A key component of Windows auditing is Windows changing auditing, sometimes referred to as file integrity monitoring, which entails the detection of changes within systems, most notably, Active Directory, Exchange, SQL, and file systems.
Through the analysis of Windows security and systems events, Windows auditing can identify steps to improve security management and reduce the risk of unauthorized access and unwanted changes to your systems. Thorough Windows auditing helps organizations remain compliant with data protection requirements, identify potential threats (such as unwanted changes) early, and help to reduce the risk of a data breach. Often, Windows auditing and security tools will also allow the rollback of changes to an earlier, more desirable configuration.
The Windows Audit Policy defines the specific events you want to log, and what particular behaviors are logged for each of these events. For example, your audit policy may determine that you want to log any remote access to a Windows machine, but that you do not need to audit login attempts from someone on your business premises.
Windows auditing can generate vast amounts of data, so it pays off to diligently first scope out the key information you need to gather to make informed security policy decisions.
Typically, you will want to focus auditing policies around behaviors that could cause a risk to your Windows environment, such as a misconfiguration that that causes operational dysfunction, or a change that results in provisioning users with excessive privileged access, which increases the risk surface. There are many Windows events that take place every day for legitimate access and business reasons, and it will be important to eliminate false positives
Examples of events that you can log for auditing include:
Logon and logoff events: Attempts to access and login to a particular device, whether those attempts are successful or not.
Account management: Changes to user profiles and accounts on Windows machines.
Active Directory: Changes to Active Directory configurations or user profiles.
Server access and logins: Client-server access from a remote machine to a Windows server.
Object access: When Windows machines access specific devices or objects on the network including files, folders, or printers.
Registry access: Changes to a Windows machine’s registry. Registry keys are normally updated when applications are installed, changed, or removed.
Policy changes: Amendments to access rights or other IT policies.
Systems events: Starting up and shutting down machines and other system status updates.
This is just a sampling of all the areas that you can monitor and capture. Some of these auditing areas are useful in specialized circumstances, like debugging software or for understanding how specific devices are accessed. Other areas, such as Active Directory auditing are more central to securing your overall Windows environment.
Ultimately, the types of Windows events you choose to log, analyze, and audit depends on your organizational priorities. Generally, too much security data is better than too little. It’s easier to “over-log” and then drill down into the specific data you need, than to suffer a problem and then find out you didn’t capture the right events to identify and resolve the issue.
Take into account the type of data your organization manages, your overall risk management profile, the resources you have available, and the software you’re using for auditing and analysis. Bear in mind that you can always tweak what you’re capturing as you analyze information so that you can get the right mix of logged events.
Active Directory is typically used to provide a way for users to access specific applications, folders, and files, based on their identity. Because it is a centralized that is used extensively in authentication and authorization of users across a business, Active Directory is often a prime target of cyber attackers. As a result, monitoring and auditing Active Directory changes should be considered an essential component for Active Directory security.
Another area you’ll want to track is Windows Policy changes. Group Policy Objects are used to manage various access and administration rights across the Windows network, so oversight of the changes is essential to rooting out potential abuse of access and privileges, and homing in on any suspicious actors and actions.
While Windows has some native auditing capabilities, they fall short of what most organizations will require. Windows native auditing capabilities is underpowered when it comes to log analysis and rolling back changes. Enterprise Windows auditing solutions, on the other hand, can provide real-time change auditing/file integrity monitoring, simplified log-analysis, pinpoint precision recovery, advanced alerting, and centralized reporting, along with many other features that make administration far easier—especially when it comes to zeroing in on and reversing changes, or in providing quick, clean information to auditors.