IN THIS CHAPTER
Discovering how auditing works and why to use it
Configuring policies for auditing
Examining the audit reports
Enabling auditing—effective strategies for specific scenarios
Auditing provides a means of tracking all events in Windows Server 2008 to monitor system access and ensure system security. It is a critical tool for ensuring security, but it can overwhelm a server if it is not configured and used correctly. This chapter explains how and why you should implement auditing, and provides some specific tips on how to configure and use auditing for different situations. As you read through the chapter, keep in mind that auditing is just one weapon in your security arsenal. Locking down the server, using firewalls, and applying other security-management tools are even more important.
This chapter also covers Active Directory auditing. If you are not familiar with security policy settings, you can also use the Security Configuration Wizard (SCW), discussed in Chapter 16, to set up auditing. It provides a quick wizard-based model for audit configuration. The SCW stores its audit settings in an audit policy.
In Windows Server 2008, auditing provides a means of tracking events. It is an important facet of security for individual computers as well as the enterprise. Microsoft defines an event as any significant occurrence in the operating system or an application that requires users (particularly administrators) to be notified. Events ...