environment, about 100 users. One domain with two domain controllers. Basically I just want to know who is logging in and when. Also want to be sure I'm collecting as much data as possible in the event that I might need it later.

Auditing Active Directory Logon Events

Firstly, Logon and Logoff audit 'events' are saved in the Security log and there are two steps to performing auditing.
You create an audit policy in AD, then enable auditing on the object.
"Audit logon events" makes a log entry when a user logs on interactively (i.e., at the local keyboard and screen) or remotely (i.e., from over the network). The Logon Type field in the event's description contains a number that specifies the logon's nature: interactive (2), network (3), batch (4), service (5), unlocked workstation (7), network logon using a cleartext password (8), or impersonated logons (9).
The "Audit Account Logon Event" generates an event every time a user connects to that server across the network.
For this reason, it must be set on "every" DC and the log size set to approx 10-20Mb.
It is easier (and best practise) to just audit unsuccessful account logon events as these will show where unauthorised logons are being attempted, or where a user is forgetting their password.

Turning on ALL auditing will be counter-productive unless you really need it. The log files can grow out of control very quickly.
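
One way to build the "who logged on and when" report from the original question, using the Logon Type field described in the answer above. This is an added example, not part of the thread: the event IDs 4624 (logon) and 4634 (logoff) are the Windows Vista / Server 2008 and later numbering and are an assumption, the function names are hypothetical, and the sample records are constructed.

```powershell
# Logon Type labels as listed in the answer above.
$LogonTypes = @{ 2 = 'interactive'; 3 = 'network'; 4 = 'batch'; 5 = 'service'
                 7 = 'unlocked workstation'; 8 = 'network cleartext'; 9 = 'impersonated' }

# Flatten one Security-log event (from Get-WinEvent) into the fields the report needs.
# Assumption: 4624/4634 layout, where both events carry TargetLogonId.
function ConvertTo-LogonRecord {
    param([Parameter(ValueFromPipeline = $true)] $LogEvent)
    process {
        $data = @{}
        foreach ($d in ([xml]$LogEvent.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time = $LogEvent.TimeCreated; Id = $LogEvent.Id; User = $data['TargetUserName']
            LogonId = $data['TargetLogonId']; LogonType = [int]$data['LogonType']
        }
    }
}

# Pair each logon with the logoff that has the same Logon ID.
# Only the requested Logon Types are kept; type 3 (network) is dropped by default
# because every share or DC connection creates one and buries the real sessions.
function Get-LogonSession {
    param([object[]] $Records, [int[]] $Types = @(2))
    $open = @{}
    foreach ($r in ($Records | Sort-Object Time)) {
        if ($r.Id -eq 4624 -and $Types -contains $r.LogonType) {
            $open[$r.LogonId] = $r
        } elseif ($r.Id -eq 4634 -and $open.ContainsKey($r.LogonId)) {
            $on = $open[$r.LogonId]
            $open.Remove($r.LogonId)
            [pscustomobject]@{ User = $on.User; Type = $LogonTypes[$on.LogonType]; LogOn = $on.Time; LogOff = $r.Time }
        }
    }
    # Sessions still open (no logoff recorded yet) are reported with an empty LogOff.
    foreach ($on in $open.Values) {
        [pscustomobject]@{ User = $on.User; Type = $LogonTypes[$on.LogonType]; LogOn = $on.Time; LogOff = $null }
    }
}

# Constructed sample records (not real log data).
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2024-01-08T08:02:11'; Id = 4624; User = 'jsmith'; LogonId = '0x3e7a1'; LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2024-01-08T08:05:00'; Id = 4624; User = 'jsmith'; LogonId = '0x3f010'; LogonType = 3 }
    [pscustomobject]@{ Time = [datetime]'2024-01-08T08:05:30'; Id = 4634; User = 'jsmith'; LogonId = '0x3f010'; LogonType = 3 }
    [pscustomobject]@{ Time = [datetime]'2024-01-08T09:15:03'; Id = 4624; User = 'adavis'; LogonId = '0x41b22'; LogonType = 2 }
    [pscustomobject]@{ Time = [datetime]'2024-01-08T17:31:40'; Id = 4634; User = 'jsmith'; LogonId = '0x3e7a1'; LogonType = 2 }
)
Get-LogonSession -Records $sample | Format-Table -AutoSize
```

Against a live log, run elevated and feed the same function with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4634} | ConvertTo-LogonRecord`.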
