No matter the size of your company or of your engineering team, it is always important to maintain visibility into what’s happening in your infrastructure. As your company grows, however, and you start to need to meet compliance standards like the SOC 2 and FedRAMP frameworks, keeping detailed, specific audit logs becomes a must-have. The first step in implementing good audit practices is to start with what the operating system (OS) gives you. Let’s take a look at some best practices for the native audit logging available in the Windows operating system.
Log events
There are many different kinds of logging events that can be recorded on a Windows operating system. Understanding the differences between them, and which ones you need to pay attention to, can be a daunting task. Luckily, Microsoft provides an in-depth guide to event log configuration in its online documentation.
General best practices
Capture audit logging on both workstations AND servers.
Attacks often begin on workstations, which malicious actors then use to pivot to servers or domain controllers.
Workstation audit logs often offer the earliest sign that something is wrong.
Balance performance and audit granularity.
More granular audit logs will impact performance on both servers and individual workstations, so run performance tests after you change logging settings.
Don’t compromise on security to enhance performance, but also avoid capturing extraneous log noise.
Use Advanced Audit Policy Configuration when possible.
Advanced audit policy, located under `Security Settings\Advanced Audit Policy Configuration`, gives you much finer control over what is logged, allowing you to avoid noise.
Do not combine basic policy settings with advanced ones. Basic policy settings are found under `Security Settings\Local Policies\Audit Policy`. According to Microsoft, combining the two can produce “unexpected results” because the two levels of settings override each other.
Centralize your logs.
Use an external tool, SIEM, or service to ship all of your logs to a central location. This helps you better format them, organize them, and store them for longer-term record keeping.
Typically, logs on the Windows machines themselves are only meant for short-term retention and will quickly be overwritten.
Configure your event log size and retention settings to match the needs of your individual setup.
Viewing the security event log
Each event will be recorded to the security log according to the audit policies you have in place.
In order to view the security log:
Open the Event Viewer
Press [⊞ Win + R] to open the Run dialog box.
Type in `eventvwr` and select `OK`.
Next, in the side panel, expand Windows Logs, then click Security.
This lists all individual security events.
For more details on an event, click it.
This will help you get a sense of what is being recorded currently on your system.
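The same checks can be scripted. The PowerShell below is an added example, not part of the original post: it reports the Security log’s size and retention mode, confirms that advanced (subcategory) audit settings take precedence over basic ones, lists the effective advanced audit policy, and pulls recent events that indicate tampering with the audit trail itself. The 1 GB threshold and 24-hour window are this example’s own choices; run it in an elevated session.

```powershell
# Added example (not from the original post): review Security log retention,
# the advanced-vs-basic audit policy setting, and recent audit-tampering events.
# The 1 GB minimum and the 24-hour window are this example's own assumptions.

$minSizeBytes = 1GB

# 1. Log size and retention. LogMode 'Circular' means the oldest events are
#    overwritten once MaximumSizeInBytes is reached, so this size decides how
#    much history survives locally before it is shipped to a SIEM.
$sec = Get-WinEvent -ListLog Security
Write-Output ("Security log: {0:N0} records, mode {1}, max {2:N0} MB" -f
    $sec.RecordCount, $sec.LogMode, ($sec.MaximumSizeInBytes / 1MB))
if ($sec.MaximumSizeInBytes -lt $minSizeBytes) {
    Write-Warning ("Security log max size is below {0:N0} MB" -f ($minSizeBytes / 1MB))
}

# 2. Advanced vs. basic policy. The security option 'Audit: Force audit policy
#    subcategory settings (Windows Vista or later) to override audit policy
#    category settings' is stored in this registry value; Microsoft recommends
#    enabling it (value 1) so advanced settings are not clobbered by basic ones.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: basic policy may override advanced settings'
}

# 3. Effective advanced audit policy per subcategory (the same data the
#    Advanced Audit Policy Configuration UI shows). /r emits CSV.
auditpol /get /category:* /r | ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# 4. Events a defender should see quickly: 4719 (system audit policy changed)
#    and 1102 (audit log cleared). Both mean someone touched the logs themselves.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719, 1102; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

If step 4 prints nothing, no policy changes or log clears were recorded in the window; forwarding those two event IDs to your SIEM is a cheap early-warning signal regardless of the rest of your audit configuration.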
Staying alert
Overall, if you follow the above guidelines, as well as the specific logging policy implementations Microsoft provides, you will have much deeper insight into your Windows infrastructure.
This is only the first step, however, in maintaining a secure and compliant network. A good third-party SIEM tool like Splunk or Datadog, in conjunction with a Zero-Trust Identity-Native Infrastructure Access platform like Teleport, will help you take that extra step to reach your compliance and security goals. Teleport provides audit logs and session playback for Windows RDP sessions. You can try Teleport for free today.