Windows Audit Policy Basics

Windows Audit Policy

This is a basic guide for configuring your Audit Policies in Windows, such that when we emit these logs to a SIEM, we can make good use of them in alarming, reporting, compliance and general awareness from a security perspective. We have been publishing this guide for a few years and we regularly refine it as our experience with the resultant logs in various SIEM platforms grows. This is a very different document from the original we drafted in early 2015, so check back once a month or so to see any changes.


Current version - June 2019

Basic vs Advanced Security Policy

Basic Audit Policy in blue, Advanced in green:

Anything in green overrides anything in blue, so it is possible to edit only the green section.

We think editing both makes sense.


What is the current Policy set to audit?

To see what audit policy is actually in effect on a machine, open an elevated (administrator) command prompt and run:

auditpol /get /category:*


Example output (not the recommended configuration). Save this so you can compare it later, after forcing the GPO update out, to confirm that the changes actually took effect:

System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         Success
  IPsec Quick Mode                        Success
  IPsec Extended Mode                     Success
  Special Logon                           Success
  Other Logon/Logoff Events               Success
  Network Policy Server                   Success and Failure
  User / Device Claims                    Success
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            Success
  Authorization Policy Change             Success
  MPSSVC Rule-Level Policy Change         Success
  Filtering Platform Policy Change        Success
  Other Policy Change Events              Success
  Audit Policy Change                     Success
Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           Success
  Application Group Management            Success
  Other Account Management Events         Success
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              Success
  Kerberos Authentication Service         Success


Note that your level of user permissions matters: you may well be checking the local audit policy in the UI and see different results. The CLI is therefore the method to ensure you are viewing what is actually in effect.

But what happens if your effective audit policy does NOT match the GPO you are editing?

You can try the deprecated tool rsop.msc. It will generate a resultant audit policy for you; the individual settings it reports may be wrong, BUT it will show you which GPO is actually in effect, and that matters!
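The "save the output, force the GPO, check it took" workflow above, and the "does the Advanced policy really override the Basic one" question, as an added PowerShell example (not a script from the original guide). It assumes an elevated prompt and a baseline file location of its own choosing; the Lsa registry value it reads is the one behind the "Audit: Force audit policy subcategory settings" security option.

```powershell
# Added example, not from the original guide. Snapshots the effective audit policy
# before the GPO push, reports what changed after "gpupdate /force", and checks that
# Advanced (green) subcategory settings are set to override the Basic (blue) ones.
# Run from an elevated prompt. $BaselinePath is an assumed location.
param([string]$BaselinePath = "$env:ProgramData\auditpol-baseline.csv")

function Get-EffectiveAuditPolicy {
    # /r makes auditpol emit CSV (Subcategory, Subcategory GUID, Inclusion Setting, ...)
    auditpol /get /category:* /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Subcategory GUID', 'Inclusion Setting'
}

function Save-AuditBaseline {
    Get-EffectiveAuditPolicy | Export-Csv -Path $BaselinePath -NoTypeInformation
    "Baseline written to $BaselinePath"
}

function Compare-AuditBaseline {
    # Keyed on the subcategory GUID rather than the display name so localised names still match
    $before = @{}
    Import-Csv $BaselinePath | ForEach-Object { $before[$_.'Subcategory GUID'] = $_.'Inclusion Setting' }
    foreach ($row in Get-EffectiveAuditPolicy) {
        $old = $before[$row.'Subcategory GUID']
        if ($old -ne $row.'Inclusion Setting') {
            # Only subcategories whose effective setting changed are printed
            '{0,-40} {1,-20} -> {2}' -f $row.Subcategory, $old, $row.'Inclusion Setting'
        }
    }
}

function Test-AdvancedPolicyPrecedence {
    # SCENoApplyLegacyAuditPolicy = 1 is the registry side of the GPO security option
    # "Audit: Force audit policy subcategory settings ... to override audit policy category settings",
    # which Microsoft recommends enabling whenever Advanced Audit Policy is in use.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    [bool]$lsa.SCENoApplyLegacyAuditPolicy
}

# Typical flow: Save-AuditBaseline ; gpupdate /target:computer /force ; Compare-AuditBaseline
if (-not (Test-AdvancedPolicyPrecedence)) {
    Write-Warning 'Advanced audit policy is not forced over Basic; enable "Audit: Force audit policy subcategory settings" in the GPO.'
}
```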


The Audit Policy

Feel free to enable as many as you like, though there are ramifications for doing so.

We are looking at Value over Volume here, and this is especially true in the age of SaaS based SIEM models. However, as we consider UEBA systems, there will be differences!


Note that we did not enable Process Tracking in the Basic policy; this is by design. There are numerous cases where we want Process Tracking on, but we will tackle those server by server. For example, on a web, mail or other purpose-built server in the DMZ, we absolutely want it on! This is just a starting point and we can always refine as we move forward.

Advanced

Account logon

Enable these for your SaaS-based SIEM, or where you have limits on EPS and/or storage.

However, if you have a UEBA system, let's go for the full Monty.

Account Management

Regardless of SIEM version, we need to audit everything here.


Detailed Tracking

This is where we can play a bit. The starting point is shown below, but some settings, such as DPAPI Activity or Process Creation/Termination, might be advisable in particular scenarios. We can help walk you through those.

DS Access

If you use SACLs we can discuss the rationale, but these tend to be more operational in nature, so for the starting point let's leave this Not Configured for now.


Logon/Logoff


Object Access

Note that we set some of these to “No Auditing” explicitly. This is so the end server admin can enable them for troubleshooting, but they don't stay that way once the GPO reapplies. You do this by selecting Configure and then selecting neither Success nor Failure. Detailed File Share is a MUST in a UEBA system, but one we should consider on a case-by-case basis for other SIEMs.


  • Audit File Share does add value, but will be VERY high volume on file servers; enable with caution
  • Audit File System will be very verbose during patching
  • Disabled for Windows Firewall: Windows writes a log entry for everything it sends, so the act of emitting these logs to a SIEM via tools like nxlog or OSSEC can itself introduce race conditions


Policy Change


Privilege use

Non-Sensitive and Sensitive Privilege Use have their place, though much of this will be Windows rights changing based on user or account permissions “per action”. For a starting point we can leave these off, but once your SIEM is post-implementation, let's review usage and rationale on a server-by-server basis. For example, we might want to enable Sensitive Privilege Use auditing on high-risk servers to monitor driver loading and unloading, or file restore and backup scenarios.


System

These events matter!
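The Advanced starting point described in words above, applied with auditpol so the exact subcategories are visible, as an added example that is not the guide's own script. Settings the guide shows only in its screenshots (Logon/Logoff, Policy Change, System, Detailed Tracking) are not reproduced; the -Ueba switch is an assumption standing in for the guide's "full Monty"/UEBA variant.

```powershell
# Added example, not the guide's own script. Applies only the Advanced Audit Policy
# settings the guide states in words; extend $Policy with your own screenshot-derived
# choices. Run from an elevated prompt on a test host: on a GPO-managed server the
# same settings belong under Advanced Audit Policy Configuration in the GPO instead.
param([switch]$Ueba)   # assumed switch: the guide's "full Monty" / UEBA variant

$Policy = @(
    # Account Management: "Regardless of SIEM version, we need to audit everything here"
    @{ Sub = 'User Account Management';         Success = 'enable';  Failure = 'enable'  }
    @{ Sub = 'Computer Account Management';     Success = 'enable';  Failure = 'enable'  }
    @{ Sub = 'Security Group Management';       Success = 'enable';  Failure = 'enable'  }
    @{ Sub = 'Distribution Group Management';   Success = 'enable';  Failure = 'enable'  }
    @{ Sub = 'Application Group Management';    Success = 'enable';  Failure = 'enable'  }
    @{ Sub = 'Other Account Management Events'; Success = 'enable';  Failure = 'enable'  }
    # Object Access: explicit "No Auditing" (Configure ticked, neither box checked), so an
    # admin's troubleshooting change is reverted at the next policy refresh.
    @{ Sub = 'Filtering Platform Connection';   Success = 'disable'; Failure = 'disable' } # Windows Firewall
    @{ Sub = 'Filtering Platform Packet Drop';  Success = 'disable'; Failure = 'disable' } # Windows Firewall
    @{ Sub = 'File Share';                      Success = 'disable'; Failure = 'disable' } # high volume on file servers
    @{ Sub = 'File System';                     Success = 'disable'; Failure = 'disable' } # very verbose during patching
    # Privilege Use: off at the starting point, revisit per server post-implementation
    @{ Sub = 'Non Sensitive Privilege Use';     Success = 'disable'; Failure = 'disable' }
    @{ Sub = 'Sensitive Privilege Use';         Success = 'disable'; Failure = 'disable' }
    @{ Sub = 'Other Privilege Use Events';      Success = 'disable'; Failure = 'disable' }
)
# DS Access is deliberately absent: the guide leaves it Not Configured.

if ($Ueba) {
    # Detailed File Share is a MUST for UEBA; Account Logon gets the "full Monty".
    $Policy += @{ Sub = 'Detailed File Share'; Success = 'enable'; Failure = 'enable' }
    foreach ($s in 'Credential Validation', 'Kerberos Authentication Service',
                   'Kerberos Service Ticket Operations', 'Other Account Logon Events') {
        $Policy += @{ Sub = $s; Success = 'enable'; Failure = 'enable' }
    }
}

foreach ($p in $Policy) {
    auditpol /set /subcategory:"$($p.Sub)" /success:$($p.Success) /failure:$($p.Failure) | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$($p.Sub)'" }
}

# Read back what actually took effect, the same way the guide checks it.
foreach ($p in $Policy) {
    auditpol /get /subcategory:"$($p.Sub)" /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}
```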


Global Object Access Auditing

Global means Custom


Win 2003 and Older Accepted settings

This is our default auditing policy for these systems, intended to help prevent rapid log bloat. The key settings that should be set to "No auditing" are Audit object access and Audit process tracking. A better idea is to retire any Windows 2003 machines and upgrade. Seriously, the server itself is more of a liability than the question of how to audit it, right?

DO NOT ENABLE OBJECT ACCESS ON Win 2003 and Older