To minimize the risk of security threats, there are a number of auditing steps you can take. The following table lists various events that you should audit, as well as the specific security threat that the audit event monitors.

| Audit Event | Potential Threat |
| --- | --- |
| Failure audit for logon/logoff | Random password hack |
| Success audit for logon/logoff | Stolen password break-in |
| Success audit for privilege use, user and group management, security change policies, restart, shutdown, and system events | Misuse of privileges |
| Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files. | Improper access to sensitive files |
| Success and failure audit for file-access printers and object-access events. Print Manager success and failure audit of print access by suspect users or groups for the printers. | Improper access to printers |
| Success and failure write access auditing for program files (with .exe and .dll extensions). Success and failure auditing for process tracking. Run suspect programs; examine security log for unexpected attempts to modify program files or create unexpected processes. Run only when actively monitoring the system log. | Virus outbreak |

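
One way to apply the table's recommendations with the built-in `auditpol` tool, as an added example that is not part of the original page. The mapping from each table row to an `auditpol` category (English-locale names) is an assumption made for this example.

```powershell
# Added example, not from the original page. Run in an elevated PowerShell session.
# Assumption: the table's audit events map to these auditpol categories
# (English-locale names; localized systems use different display names).
$plan = @(
    @{ Threat = 'Random password hack';              Category = 'Logon/Logoff';       Success = $false; Failure = $true  }
    @{ Threat = 'Stolen password break-in';          Category = 'Logon/Logoff';       Success = $true;  Failure = $false }
    @{ Threat = 'Misuse of privileges';              Category = 'Privilege Use';      Success = $true;  Failure = $false }
    @{ Threat = 'Misuse of privileges';              Category = 'Account Management'; Success = $true;  Failure = $false }
    @{ Threat = 'Misuse of privileges';              Category = 'Policy Change';      Success = $true;  Failure = $false }
    @{ Threat = 'Misuse of privileges';              Category = 'System';             Success = $true;  Failure = $false }
    @{ Threat = 'Improper access to files/printers'; Category = 'Object Access';      Success = $true;  Failure = $true  }
    # Process tracking is high volume; the table says to run it only while
    # actively monitoring, so it is opt-in here.
    @{ Threat = 'Virus outbreak';                    Category = 'Detailed Tracking';  Success = $true;  Failure = $true; OptIn = $true }
)
$includeOptIn = $false   # set to $true during an active investigation

foreach ($row in $plan) {
    if ($row.OptIn -and -not $includeOptIn) { continue }
    # Only ever enable settings; this script never passes :disable,
    # so it does not switch off auditing that is already on.
    $flags = @()
    if ($row.Success) { $flags += '/success:enable' }
    if ($row.Failure) { $flags += '/failure:enable' }
    & auditpol.exe /set "/category:$($row.Category)" @flags | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for '$($row.Category)' ($($row.Threat))"
    }
}

# Show the effective policy so the result can be compared against the table.
& auditpol.exe /get /category:*
```

Enabling the Object Access category only produces events for files, folders, and printers that also have auditing entries set on the object itself, which is the per-object step the table's file and printer rows describe.
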
For more information, see "Audit policy" and "Set, view, change, or remove auditing for a file or folder".