
Audit Settings

By and large, the default audit settings on Windows Server 2003 are fine. However, on Windows 2000, they could use a little adjusting. Well, actually, they are basically turned off on Windows 2000 by default.

We recommend that you tweak the audit policies as follows:

  • Account logon events: Success and failure
  • Account management: Success and failure
  • Logon events: Success and failure
  • Object access: Success and failure
  • Policy change: Success
  • Privilege use: Success and failure
  • System events: Success

You should also adjust the log sizes; however, do not just increase sizes blindly. There are some practical limits on event log sizes. Event logs are loaded in services.exe, along with several other things. They are also memory-mapped files, and each process can only have 1 GB of those. That means that the log files have to share the 1 GB of available memory in the services.exe process with everything else in there. In addition, event logs cannot be fragmented in memory, so the system has to find sufficient contiguous memory. It is pretty likely that these issues will constrain you to about 300 MB as a practical limit on total event log size (not 300 MB each). Take that into account when setting log sizes. Of course, you must also analyze the logs, but that is a different topic.
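As an added example (not from the book), the Python below takes a security template exported with secedit /export /cfg, reports every [Event Audit] category that differs from the recommended settings listed above, and adds up the three logs' MaximumLogSize values against the 300 MB practical limit. The section and key names follow the Windows security-template format; the sample export is constructed for the demonstration.

```python
# [Event Audit] keys of a Windows security template (as written by
# secedit /export /cfg), mapped to the recommended setting from the list above:
# 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
BASELINE = {
    "AuditAccountLogon": 3,   # Account logon events
    "AuditAccountManage": 3,  # Account management
    "AuditLogonEvents": 3,    # Logon events
    "AuditObjectAccess": 3,   # Object access
    "AuditPolicyChange": 1,   # Policy change
    "AuditPrivilegeUse": 3,   # Privilege use
    "AuditSystemEvents": 1,   # System events
}
LOG_SECTIONS = ("Application Log", "Security Log", "System Log")
TOTAL_LOG_LIMIT_KB = 300 * 1024  # practical ceiling for all logs combined

def parse_template(text):
    """Parse the INI-style template text into {section: {key: value}}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line[0] == "[" and line[-1] == "]":
            current = sections.setdefault(line[1:-1], {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_audit_policy(sections):
    """Return (category, found, expected) for each category off the baseline."""
    audit = sections.get("Event Audit", {})  # a missing key means no auditing
    return [(k, int(audit.get(k, 0)), v) for k, v in BASELINE.items()
            if int(audit.get(k, 0)) != v]

def total_log_size_kb(sections):
    """Sum MaximumLogSize (KB) over the three event logs; unset counts as 0."""
    return sum(int(sections.get(s, {}).get("MaximumLogSize", 0))
               for s in LOG_SECTIONS)

# Constructed sample export (not from a real machine): object access is off,
# system events audit both, and the three logs add up to 384 MB.
SAMPLE = ("[Event Audit]\nAuditSystemEvents = 3\nAuditLogonEvents = 3\n"
          "AuditObjectAccess = 0\nAuditPrivilegeUse = 3\nAuditPolicyChange = 1\n"
          "AuditAccountManage = 3\nAuditAccountLogon = 3\n"
          "[Application Log]\nMaximumLogSize = 65536\n[Security Log]\n"
          "MaximumLogSize = 262144\n[System Log]\nMaximumLogSize = 65536\n")
```

A real export is written as UTF-16, so read it with open(path, encoding="utf-16") before passing it to parse_template.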
