October 1, 2020
Windows Audit Policy
This is a basic guide for configuring your Audit Policies in Windows, such that when we emit these logs to a SIEM, we can make good use of them in alarming, reporting, compliance and general awareness from a security perspective. We have been publishing this guide for a few years and we regularly refine it as our experience with the resultant logs in various SIEM platforms grows. This is a very different document from the original we drafted in early 2015, so check back once a month or so to see any changes.
Current version - Oct 2020
Basic vs Advanced Security Policy
Basic Audit policy in blue, Advanced in Green:
Anything in Green overrides anything in Blue, thus it is possible to only edit the Green section
We think editing both makes sense
What is the current Policy set to audit?
To see what auditing policy is actually set on a machine.
From admin command prompt, you run:
auditpol /get /category:*
Example output (not what is recommended), we will save this to review later when we force the GPO updates out to check if our changes took place
System
Security System Extension No Auditing
System Integrity Success and Failure
IPsec Driver No Auditing
Other System Events Success and Failure
Security State Change Success
Logon/Logoff
Logon Success and Failure
Logoff Success
Account Lockout Success
IPsec Main Mode Success
IPsec Quick Mode Success
IPsec Extended Mode Success
Special Logon Success
Other Logon/Logoff Events Success
Network Policy Server Success and Failure
User / Device Claims Success
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Removable Storage No Auditing
Central Policy Staging No Auditing
Privilege Use
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Sensitive Privilege Use No Auditing
Detailed Tracking
Process Creation No Auditing
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Policy Change
Authentication Policy Change Success
Authorization Policy Change Success
MPSSVC Rule-Level Policy Change Success
Filtering Platform Policy Change Success
Other Policy Change Events Success
Audit Policy Change Success
Account Management
User Account Management Success
Computer Account Management Success
Security Group Management Success
Distribution Group Management Success
Application Group Management Success
Other Account Management Events Success
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access Success
Account Logon
Kerberos Service Ticket Operations Success
Other Account Logon Events Success
Kerberos Authentication Service Success
Note that your level of user permissions matter, you may very well be checking the local audit policy with the UI but see different results, thus the CLI is the method to ensure you are viewing what is accurate.
But what happens if your Audit Policy results do NOT match the GPO you are editing?
You can try the deprecated tool rsop.msc this will generate an audit policy for you, however the results may be wrong with respect to the settings, BUT, they will show you which GPO Policy is in effect, and that matters!
The Audit Policy
Feel free to enable as many as you like, though there are ramifications for doing so.
We are looking at Value over Volume here, and this is especially true in the age of SaaS based SIEM models. However, as we all move to UEBA systems, there will be differences and we can and should collect more logs!
Advanced
Account logon
- Enable only these where you have limits on EPS and/or storage, or are on a SIEM 1.0 style platform
- Please see Castra for information on moving to a UEBA/SOAR platform!
- Hopefully you have a UEBA or UBA system, please enable all here
Account Management
- Regardless of SIEM version, we need to Audit everything here
Detailed Tracking
- This is where we can play a bit, while the starting point is shown below, some settings like DPAPI or the Process Creation/Termination might be advisable for varying scenarios.
- We can help walk you through those as it depends on your SIEM.
- For UEBA and UBA systems, we prefer monitoring more as shown.
DS Access
If you use SACL we can discuss rationale, but these tend to be more operational in nature, thus for the starting point, lets leave this Not Configured for now
Logon/Logoff
Object Access
- Note that we set some to “No Auditing”, this is so the end server admin can enable for troubleshooting the but they don’t stay that way.
- You can do this by Selecting Configure, then not selecting either Success or Failure.
- Detailed File Share, this is a MUST in a UEBA system, but one we should consider on a case by case basis for other SIEMs
- Audit File share does add value, but will be VERY high volume on File Servers, enable with caution
- Audit File System will be very verbose during patching
- Disabled for Windows Firewall, Windows will write a log for everything it sends, thus the act of emitting these logs to a SIEM via tools like nxlog or other agents can introduce race conditions
Policy Change
- 4703 events will be robust and frequent when WMI is used and end points consist of Win10 and Server 2016 forward, especially when remote endpoint monitoring tools make frequent connections.
- We would like to formally request that Policy Change > Audit Authorization Policy Change, be moved from Success and Failure, to just Failure
Privilege use
- Non-Sensitive and Sensitive Privilege Use have their place, though much of this will be windows rights changing based on user or account permissions “per action”.
- For a starting point, we can leave these off, but once your SIEM is post Implementation, lets review usage and rationale on a server by server basis. For example, we might want to enable auditing for Sensitive Privilege for high risk to monitor driver loading and unloading or file restoring and backup scenarios.
- Note Audit Sensitive Privilege Use is set to NO Auditing (for now)
System
These events matter!
Global Object Access Auditing
Global means Custom