Kickoff post: Windows auditing

This blog is dedicated to those folks who've Googled for Windows security event information and found newsgroup posts that I've made in the past.  I feel your pain.

"Windows Auditing" is what we call the security logging feature of the Windows OS.  In information security jargon, "audit" is an overloaded term.  It is most commonly used these days to refer to the process of evaluating the security posture of information systems, but it is also commonly used, as in the rainbow series of books, to refer to the establishment of a record ("audit trail") for auditors to use in investigations.  I will only be using it here in the latter sense.

When I first joined my team I suggested dropping the term "audit" in favor of "security logging", but was met first with blank stares and then with dismissal.  Oh well.  Since I lost that battle, when I use the word "audit", you can substitute "security event".

Anyway, I'm going to start off with a couple of common customer complaints and comments about Windows auditing.

Common Complaints & Comments:

  • Windows audit logs contain too much noise.  This is a valid complaint, and is due to the lack of granularity of our audit policy mechanism.  We hope to address this in some upcoming release (I'm not allowed to be more specific since our lawyers think that somebody might interpret it as a promise to deliver a feature).
  • Windows audit logs are difficult to interpret.  We're solving this in three ways: documentation, review and revision of the current event records, and improved tools.  It looks like Longhorn may have a new event logging service, which would expose event data to applications as XML.  This would enable a far better set of tools than, say, Event Viewer.
  • Windows auditing sucks.  We're open to feedback, but we need something more actionable.

I wish I could tell you all the cool things we're working on, but suffice it to say, we're aware of the problems around the security log and are working to address them.  I'm always glad to receive email, however, if you have a suggestion.

Thanks,

Eric