Jul 30

MSW S2003 bare minimum auditing settings

Tag: Informática Legal, Systems | Joaquim Anguas @ 12:54 pm

Time and again I work on cases where proof is compromised because there were no minimum auditing policies in place.

Microsoft Windows Server 2003 (the most common environment nowadays) does not consider this to be necessary, as it does not apply these settings by default, but if you happen to have an incident, you will wish you had some auditing policies set.

If you are running a typical Microsoft-based network (Active Directory domain + Exchange), based on my experience I consider the following settings the bare minimum you should set to be able to know, and prove, what happened in case of misuse:

System changes

Open “Group Policy Editor” and set all of these, except perhaps “Audit process tracking”.

Filesystem

Open Windows Explorer and right-click the folder you want to audit (where your company files go). Select “Properties”, “Security”, “Advanced”, “Auditing” and set all these (at least).
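The same folder auditing can be applied and then verified from Windows PowerShell instead of the Explorer dialog. This is an added example, not part of the original post: the folder path, the audited principal (Everyone) and the list of rights are assumptions, because the post does not list the exact entries.

```powershell
# Added example: set and verify audit entries (SACL) on a folder.
# Run from an elevated Windows PowerShell session.
# Assumptions: $Path, the Everyone principal and $Rights are illustrative;
# adjust them to your own policy.
param(
    [string]$Path = 'D:\CompanyFiles'   # hypothetical folder
)

$Rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$Flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Well-known SID for Everyone, so the script also works on localized systems.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $Rights, $Inherit, $Propagate, $Flags)

# Read only the audit section, add the rule, write it back.
$sections = [System.Security.AccessControl.AccessControlSections]::Audit
$acl = [System.IO.Directory]::GetAccessControl($Path, $sections)
$acl.AddAuditRule($rule)
[System.IO.Directory]::SetAccessControl($Path, $acl)

# Verify: re-read the SACL and confirm an explicit Everyone entry exists.
$sidType = [System.Security.Principal.SecurityIdentifier]
$found = [System.IO.Directory]::GetAccessControl($Path, $sections).
    GetAuditRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq 'S-1-1-0' }

if (-not $found) {
    throw "No explicit audit entry for Everyone on $Path"
}

# Show what is now audited on the folder.
$found | Format-List FileSystemRights, AuditFlags, InheritanceFlags

# Note: these entries only produce Security log events when the
# "Audit object access" policy is enabled (see "System changes" above).
```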

 

Exchange

Open “System Manager” and browse to “Administrative groups”, “First Administrative group”, “Servers” and right-click the server(s) you want to audit. Select “Properties”, “Diagnostic Logging” and set (at least) all these at «Mailbox» and «Public Folder»: