The big question is: which audit settings should you enable? If you turned on everything, your server would start flooding your Security event log and ultimately it wouldn’t be very useful. In fact, there are no hard and fast rules for which settings you should enable.

All audit settings have three possible configurations: not configured, Success, and Failure. Not configured means auditing isn’t enabled for the setting, Success means log any applicable event that was successful, and Failure means log any applicable event that failed. Often, it is more useful to log Failure events since you want to discover someone who is attempting to perform an activity surreptitiously, which may mean doing it several times until successful.

With some settings, simply enabling Success or Failure won’t actually cause any events to be logged. You also have to enable auditing on specific objects, such as a particular file, before events will be audited. This is useful because in some cases, such as files and folders, you may only want to audit certain ones. If auditing were enabled for all files, the amount of events would render auditing unfeasible.

Using a graphical user interface

1. Open the Local Security Policy snap-in.

2. In the left pane, expand Local Policies -> Audit Policy.

3. In the right pane, double-click the setting you want to enable, and check the box beside Success and/or Failure depending on the types of events you want to audit.

You can force new auditing settings to be applied by running the secedit command on Windows 2000 or the gpupdate command on Windows Server 2003.

Run the following command on Windows 2000:

> secedit /refreshpolicy machine_policy

And run this command on Windows Server 2003:

> gpupdate /target:computer

MBSA has both a graphical and command-line interface. The MBSA graphical interface allows you to scan a single or multiple computers at one time (up to 10,000).

The MBSA command-line interface, mbsacli.exe, has the same functionality as the graphical interface. With it, you can easily automate periodic scans of your servers.

For more information on MBSA, including download instructions, see http://www.microsoft.com/technet/security/tools/mbsahome.mspx.

MBSA keeps itself up to date with the latest vulnerabilities and security updates by automatically polling Microsoft when you start the program. As of Version 1.2, you can alternately point MBSA at a SUS server to download the update catalog. This lets you determine what servers in your network are up to date according to your internal SUS server.