July 12th, 2016
Recommended Audit Policy Settings
The following recommended settings are based on Microsoft and industry best practices. Note that these settings are basic, and more advanced audit configuration settings exist beginning with Windows 7 and Windows Server 2008 R2. See "Advanced Security Audit Policy Step-by-Step Guide" https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc778162(v=ws.10)?redirectedfrom=MSDN for more information.
Understanding Audit Policies
Audit policies can be set using the Group Policy Manager, where you can find them at: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy
Implementing the Default Domain Policy: Universal Security Measures
Default Domain Policy applies to all computers on your domain. Configure the following in the Default Domain Policy:
Audit policy | Setting |
Audit account logon events | Success, Failure |
Audit account management | Success, Failure |
Audit logon events | Success, Failure |
Audit policy change | Success, Failure |
Audit system events | Success, Failure |
Default Domain Controllers Policy: Specific Settings for Added Security
The Domain Controllers will get the above audit log settings through the default domain policy, unless inheritance is blocked. Configure the following additional settings in the Default Domain Controllers Policy:
Audit policy | Setting |
Audit directory service access | Success, Failure |
Audit object access | Failure |
Audit privilege use | Failure |
Note that we didn't configure Audit process tracking in either policy. The Audit process tracking setting allows you to monitor processes, and it logs a large volume of events, potentially overwhelming your logging resources. While process tracking can be useful, it is typically not part of a basic audit configuration.
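Once the two policies above have been applied, a practitioner will want to confirm that the effective audit policy on a member server or domain controller actually matches the baseline. The following PowerShell script is an added example, not part of the original article: it parses the table printed by auditpol /get /category:* (assumed to be English-language output from an elevated prompt) and lists every subcategory whose effective setting is weaker than the recommended basic setting, adding the domain-controller-only rows when the machine reports a DC role.

```powershell
# Added example (not from the original article). Compares the effective audit
# policy reported by auditpol against the basic settings recommended above.
# Assumes English auditpol output and an elevated session (auditpol /get needs it).
$Expected = @{
    'Account Logon'      = 'Success', 'Failure'   # Audit account logon events
    'Account Management' = 'Success', 'Failure'   # Audit account management
    'Logon/Logoff'       = 'Success', 'Failure'   # Audit logon events
    'Policy Change'      = 'Success', 'Failure'   # Audit policy change
    'System'             = 'Success', 'Failure'   # Audit system events
}
# DomainRole 4 or 5 means backup/primary domain controller: add the DC-only rows.
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    $Expected['DS Access']     = 'Success', 'Failure'  # Audit directory service access
    $Expected['Object Access'] = ,'Failure'            # Audit object access
    $Expected['Privilege Use'] = ,'Failure'            # Audit privilege use
}

function ConvertFrom-AuditPolText {
    # auditpol prints unindented category lines followed by indented
    # "<subcategory>   <setting>" rows; turn each row into an object.
    param([string[]]$Lines)
    $category = $null
    foreach ($line in $Lines) {
        if ($line -notmatch '\S') { continue }
        if ($line -match '^\S') { $category = $line.Trim(); continue }
        if ($line -match '^\s+(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            [pscustomobject]@{ Category = $category; Subcategory = $Matches[1]; Setting = $Matches[2] }
        }
    }
}

function Test-AuditPolicy {
    # Returns one object per subcategory that lacks a required Success/Failure flag.
    param([string[]]$AuditPolLines, [hashtable]$Required)
    $rows = ConvertFrom-AuditPolText $AuditPolLines
    foreach ($cat in $Required.Keys) {
        $subs = $rows | Where-Object Category -eq $cat
        if (-not $subs) { Write-Warning "Category '$cat' not found in auditpol output"; continue }
        foreach ($sub in $subs) {
            # A basic category setting must be reflected on every subcategory beneath it.
            $missing = @($Required[$cat] | Where-Object { $sub.Setting -notmatch $_ })
            if ($missing.Count -gt 0) {
                [pscustomobject]@{ Category = $cat; Subcategory = $sub.Subcategory
                                   Effective = $sub.Setting; Missing = ($missing -join ', ') }
            }
        }
    }
}

$gaps = @(Test-AuditPolicy -AuditPolLines (auditpol /get '/category:*') -Required $Expected)
if ($gaps.Count -gt 0) { $gaps | Format-Table -AutoSize } else { 'Effective audit policy meets the recommended baseline.' }
```

Because auditpol reports the effective per-subcategory settings, the check also surfaces cases where an advanced audit policy (Windows 7 / Server 2008 R2 and later) has overridden the basic settings configured in Group Policy.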
Exploring Audit Policy Definitions: Decoding the Terms
Examining 'Audit Account Logon Events'
Logon events represent instances of users logging on to or logging off from a computer that is logging those events. Account logon events are specifically related to domain logon events and are logged in the security log for the related domain controller.
Unpacking 'Audit Account Management'
Account management events are the "change management" events on a computer. These events include all changes made to users, groups and machines.
Dissecting 'Audit Directory Service Access'
The Audit directory service access policy provides a low-level audit trail of changes to objects in AD. The policy tracks the same activity as Audit account management events, but at a much lower level. By using this policy, you can identify exactly which fields of a user account or any other AD object were accessed. Audit account management events provide better information for monitoring maintenance of user accounts and groups, but Audit directory service access is the only way to track changes to OUs and GPOs, which can be important for change-control purposes.
Grasping 'Audit Logon Events'
Logon events represent instances of users logging on to or logging off from a computer that is logging those events. Events in this category are logged in the security log of the local computer onto which the user is logging, even when the user is actually logging onto the domain using their local computer.
Delving into 'Audit Object Access'
Object access events track users accessing objects that have their own system access control lists. Such objects include files, folders and printers.
Understanding 'Audit Policy Change'
Policy change events represent instances in which local or group policy is changed. These changes include changes to user rights assignments, audit policies and trust policies.
Comprehending 'Audit Privilege Use'
Privilege use events track users accessing objects based on their level of privilege to do so. Such objects include files, folders and printers, or any object that has its own system access control list defined.
Deducing 'Audit Process Tracking'
Process tracking logs all instances of process, service and program starts and stops. This can be useful to track both wanted and unwanted processes such as AV services and malicious programs, respectively.
Navigating 'Audit System Events'
System events include startup and shutdown events on the computer logging them, along with events that affect the system's security. These are operating system events and are only logged locally.
Sources
Authored by: David Matt