What is Windows Auditing?
Windows auditing is the process of tracking, analyzing, and understanding events that take place on Windows-based computer systems. Windows auditing can reveal important contextual information about the who, what, when, and where of system events. Administrators and security specialists can set up Windows auditing across various desktops, servers, and other devices on a Microsoft Windows-based network. Windows auditing watches for certain events taking place on Windows machines and logs those events. Security experts can then use computer forensic analysis to review these events and identify unusual or risky access or behavior.
A key component of Windows auditing is Windows change auditing: detecting who changed what, and when, in the systems that matter most, notably Active Directory, Exchange, SQL Server, and file systems. File integrity monitoring is the file-system slice of this, and the two terms are often used together, but change auditing also covers directory and configuration objects that are not files.
Through the analysis of Windows security and systems events, Windows auditing can identify steps to improve security management and reduce the risk of unauthorized access and unwanted changes to your systems. Thorough Windows auditing helps organizations remain compliant with data protection requirements, identify potential threats (such as unwanted changes) early, and help to reduce the risk of a data breach. Often, Windows auditing and security tools will also allow the rollback of changes to an earlier, more desirable configuration.
What is the Windows Audit Policy?
The Windows Audit Policy defines which categories of events are recorded and, for each, whether successes, failures, or both are logged. In current Windows versions it is set per subcategory (Advanced Audit Policy Configuration in Group Policy, or auditpol.exe on a single host), for example recording both successful and failed logons while recording only successful logoffs. The policy selects event types, not their origin: a logon from across the network and a logon at the console both produce the same logon event, and it is the logon type recorded inside that event that lets you separate remote access from on-premises logins when you analyze or forward the data.
Windows auditing can generate vast amounts of data, so it pays to scope first: decide which security questions you need the logs to answer, and enable the subcategories that answer them rather than everything at once.
Typically, you will want to focus audit policy on behaviors that could put your Windows environment at risk, such as a misconfiguration that disrupts operations, or a change that grants users excessive privileged access and so widens the attack surface. Many Windows events occur every day for legitimate business reasons, so expect to tune out benign noise (service accounts, scheduled tasks, machine accounts) before the remaining alerts become useful.
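As an added example (not part of the original page), the following PowerShell shows what an audit policy actually controls and where the "remote versus local" distinction has to be made. It assumes an elevated session on the machine being audited and that advanced (per-subcategory) audit policy is in effect; the subcategory names, event IDs and event fields are the documented Windows ones, and the one-day lookback is an arbitrary choice.

```powershell
# Added example: configure a minimal audit policy with auditpol.exe, then pull
# remote logons out of the Security log. Run elevated. Local auditpol settings
# are overwritten by Group Policy, so in a domain deploy the same subcategories
# through Advanced Audit Policy Configuration instead of hand-editing hosts.

# --- 1. What the policy controls: subcategories and success/failure --------
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Logoff" /success:enable
auditpol.exe /set /subcategory:"Special Logon" /success:enable            # 4672: admin-equivalent privileges assigned
auditpol.exe /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable  # 4719: the policy itself was changed

# Verify what is in force (this is what an auditor will ask for).
auditpol.exe /get /category:"Logon/Logoff","Account Management","Policy Change"

# --- 2. What the policy does NOT control: where a logon came from ---------
# Every successful logon is event 4624 and every failure is 4625, regardless
# of origin; the LogonType field says how the session was created.
$logonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'
    10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-EventData {
    # Flatten the <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

$since = (Get-Date).AddDays(-1)   # assumed lookback window
$logons = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    $outcome = if ($_.Id -eq 4624) { 'Success' } else { 'Failure' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Outcome   = $outcome
        User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType = [int]$d.LogonType
        TypeName  = $logonTypeNames[[int]$d.LogonType]
        SourceIP  = $d.IpAddress
    }
}

# "Remote" = network (3) or RDP (10) sessions; drop machine accounts (names ending in $).
$remote = $logons | Where-Object { $_.LogonType -in 3, 10 -and $_.User -notlike '*$' }

$remote | Sort-Object Time | Format-Table Time, Outcome, User, TypeName, SourceIP -AutoSize

# Failed remote logons grouped by source address: a cheap password-spray check.
$remote | Where-Object Outcome -eq 'Failure' |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10
```

The point of the second half is that the filter on logon type lives in the query, not in the policy: the policy decides whether 4624/4625 are written at all, and every consumer of those events (a SIEM, a forwarding subscription, this script) does the remote/local split afterwards.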
Types of Windows Events that Can be Audited
Examples of events that you can log for auditing in Windows include:
Logon and logoff events: Attempts to access and log in to a particular device, whether those attempts are successful or not.
Account management: Creation, deletion, enabling, disabling, and password resets of user accounts and groups on Windows machines.
Active Directory: Changes to Active Directory objects, such as users, groups, organizational units, and Group Policy containers, and changes to the directory's configuration.
Server access and logins: Network logons to a Windows server from a client machine, including file share access and remote administration sessions such as RDP.
Object access: Attempts by a user or process to access a specific object, such as a file, folder, registry key, or printer. Object access events are only generated for objects that carry a system access control list (SACL) describing what to audit, so enabling the subcategory alone produces nothing until SACLs are set.
Registry access: Reads of and changes to a Windows machine's registry, audited as object access on keys that carry a SACL. Registry keys are normally updated when applications are installed, changed, or removed, so changes outside those windows stand out.
Policy changes: Amendments to the audit policy itself, to user rights assignments, or to other security policies.
System events: Starting up and shutting down machines, changes to the system time, and other system status updates.
This is just a sampling of all the areas that you can monitor and capture. Some of these auditing areas are useful in specialized circumstances, such as for debugging software or understanding how specific devices are accessed. Other areas, such as Active Directory auditing, are more central to securing your overall Windows environment.
What to Include in a Windows Audit
Ultimately, the types of Windows events you choose to log, analyze, and audit depend on your organizational priorities. Generally, too much security data is better than too little: it is easier to over-log and then drill down into the specific data you need than to suffer an incident and discover you never captured the events needed to explain it. The one caveat is that the Security log is a fixed-size buffer that overwrites its oldest entries by default; if you enable everything without raising the log size or forwarding events to a collector, you lose exactly the history an investigation needs.
Take into account the type of data your organization manages, your overall risk management profile, the resources you have available, and the software you’re using for auditing and analysis. Bear in mind that you can always tweak what you’re capturing as you analyze information so that you can get the right mix of logged events.
However, many organizations can benefit from auditing the following two areas as part of their Windows security auditing process:
Active Directory: AD is typically used to provide a way for users to access specific applications, folders, and files, based on their identity. Because it is a centralized system that is used extensively in the authentication and authorization of users across a business, Active Directory is often a prime target of cyber attackers. As a result, monitoring and auditing Active Directory changes should be considered an essential component for Active Directory security.
Windows Policy changes: Group Policy Objects are used to manage various access and administration rights across the Windows network, so oversight of the changes is essential to rooting out potential abuse of access and privileges, and homing in on any suspicious actors and actions.
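The two areas above are where the first detection logic belongs. The PowerShell below is an added example, not code from the original page. It assumes it is run on a domain controller (or over forwarded DC logs) with the Security Group Management, Directory Service Changes, and Audit Policy Change subcategories enabled, and that a SACL has been set on the CN=Policies,CN=System container so that 5136-series events are produced for GPO objects; the privileged group list and the seven-day lookback are assumptions to adapt. Event IDs and field names are the documented Windows ones. It covers the GPO object in the directory; the policy settings themselves live in SYSVOL files, and changes there need file-system object access auditing, which this script does not read.

```powershell
# Added example: flag additions to privileged groups, edits to Group Policy
# objects in Active Directory, and changes to the audit policy itself.
# Assumes a DC (or forwarded DC logs) with "Security Group Management",
# "Directory Service Changes" and "Audit Policy Change" enabled. 5136/5137/5141
# are only emitted for objects that carry a SACL.

$groupAddIds = 4728, 4732, 4756   # member added to global / local / universal security group
$dsChangeIds = 5136, 5137, 5141   # directory object modified / created / deleted

# Assumed watch list; extend with your own tier-0 groups.
$privilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                    'Administrators', 'Account Operators', 'Backup Operators'

function Get-EventData {
    # Flatten the <EventData><Data Name="..."> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    return $data
}

function Find-AdAuditFindings {
    param([datetime]$Since = (Get-Date).AddDays(-7))   # assumed lookback window

    $ids = $groupAddIds + $dsChangeIds + 4719
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } `
                           -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $d = Get-EventData $e
        $actor = "$($d.SubjectDomainName)\$($d.SubjectUserName)"

        switch ($e.Id) {
            { $_ -in $groupAddIds } {
                # TargetUserName is the group; MemberName is the DN of the new member.
                if ($d.TargetUserName -in $privilegedGroups) {
                    [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'PrivilegedGroupAdd'; Actor = $actor
                                       Detail = "$($d.MemberName) added to $($d.TargetUserName)" }
                }
                break
            }
            { $_ -in $dsChangeIds } {
                # GPOs are groupPolicyContainer objects under CN=Policies,CN=System.
                if ($d.ObjectClass -eq 'groupPolicyContainer' -or $d.ObjectDN -like '*CN=Policies,CN=System,*') {
                    [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'GpoChange'; Actor = $actor
                                       Detail = "$($e.Id) $($d.ObjectDN) attr=$($d.AttributeLDAPDisplayName) value=$($d.AttributeValue)" }
                }
                break
            }
            4719 {
                # Someone changed what gets audited: always worth a look.
                [pscustomobject]@{ Time = $e.TimeCreated; Kind = 'AuditPolicyChange'; Actor = $actor
                                   Detail = "subcategory $($d.SubcategoryGuid) changes=$($d.AuditPolicyChanges)" }
                break
            }
        }
    }
}

Find-AdAuditFindings | Sort-Object Time | Format-Table -AutoSize
```

Two design points: the group check keys on the group name in the event rather than on a list of member names, so a new admin added by any path is caught; and the 4719 case is unconditional, because an attacker who can change the audit policy will try to silence the first two checks before doing anything else.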
Technologies for Windows Auditing
Windows has native auditing building blocks: the audit policy itself, Event Viewer, Windows Event Forwarding to a collector, and PowerShell cmdlets such as Get-WinEvent for querying logs. They cover collection but fall short of what most organizations require, because they offer no built-in way to correlate changes across systems or to roll a change back. Enterprise Windows auditing solutions, on the other hand, can provide real-time change auditing/file integrity monitoring, simplified log analysis, precise recovery of individual changes, advanced alerting, and centralized reporting, along with many other features that make administration far easier, especially when it comes to zeroing in on and reversing changes, or in providing quick, clean information to auditors.