BluSapphire
Search…
Windows Advanced Auditing Recommendations
Advanced Audit Logging for better visibility using Domain Group Policy (Preferred)
As with all security settings, the best practice is to use Group Policy to centrally manage your audit policy. Using local settings can be risky: A group policy could override the local policy settings. Microsoft warns you of this behavior on each policy’s Local Security Setting tab shown below.
To configure audit settings on all domain clients:
· Go to Start Menu → Administrative Tools → Group Policy Management.
· In the left pane, navigate to Forest → Domains → Domain Name. Expand it.
· You can select either ‘Default Domain Policy’ or create a new Group Policy Object.
· Right-click on ‘Default Domain Policy’ or other Group Policy Object.
· Click ‘Edit’ in the context menu. It shows ‘Group Policy Management Editor’.
· Go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies.
· Check Configure the following audit events -> Success -> OK.
Continue to follow similar steps to enable all the settings listed in Appendix A.

Advanced Audit Logging for better visibility – using Local Security Policy

(To be used only if configuring a Domain GPO is not an option)
A Windows system's audit policy determines which type of information about the system you'll find in the Security log. Windows uses nine audit policy categories and 50 audit policy subcategories to give you more-granular control over which information is logged.
Ø Open the Start Menu and type: gpedit.msc
Ø OR use the keyboard shortcut Windows Key + R and type: gpedit.msc in the Run line and hit Enter.
Ø To view a system’s audit policy settings, you can open the MMC Local Security Policy console on the system and drill down to gpedit Group Policy Editor, navigate to Windows Settings >> Security Settings >> Local Policy >> Audit Policy as shown below.
Ø From there, check the boxes to audit successful or failed audit attempts and click OK.
Alternatively, you may also use Auditpol (Command line utility) to determine which subcategories are being audited. If you are performing a baseline of a system, Auditpol gives you the ability to see what is really happening. Take a look at an example of what you will see when you use the auditpol /get /category:* command.
Below are the list of commands that should be run in order to enable the Audit policies using auditpol utility.
:: CAPTURE THE SETTINGS - BEFORE they have been modified
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /get /category:* > AuditPol_BEFORE_%computername%.txt
::
:: To Track Account Logon Activities
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
Auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable
Auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
Auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
::
:: To Track Account Management
:: ------------------------------------------------------------------------------------------------------------------------------
:: Sets - the entire category - Auditpol /set /category:"Account Management" /success:enable /failure:enable
::
Auditpol /set /subcategory:"Application Group Management" /success:disable /failure:disable
Auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
Auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
Auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
::
:: Detailed Tracking
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
Auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
Auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
Auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
::
:: To Track Directory Service Access
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
Auditpol /set /subcategory:"Directory Service Access" /success:disable /failure:disable
Auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
Auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
::
:: To Track Logon/Logoff Activities
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Account Lockout" /success:enable /failure:disable
Auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
Auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
Auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
Auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
Auditpol /set /subcategory:"Logon" /success:enable /failure:enable
Auditpol /set /subcategory:"Network Policy Server" /success:disable /failure:disable
Auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
Auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable
::
:: To Track Object Access
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
Auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
Auditpol /set /subcategory:"Detailed File Share" /success:enable
:: Note: Will generate a lot of events if Files and Reg keys are audited so only audit locations that are not noisy
Auditpol /set /subcategory:"File Share" /success:enable /failure:enable
Auditpol /set /subcategory:"File System" /success:enable /failure:enable
Auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
::
:: To Track Policy Changes
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
Auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:disable
Auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
::
:: Note: Enable if you use Windows Firewall to monitor changes
::
Auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
Auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
Auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:disable
:: To Track Privilege Use
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
Auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
Auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
:: To Track SYSTEM events
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
Auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
Auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
Auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
Auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
:: CAPTURE THE SETTINGS - AFTER they have been modified
:: ------------------------------------------------------------------------------------------------------------------------------
Auditpol /get /category:* > AuditPol_AFTER_%computername%.txt