June 13, 2019
Windows Audit Policy
This is a basic guide for configuring your Audit Policies in Windows, such that when we emit these logs to a SIEM, we can make good use of them in alarming, reporting, compliance and general awareness from a security perspective. We have been publishing this guide for a few years and we regularly refine it as our experience with the resultant logs in various SIEM platforms grows. This is a very different document from the original we drafted in early 2015, so check back once a month or so to see any changes.
Current version - June 2019
Basic vs Advanced Security Policy
Basic Audit policy in blue, Advanced in Green:
Anything in Green overrides anything in Blue, so it is possible to edit only the Green section.
We think editing both makes sense
What is the current Policy set to audit?
To see what auditing policy is actually in effect on a machine, run the following from an admin command prompt:
auditpol /get /category:*
Example output (not what is recommended). Save this so you can compare it later, after forcing the GPO update out, to check whether your changes took effect:
Category/Subcategory                            Setting
System
  Security System Extension                     No Auditing
  System Integrity                              Success and Failure
  IPsec Driver                                  No Auditing
  Other System Events                           Success and Failure
  Security State Change                         Success
Logon/Logoff
  Logon                                         Success and Failure
  Account Lockout                               Success
  IPsec Main Mode                               Success
  IPsec Quick Mode                              Success
  IPsec Extended Mode                           Success
  Special Logon                                 Success
  Other Logon/Logoff Events                     Success
  Network Policy Server                         Success and Failure
  User / Device Claims                          Success
Object Access
  File System                                   No Auditing
  Registry                                      No Auditing
  Kernel Object                                 No Auditing
  SAM                                           No Auditing
  Certification Services                        No Auditing
  Application Generated                         No Auditing
  Handle Manipulation                           No Auditing
  File Share                                    No Auditing
  Filtering Platform Packet Drop                No Auditing
  Filtering Platform Connection                 No Auditing
  Other Object Access Events                    No Auditing
  Detailed File Share                           No Auditing
  Removable Storage                             No Auditing
  Central Policy Staging                        No Auditing
Privilege Use
  Non Sensitive Privilege Use                   No Auditing
  Other Privilege Use Events                    No Auditing
  Sensitive Privilege Use                       No Auditing
Detailed Tracking
  Process Creation                              No Auditing
  Process Termination                           No Auditing
  DPAPI Activity                                No Auditing
  RPC Events                                    No Auditing
Policy Change
  Authentication Policy Change                  Success
  Authorization Policy Change                   Success
  MPSSVC Rule-Level Policy Change               Success
  Filtering Platform Policy Change              Success
  Other Policy Change Events                    Success
  Audit Policy Change                           Success
Account Management
  User Account Management                       Success
  Computer Account Management                   Success
  Security Group Management                     Success
  Distribution Group Management                 Success
  Application Group Management                  Success
  Other Account Management Events               Success
DS Access
  Directory Service Changes                     No Auditing
  Directory Service Replication                 No Auditing
  Detailed Directory Service Replication        No Auditing
  Directory Service Access                      Success
Account Logon
  Kerberos Service Ticket Operations            Success
  Other Account Logon Events                    Success
  Kerberos Authentication Service               Success
Note that your level of user permissions matters: you may well check the local audit policy in the UI and see different results, so the CLI is the way to be sure you are viewing what is actually in effect.
But what happens if your Audit Policy results do NOT match the GPO you are editing?
You can try the deprecated tool rsop.msc. It will generate a resultant audit policy for you; the settings it reports may be wrong, BUT it will show you which GPO is in effect, and that matters!
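The "save it now, compare after the GPO push" step above is easy to automate. The script below is an added example, not from the original post: it snapshots the effective policy using auditpol's CSV output (the /r switch), and on a second run diffs the live policy against that snapshot so you can see exactly which subcategories changed. The snapshot path and the elevation check are my assumptions; the rest uses only auditpol and built-in PowerShell cmdlets.

```powershell
# Added example (not from the original post): snapshot the effective audit
# policy before pushing the GPO, then diff the live policy against that
# snapshot afterwards to confirm the change actually landed.
# The snapshot path is an assumption; change it to suit your environment.
param(
    [string]$Snapshot = "$env:ProgramData\auditpol-before.csv",
    [switch]$Compare
)

# auditpol needs an elevated prompt; a non-elevated UI view can differ from
# the effective policy, so fail early rather than report the wrong thing.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (administrator) PowerShell prompt.'
}

function Get-EffectiveAuditPolicy {
    # /r makes auditpol emit CSV (Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting). Blank lines
    # are dropped before parsing so ConvertFrom-Csv sees a clean header row.
    auditpol /get /category:* /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

if (-not $Compare) {
    Get-EffectiveAuditPolicy | Export-Csv -Path $Snapshot -NoTypeInformation
    Write-Host "Saved $Snapshot. Push the GPO (gpupdate /force), then re-run with -Compare."
    return
}

$before = Import-Csv -Path $Snapshot
$after  = Get-EffectiveAuditPolicy
$diff   = Compare-Object -ReferenceObject $before -DifferenceObject $after `
              -Property Subcategory, 'Inclusion Setting'

if (-not $diff) {
    Write-Warning 'No audit subcategory changed; check which GPO is winning (rsop.msc).'
    return
}

# "<=" rows show the old setting and "=>" rows the new one for each
# subcategory whose effective setting moved.
$diff | Sort-Object Subcategory, SideIndicator |
    Format-Table Subcategory, 'Inclusion Setting', SideIndicator -AutoSize
```

Run it once before you link or edit the GPO, force the update, and run it again with -Compare. An empty diff after a forced update is the signal that a different GPO is winning, which is exactly when rsop.msc earns its keep.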
The Audit Policy
Feel free to enable as many as you like, though there are ramifications for doing so.
We are looking at Value over Volume here, and this is especially true in the age of SaaS based SIEM models. However, as we consider UEBA systems, there will be differences!
Note that we did not enable Process tracking in the Basic; this is by design. There are numerous cases where we want Process tracking on, however we will tackle those by server. For example, the Web or Mail or purpose-built server in the DMZ, we absolutely want those on! This is just a starting point and we can always refine as we move forward.
Enable these for your SaaS based SIEM or where you have limits on EPS and/or storage.
However, if you have a UEBA system, let's go for the full monty.
Regardless of SIEM version, we need to Audit everything here
This is where we can play a bit: while the starting point is shown below, some settings like DPAPI or Process Creation/Termination might be advisable for varying scenarios. We can help walk you through those.
If you use SACLs we can discuss the rationale, but these tend to be more operational in nature, so for the starting point let's leave this Not Configured for now.
Note that we set some to "No Auditing"; this is so the end server admin can enable them for troubleshooting, but they don't stay that way. You can do this by selecting Configure, then selecting neither Success nor Failure. Detailed File Share is a MUST in a UEBA system, but one we should consider on a case-by-case basis for other SIEMs.
- Audit File share does add value, but will be VERY high volume on File Servers, enable with caution
- Audit File System will be very verbose during patching
- Disabled for Windows Firewall: Windows writes a log entry for everything it sends, so emitting these logs to a SIEM via tools like nxlog or OSSEC can introduce race conditions
Non-Sensitive and Sensitive Privilege Use have their place, though much of this will be Windows rights changing based on user or account permissions "per action". For a starting point we can leave these off, but once your SIEM is past implementation, let's review usage and rationale on a server-by-server basis. For example, we might want to enable Sensitive Privilege Use auditing on high-risk servers to monitor driver loading and unloading or file restore and backup scenarios.
These events matter!
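The per-server refinements described above (process tracking on DMZ boxes, File Share with caution on file servers, Detailed File Share for UEBA, the firewall subcategories left off everywhere) can be expressed as a small role-based layer on top of the baseline GPO. The script below is an added example, not the post's own recommendation or screenshots: the role names and the specific Success/Failure choices per role are my assumptions for illustration, and the "configured but No Auditing" trick is done the auditpol way (both success and failure set to disable).

```powershell
# Added example (not from the original post): apply role-specific audit
# subcategories on top of the baseline. Role names and the per-role choices
# are assumptions for illustration; tune them after your SIEM go-live.
param(
    [ValidateSet('Baseline', 'DMZ', 'FileServer', 'UEBA')]
    [string]$Role = 'Baseline'
)

function Set-AuditSubcategory {
    param([string]$Name, [bool]$Success, [bool]$Failure)
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    # Disabling both sides leaves the subcategory configured as "No Auditing":
    # a server admin can flip it on for troubleshooting, and the next policy
    # refresh puts it back instead of letting it silently stay on.
    auditpol /set /subcategory:"$Name" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$Name'" }
}

# Everywhere: the Filtering Platform (Windows Firewall) subcategories stay off
# because of the volume and forwarder race conditions described above.
Set-AuditSubcategory 'Filtering Platform Connection'  $false $false
Set-AuditSubcategory 'Filtering Platform Packet Drop' $false $false

switch ($Role) {
    'DMZ' {
        # Web, mail and purpose-built servers in the DMZ: process tracking on.
        Set-AuditSubcategory 'Process Creation'    $true $true
        Set-AuditSubcategory 'Process Termination' $true $true
    }
    'FileServer' {
        # File Share adds value but is very noisy on file servers. Failures only
        # is an assumed conservative starting point, not the post's setting.
        Set-AuditSubcategory 'File Share' $false $true
    }
    'UEBA' {
        # Detailed File Share is a must when feeding a UEBA system; Sensitive
        # Privilege Use here is the high-risk-server case the post mentions.
        Set-AuditSubcategory 'Detailed File Share'     $true $true
        Set-AuditSubcategory 'Sensitive Privilege Use' $true $true
    }
}

# Show the effective result for the categories this script touches.
auditpol /get /category:"Object Access","Detailed Tracking","Privilege Use"
```

Because auditpol /set writes the local policy, a linked GPO with the Advanced settings configured will overwrite these on the next refresh; in practice the role layer belongs in a GPO scoped to the server OU, and a script like this is for confirming the intended end state before you commit it to group policy.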
Global Object Access Auditing
Global means Custom
Win 2003 and Older Accepted settings
This is our default auditing policy to help prevent rapid log bloat. The key settings that should be set to "No auditing" are Audit object access and Audit process tracking. A better idea is to toss any Windows 2003 machines and upgrade. I mean seriously... the server is more of a liability than worrying about auditing it, right?
DO NOT ENABLE OBJECT ACCESS ON Win 2003 and Older