Detailed scan results: Analyzing security audit policy settings

An important part of any security plan is the ability to monitor and audit events happening on your network. These event logs are frequently referenced in order to identify security holes or breaches. Identifying attempts and preventing them from becoming successful breaches of your system security is critical. In Windows, you can use ‘Group Policies’ to set up an audit policy that can track user activities or system events in specific logs.

In order to help you keep track of your system’s auditing policy, GFI LANguard N.S.S. collects the security audit policy settings from scanned target computers and includes them in the scan results. This information is accessed by clicking on the Security Audit Policy sub-node.

NOTE: GFI recommends that you set up the audit policy settings of your network computers as follows:

Auditing Policy             Success   Failure
Account logon events        Yes       Yes
Account management          Yes       Yes
Directory service access    Yes       Yes
Logon events                Yes       Yes
Object access               Yes       Yes
Policy change               Yes       Yes
Privilege use               No        No
Process tracking            No        No
System events               Yes       Yes

Apart from gaining knowledge on the current audit policy settings, you can also use GFI LANguard N.S.S. 8 to access and modify the audit policy settings of your target computers. To achieve this:

1. From the ‘Scanned Computers’ (middle) pane, right-click on the respective target computer and select:
   • Enable auditing on > This computer to configure the audit policy settings of that particular computer.
   • Enable auditing on > Selected computers to configure the audit policy settings of multiple computers.
   • Enable auditing on > All computers to configure the audit policy settings of all scanned computers.

Screenshot 39 - The audit policy administration wizard

2. Select/unselect the check boxes of the auditing policies that you wish to set up on the selected target(s). For example, to log successful events, select the ‘Successful’ check box of the relevant auditing policy. Click on Next to deploy the audit policy configuration settings on the target computer(s).

Screenshot 40 - Results dialog in audit policy wizard

3. At this stage, a dialog will show whether the deployment of audit policy settings was successful or not. You can choose to re-deploy settings on failed computers by clicking on the Back button. To proceed to the next stage click Next.
4. Click Finish to finalize your settings and close the ‘Audit Policy Administration Wizard’.
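
The recommended table above can also be checked outside the product. The following is an added example, not part of the GFI manual or of GFI LANguard N.S.S.: it compares the [Event Audit] section of a Windows security template against that table. It assumes the settings were exported with secedit /export /cfg, which this manual does not cover; the function names and the sample text are constructed for illustration.

```python
import configparser

# Recommended table from the page, keyed by the [Event Audit] names of a
# secedit export. Value bits: 1 = success, 2 = failure (3 = both, 0 = none).
BASELINE = {
    "AuditAccountLogon": ("Account logon events", 3),
    "AuditAccountManage": ("Account management", 3),
    "AuditDSAccess": ("Directory service access", 3),
    "AuditLogonEvents": ("Logon events", 3),
    "AuditObjectAccess": ("Object access", 3),
    "AuditPolicyChange": ("Policy change", 3),
    "AuditPrivilegeUse": ("Privilege use", 0),
    "AuditProcessTracking": ("Process tracking", 0),
    "AuditSystemEvents": ("System events", 3),
}

def flags(bits):
    """Decode an audit value into (success, failure); None = not defined."""
    return None if bits is None else (bool(bits & 1), bool(bits & 2))

def deviations(inf_text):
    """Return {policy: (found, recommended)} for rows that differ from the table."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # INF key names are mixed case; keep them as written
    cp.read_string(inf_text)
    section = cp["Event Audit"] if cp.has_section("Event Audit") else {}
    out = {}
    for key, (name, want) in BASELINE.items():
        found = int(section[key]) if key in section else None
        if found != want:
            out[name] = (flags(found), flags(want))
    return out

# Constructed sample export (not from a real host); AuditDSAccess is left out.
SAMPLE_INF = """\
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 2
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 1
AuditAccountLogon = 3
"""

if __name__ == "__main__":
    for name, (found, want) in deviations(SAMPLE_INF).items():
        print(f"{name}: found {found}, recommended {want}")
```

A secedit export is typically written as UTF-16, so decode the file with that encoding before passing its text to deviations().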