Value of Auditing Workstations

by Mitch Tulloch [Published on 25 Oct. 2005 / Last Updated on 25 Oct. 2005]

Why you might consider enabling auditing on workstations...

Most admins only audit events taking place on servers, not workstations. The simple reason is that there are usually few servers but many workstations, plus servers are more valuable than workstations, which you can blow away and re-image in a pinch.

It can be a good idea however to enable certain types of auditing on Windows workstations. For example, you might consider enabling logon/logoff auditing and process tracking on workstations to keep track of which users use the workstation and what processes are executed on it. But why would you do this if you don't have the time to regularly collect workstation security logs and review them?

Well, consider if a user is suspected of doing something bad like trying to hack into you servers from inside the network. If an investigation is initiated, security logs containing such audit information could be extremely valuable in either convicting the user of an offense or clearning his name. So even if you don't review such audit logs regularly, they can still be useful.

Mitch Tulloch

Featured Links