Auditing Your Workstation

While Auditing is normally in place on servers, it isn’t usually performed on workstations unless there is a high risk of data theft. However, enabling a few auditing events locally on a workstation may prevent a larger problem in the future.

By selectively auditing a few key actions, you’ll have a place to start investigating theft or destruction of data if someone ever does compromise your workstation. Set up auditing on the following actions:

  • Account logon events (success and failure)
  • Account management (success and failure)
  • Logon events (success and failure)
  • Object access (success)
  • Policy change (success and failure)
  • Privilege use (success and failure)
  • System events (success and failure)

[Diana Huggins]