Audit Settings

By and large, the default audit settings on Windows Server 2003 are fine. However, on Windows 2000, they could use a little adjusting. Well, actually, they are basically turned off on Windows 2000 by default.

We recommend that you tweak the audit policies as follows:

• Account logon events Success and failure
• Account management Success and failure
• Logon events Success and failure
• Object access Success and failure
• Policy change Success
• Privilege use Success and failure
• System events Success

You should also adjust the log sizes; however, do not just increase sizes blindly. There are some practical limits on event log sizes. Event logs are loaded in services.exe, along with several other things. They are also memory-mapped files, and each process can only have 1 GB of those. That means that the log files have to share the 1 GB of available memory in the services.exe process with everything else in there. In addition, event logs cannot be fragmented in memory, so the system has to find sufficient contiguous memory. It is pretty likely that these issues will constrain you to about 300 MB as a practical limit on total event log size (not 300 MB each). Take that into account when setting log sizes. Of course, you must also analyze the logs, but that is a different topic.