Chapter 10. Auditing Windows Server 2008

IN THIS CHAPTER

  • Discovering how auditing works and why to use it

  • Configuring policies for auditing

  • Examining the audit reports

  • Enabling auditing—effective strategies for specific scenarios

Auditing provides a means of tracking all events in Windows Server 2008 to monitor system access and ensure system security. It is a critical security tool, but it can overwhelm a server if it is not configured and used correctly. This chapter explains how and why you should implement auditing, and provides some specific tips on how to configure and use auditing for different situations. As you read through the chapter, keep in mind that auditing is just one weapon in your security arsenal. Locking down the server, using firewalls, and applying other security-management tools are even more important. This chapter also covers Active Directory auditing. If you are not familiar with security policy settings, you can also use the Security Configuration Wizard (SCW), discussed in Chapter 16, to set up auditing. It provides a quick wizard-based model for audit configuration. The SCW stores its audit settings in an audit policy.

Auditing Overview

In Windows Server 2008, auditing provides a means of tracking events. It is an important facet of security for individual computers as well as the enterprise. Microsoft defines an event as any significant occurrence in the operating system or an application that requires users (particularly administrators) to be notified. Events ...
