Value of Auditing Workstations

by Mitch Tulloch [Published on 25 Oct. 2005 / Last Updated on 25 Oct. 2005]

Why you might consider enabling auditing on workstations...

Most admins only audit events taking place on servers, not workstations. The simple reason is that there are usually few servers but many workstations, plus servers are more valuable than workstations, which you can blow away and re-image in a pinch.

It can be a good idea however to enable certain types of auditing on Windows workstations. For example, you might consider enabling logon/logoff auditing and process tracking on workstations to keep track of which users use the workstation and what processes are executed on it. But why would you do this if you don't have the time to regularly collect workstation security logs and review them?

Well, consider if a user is suspected of doing something bad like trying to hack into you servers from inside the network. If an investigation is initiated, security logs containing such audit information could be extremely valuable in either convicting the user of an offense or clearning his name. So even if you don't review such audit logs regularly, they can still be useful.

Mitch Tulloch

See Also

The Author — Mitch Tulloch

Mitch Tulloch is a well-known expert on Windows Server administration and cloud computing technologies. He has published over a thousand articles on information technology topics and has written, contributed to or been series editor for over 50 books.

Featured Links