Server Auditing Best Practices—Windows Server, SQL Server, and File Server Auditing

By Staff Contributor on June 6, 2020

One of the best ways to keep your data and network secure is with server auditing, which allows you to spot abnormalities or malicious activity early on and gives you time to address it before it becomes a serious problem.

To make the most of server audits, you need to know some best practices and what to look for in an auditing tool. This guide will get you started with what you need to know for Windows server, SQL Server, and file server auditing.

server auditing best practices

What Is Server Auditing?

Before getting into the best practices, it’s important to understand what server auditing is. Server auditing isn’t like a tax or compliance audit; instead, it’s a way of tracking and reviewing activities on your server.

The process starts with creating an audit policy. These policies define the events you want to monitor and record, which you can then examine for potential security threats. For example, if the policy looks for and logs failed login attempts, this allows you to spot hackers trying to access your network.

Companies should define the best audit policy for them based on the types of threats they face and their risk tolerance.

Why Is Server Auditing Important?

Server auditing is important for security, but it also helps keep operations running at your company. Servers are typically used for heavy workloads and large volumes of network traffic, and any impact to them can cause downtime, corrupt information, or a security breach, all of which can negatively impact your business.

With a defined audit policy, administrators can track changes or attempts to access critical information through Windows server auditing, Windows file server auditing, and SQL Server auditing. The results give administrators insight into the impact of the change—performance degradation, for example—and the ability to identify the level of the threat.

Auditing is also important from a compliance perspective. Many organizations use SQL Server to store sensitive information, and this data may be subject to HIPAA and SOX requirements, among others. If you have a SQL Server audit policy to monitor changes and modifications, you can create reports based on this information and demonstrate regulatory compliance.

Common Types of Audits

Although each business has its own audit needs, certain types of audits are commonly conducted. These include the following:

  • Account logins: Auditing account logins is essential to identify unauthorized login attempts. In addition, it’s important to track successful logins to ensure only valid users are logged in.
  • Account management: Account management audits identify changes to roles and user accounts, keeping you updated on which users are authorized.
  • Object changes: Auditing object changes is necessary to see when a database object has been created, copied, changed, or dropped.
  • Policy changes: Auditing policy changes allows you to identify changes to the audit policy itself and confirm whether those modifications are expected, which is critical for accurate audits.

Other areas you might audit include directory service access, privilege use, and process tracking.

You should also make sure you have audit policies for compliance needs. This includes having policies to meet requirements and policies capable of providing the required data if the compliance agency audits your company.

Server Auditing Best Practices

Windows server auditing best practices, SQL Server auditing best practices, and file server auditing best practices have much in common. When it comes to configuring and running audits, use the following best practices as a guide:

Best Practice #1: Data Volume and Storage

In all cases, once you define which audit policies to use, you need to know where to store the collected data. Since audits can generate large volumes of information, retaining the results requires a significant amount of storage. For example, if you monitor user access to a certain file, new audit data is stored each time a user goes to it. If 10 employees access it 10 times a day, this alone will result in saving 100 audits each day.

Data volume is something you need to account for when deciding on a location for storage, whether it’s a local server or in the cloud. Additionally, since the amount of information can impact performance, it’s a good idea to run performance tests before implementing new audit policies.

Best Practice #2: Archiving

Another best practice is to plan on archiving audit data. How frequently you archive and how long you keep the archived data will depend on your business practices, how much data you generate, and your compliance needs.

Best Practice #3: Testing

Before implementing audit policies across the board, you should test them with a small group. This will help you do the following:

  • Identify performance impacts
  • Validate the policy is working as intended
  • Confirm the amount of information needed

After a test, you may realize you don’t need to maintain the depth of information first identified. If this is the case, you can adjust the policy and storage requirements.

Best Practice #4: Data Access

It’s also critical to define who has access to the data. Most people don’t need this access, so it should be restricted to those who plan to review and analyze the data.

You should also create policies limiting employee access to files. Users should only be able to get into the folders and files they need to perform their jobs.

Best Practice #5: Reviewing

Finally, verify your auditing policies regularly to ensure everything is working as expected. Having this type of check will put you in the best standing if you have a compliance audit.

Best Practice #6: Server Auditing Tools

The final best practice for server auditing is to use a good monitoring tool, since these audits collect too much information for administrators to sort through on their own. When reviewing solutions for Windows server, SQL Server, or file server audits, there are several features you should look for:

  • A consolidated view: The best tools offer a consolidated view into the health of your server, allowing you to review information such as event logs, resource use, expensive queries, file changes, and user permissions. This functionality saves time for administrators by providing key metrics and alerts at a glance instead of requiring them to wade through multiple pages and views.
  • Customizable alerts: Each business has its own requirements for security and risk thresholds, and you need to be able to configure alerts to meet your business’s needs. This prevents administrators from getting flooded with unnecessary information, and it helps streamline issue resolution.
  • Reporting: Reports are a critical component of a good solution. Reports can be used internally to review information, and they’re necessary to show compliance with security and regulatory requirements.
  • A user-friendly interface: You should also look for a good user interface. Intuitive dashboards with easy-to-use functionality and visualization tools will help you save time and effort.

SolarWinds® Server & Application Monitor (SAM)

One example of an excellent monitoring solution is SolarWinds® Server & Application Monitor (SAM). SolarWinds software supports monitoring for Windows servers, SQL Server, and Windows file servers, and it allows you to review the details of your entire environment in a single interface. It has over 1,200 templates to monitor different servers, applications, infrastructures, and databases, and it offers out-of-the-box report templates. Read more about monitoring SQL Server here.

SAM is easy to use and supports high levels of automation. Additionally, it allows you to configure alerts with different trigger conditions. It also includes features to perform asset inventory, making it a first-rate solution for server auditing and more.

© 2021 SolarWinds Worldwide, LLC. All rights reserved.

SolarWinds® SQL Sentry

Another tool that can help you audit SQL Server performance is SolarWinds® SQL Sentry. SQL Sentry can allow you to more quickly identify long-running and high-impact queries, so you can resolve performance problems faster.


SQL Sentry SQL monitoring can help you with the following and more:

  • Identifying suspect statements running thousands of times in a short period of time
  • Defining alerting and automated remediation for known performance pitfalls
  • Knowing when a new release or data churn over time has changed the performance profile for one or more queries

SQL Sentry is available to try free for 14 days.

Implementing Server Auditing Best Practices

Server auditing is one of the best ways to keep your information secure, maintain server health, and stay in compliance. To make the most of these audits, be sure to follow best practices for audit policies, storage, archiving, and data access.

You also need to find a tool to help you manage all the information gathered, such as SolarWinds Server & Application Monitor. SAM is a great solution for all types of server audits, and it comes with many other beneficial features for network administrators.

If you follow the best practices and use the right solution, you’ll find server auditing strengthens security and improves your business.

Related Posts