As I mentioned in Chapter 8, a secure environment not only consists of properly configured servers but also requires effective auditing to detect anomalies in application or user behavior. Auditing alone is of little value unless you also have a means of effectively monitoring these logs and flagging suspicious activity when it occurs. Unfortunately, most organizations are quick to implement the logging portion but rarely establish any effective method of monitoring these logs. As a result, the environment typically logs huge amounts of security information that is rarely ever even examined. The log files themselves are usually so small that information is quickly overwritten, eliminating any possibility of examining the security information even if a problem is detected.
Windows provides support for auditing in a number of different areas of the system; in this section I review these areas and provide suggestions on specific event auditing that can be useful to audit. Even if you do not plan to implement any real form of auditing in your environment (although I advise against this), understanding how auditing works can be an important tool when performing application integration (see Chapter 21 for more information on this) because it can help you to determine files or directories that may require modified security permissions in order to allow an application to function properly.
If you will implement security auditing, you need to consider carefully what events you actually want to audit. Although it is easy to simply configure your environment to audit all events, the resulting logs are difficult to review and manage, defeating the purpose of auditing in the first place. Finding the proper level of auditing for your environment requires a bit of work but is an exercise I highly recommend. My simple rule is if you are not planning on proactively monitoring an event, don't waste your time auditing it. People may disagree with this, but in most situations, by the time you discover there is a security problem, the pertinent log information very likely is gone.