A couple of weeks ago, our Windows NT 4.0 administrators had a heated discussion about the baseline configuration of the NT audit settings. We all had our opinions about which events we should and shouldn't audit. Can you give us some general guidelines about how to set up auditing?
Table 2 provides some general guidelines for the baseline configuration of the NT auditing settings on your NT workstations, servers, and domain controllers (DCs). I don't recommend selecting Use of User Rights and User and Group Management for workstations and servers because events in these categories are rare on these machines. I don't recommend selecting File and Object Access, Use of User Rights (on DCs), and Process Tracking because these categories generate many events that are of little use if you don't have special event-log analysis software. For the same reason (i.e., because you'll generate too many events), I don't recommend that you set the following auditing-related registry options (even though some books recommend that you do so on DCs):
- Full privilege auditing—By default, when the Use of User Rights auditing option is set, the system ignores the use of the following user rights: bypass traverse checking, generate security audits, create a token object, replace a process-level token, and backup and restore files and directories. To enable full privilege auditing, set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl-Set\Control\LSA\FullPrivilegeAuditing registry subkey (of type REG_ DWORD) to 1. I recommend using the subkey's default value, which is 0.
- Auditing of base objects—Base objects are internal NT objects that are invisible to the user and that other NT services and applications access. To enable auditing of base objects, add the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\AuditBaseObjects registry subkey (of type REG_DWORD) and set it to 1. I recommend using the subkey's default value, which is 0.