As with all security settings, the best practice is to use Group Policy to centrally manage your audit policy. Using local settings can be risky: A group policy could override the local policy settings. Microsoft warns you of this behavior on each policy’s Local Security Setting tab shown below.

To configure audit settings on all domain clients:

· Go to Start Menu → Administrative Tools → Group Policy Management.

· In the left pane, navigate to Forest → Domains → Domain Name. Expand it.

· You can select either ‘Default Domain Policy’ or create a new Group Policy Object.

· Right-click on ‘Default Domain Policy’ or other Group Policy Object.

· Click ‘Edit’ in the context menu. It shows ‘Group Policy Management Editor’.

· Go to Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies.

· Check Configure the following audit events -> Success -> OK.

Continue to follow similar steps to enable all the settings listed in Appendix A.

Advanced Audit Logging for better visibility – using Local Security Policy

(To be used only if configuring a Domain GPO is not an option)

A Windows system's audit policy determines which type of information about the system you'll find in the Security log. Windows uses nine audit policy categories and 50 audit policy subcategories to give you more-granular control over which information is logged.

Ø Open the Start Menu and type: gpedit.msc

Ø OR use the keyboard shortcut Windows Key + R and type: gpedit.msc in the Run line and hit Enter.

Ø To view a system’s audit policy settings, you can open the MMC Local Security Policy console on the system and drill down to gpedit Group Policy Editor, navigate to Windows Settings >> Security Settings >> Local Policy >> Audit Policy as shown below.

Ø From there, check the boxes to audit successful or failed audit attempts and click OK.

Alternatively, you may also use Auditpol (Command line utility) to determine which subcategories are being audited. If you are performing a baseline of a system, Auditpol gives you the ability to see what is really happening. Take a look at an example of what you will see when you use the auditpol /get /category:* command.

Below are the list of commands that should be run in order to enable the Audit policies using auditpol utility.