Hi Luis,

You don't need to buy new machines for auditing (unless you deploy an audit collection product which requires separate machines). Auditing will impact performance, but usually only slightly. However, it can have a substantial impact on servers that perform a large number of auditable actions. For instance, if you turn on auditing on a workstation, but do not deploy SACLs, the impact will be minimal. If you turn on logon/logoff, account logon, or DS access auditing on a busy domain controller, then performance will be impacted noticeably.

There are several things to consider:

1) Have a threat model before enabling auditing. Don't just turn it on to have it on.

2) Don't enable "Privilege Use" auditing. Too noisy.

3) Don't enable CrashOnAuditFail - turns a repudiation threat into a denial-of-service. (aka "Halt the system if unable to log security audits")

4) Don't enable AuditBaseObjects - too noisy. (aka "Audit access to global system objects")

5) Don't enable FullPrivilegeAuditing - too noisy. (aka "Audit the use of the Backup & Restore Privilege")

6) Don't enable failure auditing unless you have to (and by have to I mean that you have a plan of what to do with them). Some failure audits are normal. For instance, Explorer tries to open ACLs with full control; if that operation fails, an audit might be generated, but Explorer will know to re-try the operation with less access, and will disable the "apply" control in the ACL editor. Additionally, failure auditing could be used as a denial-of-service attack against the log in some cases; I'll leave it to your imagination since posts to this list show up in Google searches.

7) Don't audit for reads. Too noisy. If you must audit for reads, try to audit a single object rather than a set of objects. For instance, if you want to audit whether someone installed Word from your share, audit WinWord.exe, not all the files on the share.

8) Enable auditing on a test system that mirrors your production environment, to measure its impact.

Hope this helps; as Rainer said, I need more information for a more detailed answer.

Eric

-----Original Message-----
From: loganalysis-bouncesat_private [mailto:loganalysis-bouncesat_private] On Behalf Of Luis Toloza
Sent: Wednesday, July 30, 2003 8:05 AM
To: 'loganalysisat_private'
Subject: [logs] Windows Logs Auditing

Hi Eric,

I'm sorry if I bother you with a question, but I do need to evaluate the impact over the network of the activation of the auditing logs for the domain machines. I do need to answer questions like: do we need to buy new servers and workstations, do we need any new machines?, more hard drives?, do we need to buy software for the processing of the logs to obtain reports?... I know maybe my question is not precisely specific, but if you can give me some help I'll be very glad to take it ;-)

Thankfully awaiting your response,

Luis Toloza R.
pf_ltolozaat_private
Phone: (56)(2)670 29 10
Fax: (56)(2)670 22 28

"The information contained in this transmission is confidential and may not be used or disseminated by persons other than its addressee(s). Unauthorized use of the information contained in this transmission may be punishable under criminal law in accordance with Chilean law. If you have received this transmission in error, please destroy it and notify the sender. Given that there is no certainty that this message will not be modified as a result of its transmission by e-mail, the Banco Central de Chile will not be liable if its content has been modified."

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
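A read-only check of a Windows host against the "don't enable" items in Eric's reply, added here as an example (it is not code from the thread or from either poster). It assumes the Lsa registry value names crashonauditfail, auditbaseobjects and fullprivilegeauditing, and auditpol.exe with CSV output (Windows Vista / Server 2008 or later); it changes nothing on the machine.

```powershell
# Added example, not code from the original thread: report settings that deviate
# from items 2-6 of the reply above. Read-only; nothing is modified.
# Assumed value names under the Lsa key: crashonauditfail, auditbaseobjects (REG_DWORD)
# and fullprivilegeauditing (REG_BINARY, one byte). auditpol /r output is assumed CSV.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LsaFlag([string]$Name) {
    # Returns 0 when the value is absent, which is the default (disabled) state.
    $v = (Get-ItemProperty -Path $lsa -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { return 0 }
    if ($v -is [byte[]]) { return [int]$v[0] }   # fullprivilegeauditing is REG_BINARY
    return [int]$v
}

$findings = @()

# Item 3: CrashOnAuditFail ("Halt the system if unable to log security audits")
if ((Get-LsaFlag 'crashonauditfail') -ne 0) {
    $findings += 'CrashOnAuditFail is set: a full or unwritable Security log halts the host (denial of service).'
}
# Item 4: AuditBaseObjects ("Audit access to global system objects")
if ((Get-LsaFlag 'auditbaseobjects') -ne 0) {
    $findings += 'AuditBaseObjects is set: very noisy; disable unless your threat model needs it.'
}
# Item 5: FullPrivilegeAuditing ("Audit the use of the Backup & Restore Privilege")
if ((Get-LsaFlag 'fullprivilegeauditing') -ne 0) {
    $findings += 'FullPrivilegeAuditing is set: every file touched by backup/restore is audited.'
}

# Items 2 and 6: per-subcategory audit policy. Blank lines are dropped before CSV parsing.
$policy = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
foreach ($row in $policy) {
    $setting = $row.'Inclusion Setting'
    if ($row.Subcategory -like '*Privilege Use*' -and $setting -ne 'No Auditing') {
        $findings += "Privilege Use auditing is on ($($row.Subcategory): $setting): too noisy."
    }
    if ($setting -like '*Failure*') {
        $findings += "Failure auditing is on for $($row.Subcategory): some failures are normal (e.g. Explorer ACL probes); have a plan for the volume."
    }
}

if ($findings.Count -eq 0) { 'No deviations from the recommendations above.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it in an elevated PowerShell session on the test system from item 8 before and after applying the audit policy, so the output doubles as a record of what changed.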
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 09:35:36 PDT