Audit and Remediation Cycles

Once you’ve covered the basics, you can move on to address more advanced concerns. Don’t assume that covering the basics once is enough. Auditing the status of your security controls and planning to fix any problems you find is an ongoing, necessary process. The Deming cycle provides a simple model on which to base your security administration, and auditing is a critical part of that cycle. The Deming cycle is also known as the Plan-Do-Check-Act (PDCA) process. The name comes from each of the four steps in the process:

  • Plan—Establish your objectives and processes to meet a stated goal. In the context of routine auditing, the goal should be to assess specific security controls.

  • Do—Implement the process you planned in the previous step.

  • Check—Measure the effectiveness of the new process and compare the results against the expected results from your plan. In routine auditing, this means comparing the audit information you collect against an established baseline.

  • Act—Analyze the differences between expected results and measured results. Determine the cause of any differences. Then, proceed to the Plan process to develop a plan to improve the performance.

Being able to routinely validate security settings depends on proper use of auditing. These auditing best practices will cover most general environments:

  • Maintain current backups of all audit information so you can recover historical audit information in the case of a disaster.

  • Do not enable Read or List auditing on any object unless you really need the information. Read/List access auditing can create a tremendous amount of information.

  • Do not enable Execute auditing on binary files except for administrative utilities that attackers commonly use. Do turn auditing on for these utilities to help monitor their use.

  • Limit enabling all auditing actions to files, folders, programs, and other resources that are important to your business functions. Don’t be afraid to enable auditing for any object—just ensure you need the information you’ll be saving.

  • Enable auditing for all change actions for your Windows install folder and any folders you use in normal business operation. It is also a good idea to audit changes to the Program Files folder.

  • Audit all printer actions. You may need to know who printed a document that found its way into the wrong hands.

  • Ignore Read and Write actions for temporary folders but audit Change Permissions, Write Attributes, and Write Extended Attributes actions. These actions can help identify attacker activities.

  • Develop Windows policies and Group Policy Objects (GPOs) that are as simple as possible and still satisfy your security policy. Complex policies are difficult to verify.

  • Develop clear guidelines to evaluate each element of your security policy. An audit should be a structured process to verify your security policy, not an unorganized hunt for problems. Know what you will be looking for before you search through lots of audit data.
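The folder-auditing rules above (change actions on the Windows install folder and Program Files, and only Change Permissions, Write Attributes, and Write Extended Attributes on temporary folders) can be applied and then verified with PowerShell. This is an added example, not code from the text; the use of Everyone as the audited principal and the specific folders taken from environment variables are assumptions for your own environment.

```powershell
# Added example: apply the folder audit rules described in the list above.
# Run from an elevated session; Get-Acl -Audit and Set-Acl need SeSecurityPrivilege.
# Folder paths and the 'Everyone' principal are assumptions; adjust for your environment.

# Object Access auditing must be enabled, or file-system SACLs produce no events.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        [string]$Identity = 'Everyone'
    )
    # -Audit retrieves the SACL (audit entries) in addition to the DACL.
    $acl = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Change actions on the Windows install folder and the Program Files folder.
$changeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
foreach ($folder in @($env:SystemRoot, $env:ProgramFiles)) {
    Add-FolderAuditRule -Path $folder -Rights $changeRights
}

# Temporary folders: ignore Read/Write noise, keep permission and attribute changes.
$tempRights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, WriteAttributes, WriteExtendedAttributes'
Add-FolderAuditRule -Path $env:TEMP -Rights $tempRights

# Check step of the cycle: list the audit rules now in effect on a folder
# so they can be compared against the baseline your plan defined.
function Get-FolderAuditRule {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}
Get-FolderAuditRule -Path $env:TEMP
```

Audit events produced by these SACLs appear in the Security log as Object Access events, so back up that log as part of the audit-information backups recommended above.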
