No matter the size of your company or the size of your engineering team, it is always important to maintain visibility into what's happening in your infrastructure. As your company grows, however, and you need to meet compliance standards like the SOC2 and FedRAMP frameworks, keeping detailed, specific audit logs becomes a must-have. The first step in implementing good audit practices is to start with what the Operating System (OS) gives you. Let's take a look at some best practices for the OS-native audit logging available on Windows.
There are many different kinds of logging events that can be recorded on a Windows operating system. Understanding the differences between them, and which ones you need to pay attention to, can be a daunting task. Luckily, Microsoft provides an in-depth guide to event log configuration in its online documentation.
General best practices
Viewing the security event log
Each event will be recorded to the security log according to the audit policies you have in place.
In order to view the security log:
This will help you get a sense of what is currently being recorded on your system.
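As an added illustration (not part of the original post), the following PowerShell snippet shows the effective audit policy and summarises what the Security log has actually recorded in the last 24 hours, so you can check that the subcategories you care about are producing events. It assumes an elevated prompt on a Windows host; the 24-hour window and the 4625 (failed logon) filter are choices for this example.

```powershell
# Added example, not from the original post: compare the effective audit
# policy with what the Security log is really recording.
# Run from an elevated PowerShell prompt; reading the Security log requires
# administrative rights or membership in the "Event Log Readers" group.

# 1. Show the effective advanced audit policy for every subcategory.
#    Subcategories reported as "No Auditing" will never produce Security events.
auditpol /get /category:*

# 2. Count Security events by Event ID over the last 24 hours (window chosen
#    for this example) to see which subcategories are generating records.
$since = (Get-Date).AddHours(-24)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since } -ErrorAction SilentlyContinue |
    Group-Object -Property Id |
    Sort-Object -Property Count -Descending |
    Select-Object -First 15 -Property Count, Name |
    Format-Table -AutoSize

# 3. Pull failed logons (Event ID 4625) from the same window and show the
#    target account, logon type, source address and NTSTATUS code for each.
#    The EventData field names below are the documented names for 4625.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
        [pscustomobject]@{
            Time          = $_.TimeCreated
            TargetUser    = $data['TargetUserName']
            TargetDomain  = $data['TargetDomainName']
            LogonType     = $data['LogonType']
            SourceAddress = $data['IpAddress']
            Status        = $data['Status']
        }
    } | Format-Table -AutoSize
```

If step 2 prints nothing at all, either no policy is enabled for the host or the log has been cleared or overwritten; check the output of step 1 and the Security log's maximum size before assuming the system is quiet.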
Overall, if you follow the above guidelines, as well as the specific logging policy implementations Microsoft provides, you will have much deeper insight into your Windows infrastructure.
This is only the first step, however, in maintaining a secure and compliant network. A good third-party SIEM tool like Splunk or Datadog, in conjunction with a Zero-Trust Identity-Native Infrastructure Access platform like Teleport, will help you take that extra step to reach your compliance and security goals. Teleport provides audit logs and session playback for Windows RDP sessions. You can try Teleport for free today.