This article is a work-in-progress. Please help update and extend it. If you add new security auditing topics, please add a link to the new topic at the bottom of this page. It is the Wiki way!
Security auditing allows you to track the effectiveness of your network defenses and identify attempts to circumvent them. There are a number of auditing enhancements in Windows Server 2008 R2 and Windows 7 that increase the level of detail in security auditing
logs and simplify the deployment and management of auditing policies. These enhancements include:
What do these auditing enhancements do?
In Windows XP, administrators have nine categories of security auditing events that they can monitor for success, failure, or both success and failure. These events are fairly broad in scope and can be triggered by a variety of similar actions, some of which
can generate a large number of event log entries.
In Windows Vista® and Windows Server 2008, the number of auditable events is expanded from nine to 53, which enables an administrator to be more selective in the number and types of events to audit. However, unlike the nine basic Windows XP events, these
new audit events are not integrated with Group Policy and can only be deployed by using logon scripts generated with the Auditpol.exe command-line tool.
In Windows Server 2008 R2 and Windows 7, all auditing capabilities have been integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in
for a domain, site, or organizational unit (OU). Windows Server 2008 R2 and Windows 7 make it easier for IT professionals to track when precisely defined, significant activities take place on the network.
Audit policy enhancements in Windows Server 2008 R2 and Windows 7 allow administrators to connect business rules and audit policies. For example, applying audit policy settings on a domain or OU basis will allow administrators to document compliance with
rules such as:
Auditing enhancements in Windows Server 2008 R2 and Windows 7 support the needs of IT professionals who are responsible for implementing, maintaining, and monitoring the ongoing security of an organization's physical and information assets.
These settings can help administrators answer questions such as the following:
Security awareness and the desire to have a forensic trail are significant motivators behind these questions. The quality of this information is required and evaluated by auditors in a growing number of organizations.
Are there any special considerations?
A number of special considerations apply to various tasks associated with auditing enhancements in Windows Server 2008 R2 and Windows 7:
Note: Advanced audit policy settings can also be applied to client computers running Windows Vista. However, the audit policies for these client computers must be created and applied separately by using Auditpol.exe logon scripts.
Important: Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should
not be combined.
Which editions include this feature?
All versions of Windows Server 2008 R2 and Windows 7 that can process Group Policy can be configured to use these security auditing enhancements. Versions of Windows Server 2008 R2 and Windows 7 that cannot join a domain do not have access to these features.
There is no difference in security auditing support between 32-bit and 64-bit versions of Windows 7.
For more information
To learn more about security audit policy, see the following resources: