Windows Server 2008 R2 Updates to Security Monitoring
"...There are a number of auditing enhancements in Windows Server 2008 R2 and Windows 7 that increase the level of detail in security auditing logs and simplify the deployment and management of auditing policies. These enhancements include:
- Global Object Access Auditing. In Windows Server 2008 R2 and Windows 7, administrators can define computer-wide system access control lists (SACLs) for either the file system or registry. The specified SACL is then automatically applied to every single object of that type. This can be useful both for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs.
- "Reason for access" reporting. This list of access control entries (ACEs) provides the privileges on which the decision to allow or deny access to the object was based. This can be useful for documenting the permissions, such as group memberships, that allow or prevent the occurrence of a particular auditable event.
- Advanced audit policy settings. These 53 new settings can be used in place of the nine basic auditing settings under Local Policies\Audit Policy to allow administrators to more specifically target the types of activities they want to audit and eliminate the unnecessary auditing activities that can make audit logs difficult to manage and decipher..."
For more details on what's new and improved in security auditing in Windows Server 2008 R2, check out:
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer