Security Auditing
Applies To: Windows Server 2008, Windows Server 2008 R2
This navigation topic for the IT professional describes the documentation available to plan, implement, and monitor events by using features found in Windows Security Auditing.
Security auditing is one of the most powerful tools that you can use to maintain the security of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.
Note
Windows Security Auditing documentation has been republished to include additional versions of Windows. For updated information and links to current topics, see Security Auditing Overview.
Getting started
Advanced Security Auditing Walkthrough
This step-by-step guide uses Windows Server 2008 R2 and Windows 7 to demonstrate the process of setting up an advanced audit policy infrastructure in a test environment. During this process, you will create an Active Directory domain, install Windows Server 2008 R2 on a member server, install Windows 7 on a client computer, and configure two advanced audit policies.
Advanced Security Auditing FAQ
This topic lists common questions and their answers about understanding, deploying, and managing security audit policies.
Which Editions of Windows Support Advanced Audit Policy Configuration
This topic provides information about the versions of Windows that support advanced audit policy configuration, in addition to special considerations that apply to various tasks associated with auditing enhancements.
Deployment
Planning and Deploying Advanced Security Audit Policies
This topic explains the options that security policy planners must consider and the tasks they must complete to deploy an effective security audit policy in a network. Advanced security audit policies were introduced in Windows 7 and Windows Server 2008 R2, but they also apply to other versions. This topic also lists the supported versions.
Technical reference
Security Audit Policy Reference
This topic provides information about the auditing settings available in Windows Server 2008 R2 and Windows 7 and the audit events that they generate.
For information about the Advanced Security Policy settings that are included in other versions of Windows, see Advanced Security Audit Policy Settings.
Installed Help
-
This topic provides syntax and examples for using the Auditpol command-line tool. Auditpol can be used to display information about audit policies and to perform functions to manipulate them.
Additional resources
Security Audit Events for Windows 7 and Windows Server 2008 R2
Security audit events for Windows Server 2008 and Windows Vista
-
This topic describes new auditing capabilities in Active Directory Domain Services (AD DS).
AD DS Auditing Step-by-Step Guide
This topic shows how to log old and new values when changes are made to Active Directory objects and their attributes.
Security Monitoring and Attack Detection Planning Guide
This guide describes how to plan a security monitoring system in Windows-based networks.
-
In Windows Vista and Windows Server 2008, you can manage audit policies at a more detailed level by using audit policy subcategories. This topic describes a procedure that administrators can use to deploy a custom audit policy that applies detailed security auditing settings for computers that are running Windows Vista or Windows Server 2008.