Windows Audit Policy Basics

Windows Audit Policy

This is a basic guide to configuring your Audit Policies in Windows so that, when these logs are emitted to a SIEM, we can make good use of them for alarming, reporting, compliance and general awareness from a security perspective. We have been publishing this guide for a few years and regularly refine it as our experience with the resulting logs on various SIEM platforms grows. It is a very different document from the original we drafted in early 2015, so check back once a month or so to see any changes.

Current version - Oct 2020

Basic vs Advanced Security Policy

Basic Audit Policy in blue, Advanced Audit Policy Configuration in green:

Anything in green overrides anything in blue, so it is possible to edit only the green (Advanced) section.

We think editing both makes sense.

What is the current policy set to audit?

To see what audit policy is actually in effect on a machine, run the following from an admin (elevated) command prompt:

auditpol /get /category:*

Example output (this is not what is recommended). Save this output so it can be reviewed later, once the GPO updates have been forced out, to check that our changes took effect:

System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         Success
  IPsec Quick Mode                        Success
  IPsec Extended Mode                     Success
  Special Logon                           Success
  Other Logon/Logoff Events               Success
  Network Policy Server                   Success and Failure
  User / Device Claims                    Success
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            Success
  Authorization Policy Change             Success
  MPSSVC Rule-Level Policy Change         Success
  Filtering Platform Policy Change        Success
  Other Policy Change Events              Success
  Audit Policy Change                     Success
Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           Success
  Application Group Management            Success
  Other Account Management Events         Success
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              Success
  Kerberos Authentication Service         Success
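As an added example (not part of this guide), a small Python script that parses a saved auditpol listing like the one above, diffs the pre- and post-GPO snapshots, and checks the handful of end states this guide states explicitly. The sample snapshots are constructed, and the EXPECTED table is an assumption that covers only the settings named on this page.

```python
import re

# Subcategory lines end in one of these four settings; category lines do not.
LINE_RE = re.compile(r"^(.+?)\s{2,}(Success and Failure|No Auditing|Success|Failure)$")

def parse_auditpol(text):
    """Map (category, subcategory) -> setting from 'auditpol /get /category:*' text.
    Keying on the trailing setting, not indentation, also copes with a listing whose leading spaces were lost."""
    policy, category = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = LINE_RE.match(line)
        if line and m is None:        # header/category line such as "Policy Change"
            category = line
        elif m:
            policy[(category, m.group(1))] = m.group(2)
    return policy

def diff_policies(before, after):
    """(category, subcategory, old, new) for every subcategory that changed."""
    return [(*k, before.get(k, "<missing>"), after.get(k, "<missing>"))
            for k in sorted(set(before) | set(after)) if before.get(k) != after.get(k)]

# Assumption: only the two end states this guide spells out; extend with your own baseline.
EXPECTED = {("Policy Change", "Authorization Policy Change"): "Failure",
            ("Privilege Use", "Sensitive Privilege Use"): "No Auditing"}

def check_expected(policy, expected=EXPECTED):
    """{(category, subcategory): (actual, wanted)} for entries not yet as intended."""
    return {k: (policy.get(k, "<missing>"), v) for k, v in expected.items()
            if policy.get(k) != v}

# Constructed sample snapshots: a trimmed 'before' in the layout shown above, and an
# 'after' as if the GPO had enabled Process Creation and moved Authorization Policy
# Change from Success and Failure to Failure only.
BEFORE = """Detailed Tracking
  Process Creation                        No Auditing
Policy Change
  Authorization Policy Change             Success and Failure
  Audit Policy Change                     Success
Privilege Use
  Sensitive Privilege Use                 No Auditing
"""
AFTER = re.sub(r"(Process Creation\s+)No Auditing", r"\1Success",
        re.sub(r"(Authorization Policy Change\s+)Success and Failure", r"\1Failure", BEFORE))

for change in diff_policies(parse_auditpol(BEFORE), parse_auditpol(AFTER)):
    print("%s / %s: %s -> %s" % change)
print("still to fix:", check_expected(parse_auditpol(AFTER)))
```

In practice, redirect each real auditpol run to a file before and after forcing the GPO update and feed the two files to parse_auditpol in place of the constructed strings.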

Note that your level of user permissions matters: you may well be checking the local audit policy in the UI and see different results, so the CLI is the way to ensure you are viewing what is actually in effect.

But what happens if your audit policy results do NOT match the GPO you are editing?

You can try the deprecated tool rsop.msc. It will generate an audit policy for you; the results may be wrong with respect to the settings, BUT they will show you which GPO is in effect, and that matters!

The Audit Policy

Feel free to enable as many as you like, though there are ramifications for doing so.

We are looking at Value over Volume here, and this is especially true in the age of SaaS-based SIEM models. However, as we all move to UEBA systems, there will be differences, and we can and should collect more logs!

Advanced

Account Logon

  • Enable only these where you have limits on EPS and/or storage, or are on a SIEM 1.0 style platform
  • Please see Castra for information on moving to a UEBA/SOAR platform!

  • Hopefully you have a UEBA or UBA system; if so, please enable all here

Account Management

  • Regardless of SIEM version, we need to audit everything here

Detailed Tracking

  • This is where we can play a bit: while the starting point is shown below, some settings, such as DPAPI Activity or Process Creation/Termination, might be advisable in varying scenarios.
  • We can help walk you through those, as it depends on your SIEM.
  • For UEBA and UBA systems, we prefer monitoring more, as shown.

DS Access

If you use SACLs we can discuss the rationale, but these events tend to be more operational in nature, so for the starting point let's leave this Not Configured for now.

Logon/Logoff

Object Access

  • Note that we set some of these to “No Auditing”; this is so the end server admin can enable them for troubleshooting, but they don’t stay that way.
  • You can do this by selecting Configure, then not selecting either Success or Failure.
  • Detailed File Share is a MUST in a UEBA system, but one we should consider on a case-by-case basis for other SIEMs.

  • Audit File Share does add value, but will be VERY high volume on file servers; enable with caution.
  • Audit File System will be very verbose during patching.
  • Disabled for Windows Firewall (the Filtering Platform subcategories): Windows will write a log entry for everything it sends, so the act of emitting these logs to a SIEM via tools like nxlog or other agents can introduce race conditions.

Policy Change

  • 4703 events (A user right was adjusted) will be robust and frequent when WMI is used and endpoints consist of Windows 10 and Server 2016 forward, especially when remote endpoint monitoring tools make frequent connections.
  • We would like to formally request that Policy Change > Audit Authorization Policy Change be moved from Success and Failure to just Failure.

Privilege Use

  • Non-Sensitive and Sensitive Privilege Use have their place, though much of this will be Windows rights changing based on user or account permissions “per action”.
  • For a starting point, we can leave these off, but once your SIEM is post-implementation, let's review usage and rationale on a server-by-server basis. For example, we might want to enable Sensitive Privilege Use auditing on high-risk servers to monitor driver loading and unloading, or file backup and restore scenarios.
  • Note that Audit Sensitive Privilege Use is set to No Auditing (for now).

System

These events matter!

Global Object Access Auditing

Global means Custom