Value of Auditing Workstations

Most admins only audit events taking place on servers, not workstations. The simple reason is that there are usually few servers but many workstations, plus servers are more valuable than workstations, which you can blow away and re-image in a pinch.

It can be a good idea however to enable certain types of auditing on Windows workstations. For example, you might consider enabling logon/logoff auditing and process tracking on workstations to keep track of which users use the workstation and what processes are executed on it. But why would you do this if you don’t have the time to regularly collect workstation security logs and review them?

Well, consider if a user is suspected of doing something bad like trying to hack into you servers from inside the network. If an investigation is initiated, security logs containing such audit information could be extremely valuable in either convicting the user of an offense or clearning his name. So even if you don’t review such audit logs regularly, they can still be useful.

Mitch Tulloch

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top