3 Days Left to Save $400 on SANS Cyber Defense Initiative 2014, Wash DC

Intrusion Detection FAQ: What logging would you recommend for Windows NT?

Windows NT offers you a variety of categories for audit in the event of failure or success: account management, detailed tracking, logon/logoff, object access, policy change, privilege use, and system event. You probably log all system events anyway to be able to determine why your system fails to do some tasks.

For intrusion detection, you should consider enabling logging for both successful and failed logon/logoff attempts as a minimum measure. This way you see at least all connection attempts using Microsoft's authentication protocol. As a next step, you'll probably want to log account management, policy change, and privilege use. These events tell you, for example, whether an account was added or the account lockout value was modified. For maximum surveillance, you should enable detailed tracking and object access. Note, this can have a severe impact on your system's performance.

If you already use a host-based ID system, consult your ID system's manual to learn what logging must be enabled in order to get maximum results.

Dirk Lehmann
Siemens CERT