Time and again I work on cases where the evidence is compromised because no minimum auditing policies were in place.
Microsoft Windows Server 2003 (the most common environment nowadays) does not consider this necessary, as it does not enable these settings by default, but if you happen to have an incident, you will wish you had some auditing policies set.
If you are running a typical Microsoft-based network (Active Directory domain + Exchange), based on my experience I consider the following settings the bare minimum you should set in order to know, and be able to prove, what happened in case of misuse:
Open “Group Policy Editor” and set all of these, except perhaps “Audit process tracking”.
Open Windows Explorer and right-click the folder you want to audit (where your company files go). Select “Properties”, “Security”, “Advanced”, “Auditing” and set all of these (at least).
Open “System Manager” and browse to “Administrative groups”, “First Administrative group”, “Servers” and right-click the server(s) you want to audit. Select “Properties”, “Diagnostic Logging” and set (at least) all these at «Mailbox» and «Public Folder»:
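
To check the Group Policy audit categories from the first step on a server, the sketch below (an added example, not part of the original post) parses the `[Event Audit]` section of a template exported with `secedit /export /cfg` and lists every category that is still off, treating “Audit process tracking” as optional. It assumes the exported file has already been decoded to text and that “set” means success, failure, or both; `SAMPLE_INF` is constructed for illustration.

```python
import configparser

# [Event Audit] keys in a security template exported with `secedit /export /cfg`.
# Values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
CATEGORIES = {
    "AuditSystemEvents": "Audit system events",
    "AuditLogonEvents": "Audit logon events",
    "AuditObjectAccess": "Audit object access",
    "AuditPrivilegeUse": "Audit privilege use",
    "AuditPolicyChange": "Audit policy change",
    "AuditAccountManage": "Audit account management",
    "AuditProcessTracking": "Audit process tracking",
    "AuditDSAccess": "Audit directory service access",
    "AuditAccountLogon": "Audit account logon events",
}
OPTIONAL = {"AuditProcessTracking"}  # the post treats this category as optional

def check_audit_policy(inf_text):
    """Return (missing, levels) for the decoded text of an exported template."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.read_string(inf_text.lstrip("\ufeff"))  # drop a leading BOM if present
    section = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    missing, levels = [], {}
    for key, label in CATEGORIES.items():
        raw = (section.get(key) or "").strip()
        # A key that is absent or non-numeric counts as "no auditing".
        levels[label] = int(raw) if raw.isdigit() else 0
        if levels[label] == 0 and key not in OPTIONAL:
            missing.append(label)
    return missing, levels

# Constructed sample export: object access is off, account logon is absent.
SAMPLE_INF = """\
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 3
[Version]
signature="$CHICAGO$"
"""

if __name__ == "__main__":
    missing, _ = check_audit_policy(SAMPLE_INF)
    print("Categories not audited:", ", ".join(missing) or "none")
```

Folder auditing entries and Exchange diagnostic logging levels are not stored in this section, so they still have to be checked in their own dialogs.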