Security Best Practices Guide for Cisco Unified ICM/Contact Center Enterprise & Hosted Release 9.0
Auditing

Set auditing policies to track significant security events, such as account logon attempts. Always set the local auditing policies on every Unified ICM/CCE server, whether or not the server also receives a domain policy.


Note


Domain auditing policies always override local auditing policies. Where possible, make the two sets of policies identical, so that the effective policy on a server is the same whether or not Group Policy has been applied to it.

To set local auditing policies, select Start > Programs > Administrative Tools > Local Security Policy.

View auditing policies

Procedure
    Step 1   Choose Start > Programs > Administrative Tools > Local Security Policy.

    The Local Security Settings window opens.

    Step 2   In the tree in the left pane, select and expand Local Policies.
    Step 3   In the tree under Local Policies, select Audit Policy.

    The individual auditing policies appear in the right (details) pane.

    Step 4   View or change an auditing policy by double-clicking the policy name and selecting Success, Failure, or both.

View security log

After setting auditing policies, review the Security log at least once a week. Look for unusual activity, such as repeated logon failures, logon failures for accounts that do not exist, or logon successes by accounts that are not expected to use the server (for example, a service account logging on interactively).

To view the Security log:

Procedure
Choose Start > Programs > Administrative Tools > Event Viewer, then select the Security log.
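The weekly review described above can be scripted so that the two things worth looking at, failed logons and successful logons by unexpected accounts, are summarized instead of read event by event. The following script is an added example and is not part of the Cisco guide. It assumes Windows Server 2008 R2 or later event IDs (4624 for a successful logon, 4625 for a failed logon), that Audit logon events is set to Success and Failure, and an elevated prompt (reading the Security log requires membership in Administrators or Event Log Readers). The list of expected accounts is a placeholder.

```powershell
# Added example; not from the Cisco guide. Weekly review of the Security log for
# failed logons and for successful logons by accounts that are not expected on
# this server. Assumes Windows Server 2008 R2 or later event IDs (4624 = logon
# succeeded, 4625 = logon failed) and that "Audit logon events" is set to
# Success and Failure. Save as Review-SecurityLog.ps1 and run elevated.
param(
    [int]$Days = 7,
    # Placeholder (assumption): accounts that normally log on to this server.
    [string[]]$ExpectedAccounts = @('icmadmin', 'svc_icm', 'svc_sql')
)

$since = (Get-Date).AddDays(-$Days)

# Filter on the server side; piping every Security event through Where-Object
# is far slower on a busy server. SilentlyContinue suppresses the
# "No events were found" error when the week was quiet.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) { "No logon events found since $since"; return }

# Read EventData fields by name from the XML payload rather than by position:
# the Properties[] index of TargetUserName, LogonType and IpAddress differs
# between 4624 and 4625.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = $data['TargetUserName']
        Domain    = $data['TargetDomainName']
        LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 remote desktop
        Source    = $data['IpAddress']
        Status    = $data['Status']      # NTSTATUS, e.g. 0xC000006D = bad user name or password
    }
}

# Drop machine accounts (trailing $) and the built-in identities that log on
# constantly on any server; they are noise for this review.
$noise = @('SYSTEM', 'ANONYMOUS LOGON', 'LOCAL SERVICE', 'NETWORK SERVICE')
$records = $records | Where-Object {
    $_.Account -and $_.Account -notmatch '\$$' -and $noise -notcontains $_.Account
}

"Failed logons in the last $Days days, by account and source address:"
$records | Where-Object { $_.Id -eq 4625 } |
    Group-Object Account, Source |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize

"Successful logons by accounts that are not on the expected list:"
$records | Where-Object { $_.Id -eq 4624 -and $ExpectedAccounts -notcontains $_.Account } |
    Sort-Object Time |
    Select-Object Time, Account, Domain, LogonType, Source |
    Format-Table -AutoSize
```

A long run of 4625 events from one source address against many account names is the password-guessing pattern to look for; a single 4624 with logon type 10 (Remote Desktop) from a service account is the kind of "success with an unusual account" the guide refers to.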

Real-time alerts

Microsoft Windows provides the SNMP Event Translator, which turns selected entries in the Windows event log into real-time alerts by converting each matching event into an SNMP trap. Use evntwin.exe (graphical) or evntcmd.exe (command line, driven by a configuration file) to choose which events are translated.

For additional information about configuring the translation of events to traps, see Microsoft TechNet: http://technet.microsoft.com/en-us/library/cc759390(WS.10).aspx.

Refer to the Cisco SNMP Installation and Basic Configuration guide for information about configuring SNMP trap destinations.
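The following script shows the evntcmd.exe side of the configuration just described: a small configuration file that maps a handful of Security audit events to traps, loaded into the local SNMP Event Translator. It is an added example, not Cisco's or Microsoft's code. It assumes Windows Server 2008 R2 or later event sources and IDs and that the Windows SNMP Service feature is installed (evntcmd.exe ships with it); the event selection and the rate limit are this example's choices, not a Cisco recommendation.

```powershell
# Added example; not from the Cisco guide or Microsoft. Translate selected
# Security audit events into SNMP traps with evntcmd.exe. Assumes Windows
# Server 2008 R2 or later event sources and IDs and that the Windows SNMP
# Service feature is installed (evntcmd.exe ships with it).

# Configuration file syntax:
#   #pragma ADD <log> <source> <event id> [<count> [<period in seconds>]]
# Count/Period throttle the trap: one trap is sent only when <count> matching
# events occur within <period> seconds, so a password-guessing burst raises a
# single alert instead of one trap per attempt.
#
# Events chosen here (this example's selection):
#   4625  logon failed (throttled: 5 within 60 seconds)
#   4740  user account locked out
#   4719  system audit policy was changed
#   4720  user account created
#   1102  audit log was cleared (source Microsoft-Windows-Eventlog)
$config = @'
#pragma ADD Security Microsoft-Windows-Security-Auditing 4625 5 60
#pragma ADD Security Microsoft-Windows-Security-Auditing 4740
#pragma ADD Security Microsoft-Windows-Security-Auditing 4719
#pragma ADD Security Microsoft-Windows-Security-Auditing 4720
#pragma ADD Security Microsoft-Windows-Eventlog 1102
'@

$path = Join-Path $env:TEMP 'security-event-traps.cfg'
Set-Content -Path $path -Value $config -Encoding ASCII

# Load the configuration into the local SNMP Event Translator. /v 10 is the
# maximum verbosity, so each pragma is echoed as it is accepted; add
# /s <server> to configure a remote host instead of the local one.
& "$env:SystemRoot\System32\evntcmd.exe" /v 10 $path

# The mapping takes effect for the running SNMP service, so the test is cheap:
# fail a logon five times within a minute and confirm one trap arrives at the
# receiver configured per the Cisco SNMP guide.
```

Trap destinations for Unified ICM servers are set as the Cisco SNMP guide describes; the Microsoft configuration file also accepts a #pragma ADD_TRAP_DEST <community> <host> line for the standard Windows SNMP service. Keep in mind that SNMPv1 and v2c traps are unauthenticated and carry the community string and the event text in cleartext, so confine them to the management network.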

SQL Server auditing policies

For general SQL Server auditing policies, see SQL Server Auditing at Microsoft.

SQL Server C2 Security auditing

C2 is a security rating from the U.S. Department of Defense Trusted Computer System Evaluation Criteria (TCSEC, the "Orange Book") for systems that provide discretionary access control and an audit capability. When C2 audit mode is enabled in SQL Server, the server records every successful and failed attempt to access any statement or object, and it shuts down if it can no longer write the audit trail.

Cisco does not support C2 auditing for SQL Server in the Unified ICM/Unified CCE environment, and cannot guarantee that enabling it will not significantly degrade system performance or availability. Leave the c2 audit mode server configuration option at its default of 0 (off). For more information on C2 auditing, see C2 Audit Mode Option.

Active Directory auditing policies

Audit Active Directory account management and logon events, and monitor the audit logs for unusual activity.

The following table contains the default and recommended Domain Controller audit policies.

Table 1 Active Directory Audit Policy Recommendations

Audit account logon events
    Default Setting: No auditing
    Recommended Setting: Success and Failure
    Comments: Account logon events are generated when a domain user account is authenticated on a Domain Controller.

Audit account management
    Default Setting: Not defined
    Recommended Setting: Success
    Comments: Account management events are generated when security principal accounts are created, modified, or deleted.

Audit directory service access
    Default Setting: No auditing
    Recommended Setting: Success
    Comments: Directory service access events are generated when an Active Directory object that has a System Access Control List (SACL) is accessed.

Audit logon events
    Default Setting: No auditing
    Recommended Setting: Success and Failure
    Comments: Logon events are generated when a domain user logs on interactively to a Domain Controller, or when a network logon to a Domain Controller is performed to retrieve logon scripts and policies.

Audit object access
    Default Setting: No auditing
    Recommended Setting: (No change)

Audit policy change
    Default Setting: No auditing
    Recommended Setting: Success
    Comments: Policy change events are generated for changes to user rights assignment policies, audit policies, or trust policies.

Audit privilege use
    Default Setting: No auditing
    Recommended Setting: (No change)

Audit process tracking
    Default Setting: No auditing
    Recommended Setting: (No change)

Audit system events
    Default Setting: No auditing
    Recommended Setting: Success
    Comments: System events are generated when a user restarts or shuts down the Domain Controller, or when an event occurs that affects either the system security or the security log.
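The same settings that the Local Security Policy procedure earlier in this chapter changes by hand, and that Table 1 recommends for Domain Controllers, can be applied and verified from the command line with auditpol.exe. The script below is an added example, not part of the Cisco guide. It assumes Windows Server 2008 or later (where auditpol.exe exists), an elevated prompt on the server being configured, and that the auditpol legacy category names map to the table rows as shown in the comments.

```powershell
# Added example; not from the Cisco guide. Applies the Table 1 recommendations
# with auditpol.exe and verifies the effective policy. Assumes Windows Server
# 2008 or later and an elevated prompt. The Category values are auditpol's
# legacy category names; the comment on each row gives the Table 1 policy.

# Rows marked "(No change)" in the table (Object Access, Privilege Use and
# Detailed Tracking, which is process tracking) are deliberately not listed.
$policy = @(
    @{ Category = 'Account Logon';      Success = 'enable'; Failure = 'enable'  }   # Audit account logon events
    @{ Category = 'Account Management'; Success = 'enable'; Failure = 'disable' }   # Audit account management
    @{ Category = 'DS Access';          Success = 'enable'; Failure = 'disable' }   # Audit directory service access
    @{ Category = 'Logon/Logoff';       Success = 'enable'; Failure = 'enable'  }   # Audit logon events
    @{ Category = 'Policy Change';      Success = 'enable'; Failure = 'disable' }   # Audit policy change
    @{ Category = 'System';             Success = 'enable'; Failure = 'disable' }   # Audit system events
)

# Back up the current policy first so the change can be reversed with
#   auditpol /restore /file:<backup>
$backup = Join-Path $env:TEMP ('auditpol-{0:yyyyMMdd-HHmm}.csv' -f (Get-Date))
& auditpol.exe /backup "/file:$backup"
if ($LASTEXITCODE -ne 0) { throw 'auditpol backup failed; not changing anything' }

foreach ($p in $policy) {
    # Build the argument list as an array so category names with spaces are
    # passed to auditpol as a single argument.
    $auditArgs = @('/set', "/category:$($p.Category)",
                   "/success:$($p.Success)", "/failure:$($p.Failure)")
    & auditpol.exe $auditArgs
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for category '$($p.Category)'" }
}

# Verify: /r prints CSV with one line per subcategory and its effective setting,
# which is what actually governs what the Security log records.
& auditpol.exe /get /category:* /r |
    ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

auditpol works at the subcategory level, while the Local Security Policy console and the nine Group Policy settings in Table 1 work at the category level. If the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled, the category settings pushed by Group Policy are ignored in favor of the subcategory settings, so check that option before relying on a GPO to keep domain and local policy identical as the Note at the start of this chapter recommends.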