Auditing Considerations

By Author: Shirley Green
Total Articles: 129
Comment this article

When analyzing auditing requirements, consider the following:
Auditing requirements 220-701(http://www.aplus-220-701.com) are different based on computer role. Choose an auditing policy that provides the information necessary for each computer role.
Auditing provides little value unless events are reviewed. A policy should be established to review security logs.
Auditing requirements can change over time. One example would be when specific users are suspected of unauthorized file access, tampering, or improper
access. In this situation, you could set up auditing on sensitive files for these users or the groups that they are in, record security events, and then analyze the information. When the information needed is accumulated, you would remove the
auditing requirements.
Centralizing the collection of auditing events is essential to sound security event record management and might be required by regulations or industry rules.
Auditing process activity is not a good idea, in general, for production servers. It is a sound strategy for periodic use on test systems.
Recording privilege ...
... access events will also generate a large number of events.
Weigh the need to manage logs that this will create comptia security+( www.securityplus-sy0-201.com) , and determine whether this is a worthwhile event.
Setting object access auditing on files, folders, registry keys, and Active Directory objects can be affected by inheritance rules. When setting object auditing, you can set the requirements on a parent object and require that audit settings are pushed to subobjects by inheritance. You can also prevent the inheritance of SACLs by clearing the Allow Inheritable Auditing Entries from the Parent to Propagate to This Object and All Child Objects. Include These With Entries Explicitly Defined Here check box. Figure 9-24 illustrates this concept. The Marketing folder has inheritance blocked. Setting auditing for parent folders will have no affect on the Marketing folders.
Example of Taking Ownership By default, administrators have the user right to take ownership. To protect confidential information, data owners might request that the IT administrator not have access privileges on sensitive files. This can easily be done by removing the administrator's group access permissions on the files. However, the admin-istrator can take ownership of the file and give herself any access she wants. Nothing can prevent her from doing so. However, you can audit files that are configured to block administrator access CompTIA(http://www.certtopper.com) by auditing for this event and tracking object access events.