Best Practices

  • Determine which events should be recorded. Work with business and technical decision makers to ensure that all actions and operations that should be audited are audited. Because auditing does result in performance degradation, you should audit only for events to which you believe you might need to refer in the future.

  • Synchronize the time on all computers and network devices. To correlate events that take place on different computers and network devices, you must ensure that the time is synchronized. Ideally, all computers and devices should be synchronized with the same time source.

  • Create a baseline of events. Create a baseline of security events under normal conditions that can be used later for comparisons with possibly suspicious ...
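
One way to build and use such a baseline is shown below. This is an added example, not code from the book: it counts Security log events per event ID and compares a later window against the saved counts. The function names, the 3x threshold and the sample counts are assumptions made for illustration.

```powershell
# Added example. Function names, threshold and sample counts are illustrative assumptions.

function Get-SecurityEventCounts {
    param([datetime]$Start, [datetime]$End)
    # Reads the live Security log; requires an elevated session.
    $counts = @{}
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
        Group-Object -Property Id |
        ForEach-Object { $counts[[int]$_.Name] = $_.Count }
    return $counts
}

function Compare-EventBaseline {
    param(
        [hashtable]$Baseline,
        [hashtable]$Current,
        [double]$Factor = 3.0    # assumed threshold: flag counts above 3x the baseline
    )
    # Walk every event ID seen in either window so that new IDs and vanished IDs both surface.
    $ids = @($Baseline.Keys) + @($Current.Keys) | Sort-Object -Unique
    foreach ($id in $ids) {
        $was = if ($Baseline.ContainsKey($id)) { $Baseline[$id] } else { 0 }
        $now = if ($Current.ContainsKey($id))  { $Current[$id] }  else { 0 }
        $reason = $null
        if     ($was -eq 0)              { $reason = 'not seen in baseline' }
        elseif ($now -eq 0)              { $reason = 'present in baseline, absent now' }
        elseif ($now -gt $was * $Factor) { $reason = "more than ${Factor}x baseline" }
        if ($reason) {
            [pscustomobject]@{ EventId = $id; Baseline = $was; Current = $now; Reason = $reason }
        }
    }
}

# Constructed sample counts for two windows of equal length (not real measurements).
# 4624 = successful logon, 4625 = failed logon, 4688 = process creation, 4720 = account created.
$baseline = @{ 4624 = 1200; 4625 = 15;  4688 = 900 }
$current  = @{ 4624 = 1250; 4625 = 240; 4720 = 2 }

Compare-EventBaseline -Baseline $baseline -Current $current | Format-Table -AutoSize

# On a live system, capture the baseline during normal operation and keep it for later comparison:
#   Get-SecurityEventCounts -Start (Get-Date).AddDays(-1) -End (Get-Date) | Export-Clixml .\baseline.xml
#   Compare-EventBaseline -Baseline (Import-Clixml .\baseline.xml) `
#       -Current (Get-SecurityEventCounts -Start (Get-Date).AddDays(-1) -End (Get-Date))
```

Compare windows of the same length and the same time of day or week, and only across machines whose clocks are synchronized, otherwise the window boundaries do not line up.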
