Best Practice for auditing Active Directory

[snootalope]

Anyone know if there's a guide, or information that's apart of another guide, that sets the best practices for what and where to audit events in active directory?

I currently audit success and failure logon events of course, but I'd like to see what's recommend to see if I should be capturing privileged use, privileged escalation attempts, and so forth..

Thanks for any info!

 

[snootalope]

I did find this link;

http://www.windowsecurity.com/articles/Windows-Active-Directory-Auditing.html

which has plenty of reference to what is a best practice, but is it really a best practice when it's not Microsoft saying so.

 

[PScottC]

Check out SANS. They have a lot of resources on auditing in general. [URL unfurl="true"]http://www.sans.org/reading_room/whitepapers/auditing/[/url]

The SANS organization is closely linked with the CISSP certification.

PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers