Best practices for Security Audit

Before reading this topic, it is recommended that you first refer to the following topics:

When managing Windows devices, an important priority is the safety and security of the devices. It is often stated that a chain is only as strong as its weakest link, and a large network may have many links. At its most fundamental level, the challenge of ensuring device security can be summarized by the following two questions:

  • What is the ideal security policy for my network?
  • How many devices deviate from the ideal policy?

To help you answer these questions, Datto RMM provides a Security Audit component and Monitoring policy set intended to pinpoint common security concerns on Windows devices. These concerns are raised both in the StdOut from the component run and within the Windows Event Log. The Monitoring policy can then catch and filter this information. If you are linking into a PSA solution, workflow rules can also be applied to tickets.

The tools

The component is called Security Audit [WIN]. It runs on Windows 7 SP1 and later (including Windows Server builds), in any language. The Monitoring policy is called Windows: Security Audit Component. It is configured to look for Event Log entries raised by the component.

The component is available in the ComStore. The Monitoring policy is available in Policies > Best Practices. Refer to Best Practices (ComStore policies).

Security Audit

The Security Audit [WIN] component inspects the following criteria:

Monitoring policy

As part of a typical run, the component logs noteworthy discoveries in the Windows Event Log. The codes used to log the events are as follows. These are all included in the Windows: Security Audit Component Monitoring policy. Consult the following chart to help you decide which events are important to you.

Component feedback

The Datto RMM Product Management team is happy to hear suggestions for features to add to a component. Please submit any suggestions via the Send Feedback button in the upper-right corner of any page.