Policy path | Setting | Recommendation |
--- | --- | --- |
Local Policies/ Audit Policy | Audit account logon events | Enable audit success for all computers, as this event records who accessed the machine. Enable audit failure with caution: an attacker with network access but no credentials could cause a denial of service (DoS) attack, because the computer consumes resources to generate these events. Enable audit success with caution as well, because this setting can cause a DoS condition if computers are configured to shut down when the audit log is full. Correlate any administrator logons with any other suspicious entries. |
Local Policies/ Audit Policy | Audit account management | Enable both success and failure. Correlate all successful audit entries with administrator authorizations. Treat all failures as suspicious. |
Local Policies/ Audit Policy | Audit directory service access | The Default Domain Controllers Group Policy enables this setting by default. Configure audit settings on sensitive directory objects using system access control lists (SACLs) in Active Directory Users and Computers or Active Directory Services Interface Editor (ADSI Edit). Plan your SACL implementation and test your SACLs in a realistic lab environment before deploying them to production; this prevents overloading the security logs with too much data. |
Local Policies/ Audit Policy | Audit logon events | Enable audit success for all computers, as this event records who accessed the computer. Enable audit failure with caution: an attacker with network access but no credentials could still cause your computer to consume resources generating these events. |
Local Policies/ Audit Policy | Audit object access | Use caution when enabling this setting, as it can result in very high audit volume. Configure audit settings only on high-value folders through SACLs, and audit only the minimum set of access types you are interested in. Audit writes only (no read accesses) if your threat model allows it. |
Local Policies/ Audit Policy | Audit policy change | Enable both success and failure event auditing. Cross-reference any successes with administrator authorizations. Treat all failures as suspicious. |
Local Policies/ Audit Policy | Audit privilege use | Do not enable auditing for privilege use, due to the high volume of events it generates. |
Local Policies/ Audit Policy | Audit process tracking | Do not enable this setting on Common Gateway Interface (CGI) Web servers, test computers, servers that run batch processes, or developer workstations. Enable this setting on vulnerable computers, and act immediately on unexpected application activity, physically isolating the computer if necessary. This setting can cause events to fill up the event logs. |
Local Policies/ Audit Policy | Audit system events | Enable both success and failure event auditing. |
Local Policies/ User Rights Assignment | Generate security audits | This right is assigned by default to Local System, Local Service, and Network Service. It should not apply to any accounts other than service accounts, because an attacker holding it can generate spurious or inaccurate events in the security log. |
Local Policies/ User Rights Assignment | Manage auditing and security log | Use this setting to restrict which administrators can change audit settings on files, folders, and registry keys. Consider creating a security group for administrators who may change audit settings, and remove the Administrators group from this Local Security Policy setting. Only members of the new security group should be able to configure auditing. |
Local Policies/ Security Options | Audit: Audit the access of global system objects | This setting adds SACLs to named system objects such as mutexes (mutually exclusive events), semaphores, and MS-DOS devices. Default settings on Windows Server 2003 do not enable this option. Do not enable this setting, as it results in a very high volume of events. |
Local Policies/ Security Options | Audit: Audit the use of Backup and Restore privilege | Backup and restore operations provide an opportunity to steal data that ACLs protect. Even so, do not enable this setting, as it results in a very high volume of events. |
Local Policies/ Security Options | Audit: Shut down system immediately if unable to log security audits | Enable this setting only on very high-value computers and only after careful consideration, because attackers can use this feature for DoS attacks. |
Event Log | Maximum security log size | The maximum security log size must be a multiple of 64 kB. The average event size is 0.5 kB. Recommended settings depend on projected event volumes and on the retention settings for the security log. For high event volume environments, set the log file size as large as possible, even up to 250 MB. The total size of all event logs cannot exceed 300 MB, so do not attempt to exceed this figure. |
Event Log | Prevent local guests group from accessing security log | Windows Server 2003 enables this setting by default; do not change it. |
Event Log | Retain security log | Enable this setting only if you select the retention method "Overwrite events by days." If you use an event correlation system that polls for events, ensure that the number of days is at least three times the poll interval to allow for failed poll cycles. |
Event Log | Retention method for security log | For high-security environments, enable the "Do not overwrite events" setting. In this case, establish procedures to empty and archive logs regularly, particularly if the computer is configured to shut down when the security log fills up. |
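As an added example (not part of the original guide), the following PowerShell script checks a host's effective audit policy and Security log configuration against the recommendations in the table above. It assumes a current Windows host where `auditpol.exe` and `Get-WinEvent` are available, that it runs from an elevated session, and that each legacy audit category in the table can be represented by one modern subcategory (the mapping in `$expected` is an assumption for illustration).

```powershell
# Added example: drift check against the table's audit recommendations.
# Run elevated; reading audit policy and the Security log config needs the
# "Manage auditing and security log" privilege.

# Expected inclusion setting per representative subcategory (assumed mapping
# from the table's legacy categories; adjust for your environment).
$expected = @{
    'Credential Validation'    = 'Success'              # Audit account logon events
    'User Account Management'  = 'Success and Failure'  # Audit account management
    'Directory Service Access' = 'Success and Failure'  # Audit directory service access (DCs only)
    'Logon'                    = 'Success'              # Audit logon events
    'Audit Policy Change'      = 'Success and Failure'  # Audit policy change
    'Sensitive Privilege Use'  = 'No Auditing'          # Audit privilege use: do not enable
    'Security State Change'    = 'Success and Failure'  # Audit system events
}

function Test-AuditPolicy {
    # auditpol /r emits CSV with columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting. Drop blank lines first.
    $rows = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
    foreach ($row in $rows) {
        $name = $row.Subcategory
        if (-not $expected.ContainsKey($name)) { continue }
        $actual = $row.'Inclusion Setting'
        [pscustomobject]@{
            Check    = $name
            Expected = $expected[$name]
            Actual   = $actual
            Status   = if ($actual -eq $expected[$name]) { 'OK' } else { 'DRIFT' }
        }
    }
}

function Test-SecurityLog {
    $sec    = Get-WinEvent -ListLog Security
    $sizeKB = $sec.MaximumSizeInBytes / 1KB
    # Total of the three classic logs, compared with the 300 MB ceiling in the table.
    $totalMB = (Get-WinEvent -ListLog Application, Security, System |
                Measure-Object MaximumSizeInBytes -Sum).Sum / 1MB
    [pscustomobject]@{ Check = 'Security log size is a multiple of 64 kB'; Actual = "$sizeKB kB";
        Status = if ($sizeKB % 64 -eq 0) { 'OK' } else { 'DRIFT' } }
    [pscustomobject]@{ Check = 'Security log size <= 250 MB'; Actual = "$sizeKB kB";
        Status = if ($sizeKB -le 250MB / 1KB) { 'OK' } else { 'DRIFT' } }
    [pscustomobject]@{ Check = 'Classic logs total <= 300 MB'; Actual = "$totalMB MB";
        Status = if ($totalMB -le 300) { 'OK' } else { 'DRIFT' } }
    # LogMode: Circular = overwrite as needed, AutoBackup = archive when full,
    # Retain = do not overwrite (the table's high-security choice).
    [pscustomobject]@{ Check = 'Security log retention method'; Actual = $sec.LogMode;
        Status = if ($sec.LogMode -eq 'Retain') { 'OK' } else { 'REVIEW' } }
}

Test-AuditPolicy | Format-Table -AutoSize
Test-SecurityLog | Format-Table -AutoSize
```

Any `DRIFT` row points at a setting that differs from the table; a `REVIEW` row on retention means the log is set to overwrite, which is acceptable outside high-security environments but should be a deliberate choice paired with an archiving procedure.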