Value of Auditing Workstations

by Mitch Tulloch [Published on 25 Oct. 2005 / Last Updated on 25 Oct. 2005]

Why you might consider enabling auditing on workstations...

Most admins only audit events taking place on servers, not workstations. The simple reason is that there are usually few servers but many workstations, plus servers are more valuable than workstations, which you can blow away and re-image in a pinch.

It can be a good idea however to enable certain types of auditing on Windows workstations. For example, you might consider enabling logon/logoff auditing and process tracking on workstations to keep track of which users use the workstation and what processes are executed on it. But why would you do this if you don't have the time to regularly collect workstation security logs and review them?

Well, consider if a user is suspected of doing something bad like trying to hack into you servers from inside the network. If an investigation is initiated, security logs containing such audit information could be extremely valuable in either convicting the user of an offense or clearning his name. So even if you don't review such audit logs regularly, they can still be useful.

Mitch Tulloch

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see .

Latest Contributions

Featured Links