Operating System Audit and Logging
To determine whether adequate detective controls have been configured and that the information generated by these controls is being reviewed and followed upon:
1. Using the User Manager utility, review the Audit Policy options in effect for the domain (and server, if applicable). Normally, all failure conditions should be audited.
2. Using the Event Viewer utility, review the audit log for suspicious events and follow up on these events with the security administrator.