Information Security Blog

7/12, 2016

Recommended Audit Policy Settings

The following recommended settings are based on Microsoft and industry best practices. Note that these settings are basic, and more advanced audit configuration settings exist beginning with Windows 7 and Windows Server 2008 R2. See "Advanced Security Audit Policy Step-by-Step Guide" https://technet.microsoft.com/en-us/library/cc778162(v=ws.10).aspx for more information.

Audit Policies

Audit policies can be set using the Group Policy Manager, where you can find them at: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy

Default Domain Policy

Default Domain Policy applies to all computers on your domain. Configure the following in the Default Domain Policy:

Policy                            Setting
Audit account logon events        Success, Failure
Audit account management          Success, Failure
Audit logon events                Success, Failure
Audit policy change               Success, Failure
Audit system events               Success, Failure

Default Domain Controllers Policy

The Domain Controllers will get the above audit log settings through the default domain policy, unless inheritance is blocked. Configure the following additional settings in the Default Domain Controllers Policy:

Policy                            Setting
Audit directory service access    Success, Failure
Audit object access               Failure
Audit privilege use               Failure

Note that we didn't configure Audit process tracking in either policy. The Audit process tracking setting allows you to monitor processes, but it logs a large volume of events and can overwhelm your logging resources. While process tracking can be useful, it is typically not part of a basic audit configuration.
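To check whether a machine actually carries the settings above, here is an added PowerShell example (not part of the original post) that exports the local security policy with secedit and compares the basic [Event Audit] values against the recommended table; the -Role parameter, the $Recommended map and the output format are this example's own.

```powershell
# Added example: compare the local basic audit policy with the recommended settings.
# Run in an elevated PowerShell session; secedit /export needs administrator rights.
param(
    [ValidateSet('Member', 'DomainController')]
    [string]$Role = 'Member'
)

# secedit [Event Audit] values: 0 = No auditing, 1 = Success, 2 = Failure, 3 = Success and Failure
$Label = @{ 0 = 'No auditing'; 1 = 'Success'; 2 = 'Failure'; 3 = 'Success, Failure' }

# Default Domain Policy settings (every machine in the domain)
$Recommended = [ordered]@{
    AuditAccountLogon  = 3   # Audit account logon events
    AuditAccountManage = 3   # Audit account management
    AuditLogonEvents   = 3   # Audit logon events
    AuditPolicyChange  = 3   # Audit policy change
    AuditSystemEvents  = 3   # Audit system events
}
if ($Role -eq 'DomainController') {
    # Additional Default Domain Controllers Policy settings
    $Recommended['AuditDSAccess']      = 3   # Audit directory service access
    $Recommended['AuditObjectAccess']  = 2   # Audit object access
    $Recommended['AuditPrivilegeUse']  = 2   # Audit privilege use
}

# Export the current security policy to a temporary .inf file
$inf = Join-Path $env:TEMP 'auditcheck.inf'
secedit /export /cfg $inf | Out-Null

# Parse the [Event Audit] section into a hashtable of policy name -> integer value
$current = @{}
$inSection = $false
foreach ($line in Get-Content $inf) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Event Audit'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(\d+)') {
        $current[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# Report each recommended policy as OK or DRIFT; a missing key means no auditing
foreach ($name in $Recommended.Keys) {
    $want = $Recommended[$name]
    $have = if ($current.ContainsKey($name)) { $current[$name] } else { 0 }
    $status = if ($have -eq $want) { 'OK' } else { 'DRIFT' }
    '{0,-6} {1,-20} expected: {2,-17} actual: {3}' -f $status, $name, $Label[$want], $Label[$have]
}
```

If advanced audit policy subcategories are also configured, Windows ignores these basic category settings by default (the "Force audit policy subcategory settings" security option controls this), so verify the effective policy with auditpol /get /category:* as well.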

Audit Policy Definitions

Audit account logon events
Logon events represent instances of users logging on to or logging off from a computer that is logging those events. Account logon events are specifically related to domain logon events and are logged in the security log for the related domain controller.

Audit account management
Account management events are the "change management" events on a computer. These events include all changes made to users, groups and machines.

Audit directory service access
The Audit directory service access policy provides a low-level audit trail of changes to objects in AD. The policy tracks the same activity as Audit account management, but at a much lower level. By using this policy, you can identify exactly which fields of a user account or any other AD object were accessed. Audit account management provides better information for monitoring maintenance of user accounts and groups, but Audit directory service access is the only way to track changes to OUs and GPOs, which can be important for change-control purposes.

Audit logon events
Logon events represent instances of users logging on to or logging off from a computer that is logging those events. Events in this category are logged in the security log of the local computer onto which the user is logging, even when the user is actually logging onto the domain using their local computer.

Audit object access
Object access events track users accessing objects that have their own system access control lists. Such objects include files, folders and printers.

Audit policy change
Policy change events represent instances in which local or group policy is changed. These changes include changes to user rights assignments, audit policies and trust policies.

Audit privilege use
Privilege use events track users accessing objects based on their level of privilege to do so. Such objects include files, folders and printers, or any object that has its own system access control list defined.

Audit process tracking
Process tracking logs all instances of process, service and program starts and stops. This can be useful for tracking both wanted and unwanted processes, such as AV services and malicious programs, respectively.

Audit system events
System events include startup and shutdown events on the computer logging them, along with events that affect the system's security. These are operating system events and are only logged locally.
