Posted by Roger Abell [MVP] on October 30, 2006, 12:49 am
Audit policy can be overused. Whether that presents a drain
on capacity of the system really depends on what one audits.
The example you mention, policy change, is not a big hit at all.
The real problems come when one uses logon success (on
webservers, DCs, etc. that see high rates of login), file auditing
such as many of the "compliance auditing" guidelines recommend
and/or mandate where one records the expected and allowed, and
process tracking.
On the other hand, using audit for events that would be of interest
if they happen but which should not be happening has very low
overhead for the value. On my webservers for example, that are
multihosting for diverse authors/owners and are implemented to
isolate the content each from the other, I set an NTFS audit for
Everyone Full Failure - that is, any failed file access in the gigs
of web content triggers a record in the security log (pair actually);
and I see very few records and they are always of interest.
> Is it very resource hungry if I use the audit policy for Win2003???
>
> what happened was that the strong password was enabled apparently and now
> it is gone.
> Can I view who has changed it from enabled to disabled? How??
>
> Thanks
>
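
The failure-only NTFS audit described in the post, as an added example that is not part of the original thread: it sets an Everyone / Full Control / Failure audit entry on a content tree and enables failure auditing for file access. The path `D:\WebContent` is a hypothetical placeholder, and the `auditpol` subcategory syntax assumes Windows Vista / Server 2008 or later (on Server 2003 the equivalent setting is "Audit object access: Failure" in the audit policy).

```powershell
# Added example: failure-only NTFS auditing for Everyone on a content tree.
# Run elevated; reading or writing a SACL requires SeSecurityPrivilege.
$ContentRoot = 'D:\WebContent'   # hypothetical path, not from the post

# 1. Log only failed file-system access attempts, not the expected successes.
#    "File System" is the English subcategory name (assumes an English OS).
auditpol /set /subcategory:"File System" /success:disable /failure:enable | Out-Null

# 2. Build the audit rule. S-1-1-0 is the well-known SID for Everyone,
#    used here so the script does not depend on the localized group name.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)

# 3. Add the rule to the existing SACL instead of replacing it, so audit
#    entries that are already present on the folder are preserved.
$acl = Get-Acl -LiteralPath $ContentRoot -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $ContentRoot -AclObject $acl

# 4. Read the SACL back and confirm the entry is really there.
$sidType = [System.Security.Principal.SecurityIdentifier]
$applied = (Get-Acl -LiteralPath $ContentRoot -Audit).GetAuditRules($true, $true, $sidType) |
    Where-Object {
        $_.IdentityReference.Value -eq 'S-1-1-0' -and
        ($_.AuditFlags -band [System.Security.AccessControl.AuditFlags]::Failure) -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::FullControl) -eq
            [System.Security.AccessControl.FileSystemRights]::FullControl
    }

if ($applied) {
    Write-Output "Failure audit for Everyone is set on $ContentRoot"
} else {
    Write-Warning "Audit rule not found on $ContentRoot; check privileges and path"
}
```

On Server 2008 and later, a denied open under this rule is recorded in the Security log as event 4656 with an audit-failure result.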