Updating security procedures and scheduling security audits
The state of the operating system and applications on a computer is dynamic.
An SACL is a list of users and groups for which actions on an object are to be audited on a Windows 2000–based network.You should only configure these policy settings if you actually intend to use the information.Note that you can set an SACL on an object in Active Directory by using the Security tab in that object's properties.To respond to security incidents, it is critical that organizations be able to track who created, changed, or deleted an account.When the value is set to Failure, an audit entry is generated when any account management event fails.If no auditing is configured, or if the auditing is set too low on the computers in your organization, you will not have sufficient evidence to analyze after security incidents take place.
On the other hand, if too much auditing is enabled, the security log will fill up with meaningless entries.
Security auditing is extremely important for any enterprise system, because audit logs sometimes give the only indication that a security breach has occurred.
If the breach is discovered some other way, proper audit policy settings generate an audit log that contains important information about the breach.
In a case like this, the computer might no longer meet the requirements for enterprise security.
Regular analysis enables an administrator to track and ensure an adequate level of security on each computer as part of an enterprise risk-management program.
Often, failure logs are much more informative than success logs, because failures typically indicate an error.