Auditing with Advanced Audit Policy Configuration

Within a Windows Server environment, the group policy settings are the security configuration controls that govern which security events get recorded. The legacy audit settings and the advanced audit settings, both subsets of the group policy settings, determine which events are audited and under what permissions. These security settings must be configured with the utmost caution and monitored at all times to keep the Windows Server environment strong against malicious intruder and insider attacks. When an attack happens, an instant alert with the event history is emailed to the configured mail IDs.

Read on to learn why we recommend the advanced audit policy settings to ensure the best of Windows security auditing.

Advanced Audit Policy Configuration

Image: Advanced Audit Policy Settings

The legacy audit settings and the advanced audit settings differ in how finely they filter audit events, yet they cover the same events. Legacy audit has nine settings under Windows Settings > Security Settings > Local Policies > Audit Policy, whereas the advanced audit policy has 53 settings under Windows Settings > Security Settings > Advanced Audit Policy Configuration.

Legacy Audit Policy Setting -> Advanced Audit Policy Setting (category, followed by its subcategories)

Audit account logon events -> Account Logon
    Audit Credential Validation
    Audit Kerberos Authentication Service
    Audit Kerberos Service Ticket Operations
    Audit Other Account Logon Events

Audit account management -> Account Management
    Audit Application Group Management
    Audit Computer Account Management
    Audit Distribution Group Management
    Audit Other Account Management Events
    Audit Security Group Management
    Audit User Account Management

Audit directory service access -> DS Access
    Audit Detailed Directory Service Replication
    Audit Directory Service Access
    Audit Directory Service Changes
    Audit Directory Service Replication

Audit logon events -> Logon/Logoff
    Audit Account Lockout
    Audit IPsec Extended Mode
    Audit IPsec Main Mode
    Audit IPsec Quick Mode
    Audit Logoff
    Audit Logon
    Audit Network Policy Server
    Audit Other Logon/Logoff Events
    Audit Special Logon

Audit object access -> Object Access
    Audit Application Generated
    Audit Certification Services
    Audit Detailed File Share
    Audit File Share
    Audit File System
    Audit Filtering Platform Connection
    Audit Filtering Platform Packet Drop
    Audit Handle Manipulation
    Audit Kernel Object
    Audit Other Object Access Events
    Audit Registry
    Audit SAM

Audit policy change -> Policy Change
    Audit Audit Policy Change
    Audit Authentication Policy Change
    Audit Authorization Policy Change
    Audit Filtering Platform Policy Change
    Audit MPSSVC Rule-Level Policy Change
    Audit Other Policy Change Events

Audit privilege use -> Privilege Use
    Audit Non Sensitive Privilege Use
    Audit Other Privilege Use Events
    Audit Sensitive Privilege Use

Audit process tracking -> Detailed Tracking
    Audit DPAPI Activity
    Audit Process Creation
    Audit Process Termination
    Audit RPC Events

Audit system events -> System
    Audit IPsec Driver
    Audit Other System Events
    Audit Security State Change
    Audit Security System Extension
    Audit System Integrity

Benefits of Advanced Audit Settings

You might ask if 53 settings are better than nine settings. In most cases, the answer is yes!

In the advanced audit settings, for instance, the Account Management category provides six audit options, whereas the legacy audit settings provide one. With advanced audit policy, administrators can be far more selective about which types of events to audit.

Event Log Filtering: 6 Settings vs. 1 Setting

Advanced Audit Policy: Account Management Settings

Image: Advanced Audit Policy: Account Management Settings

Let's say you are interested in auditing Account Management. In the advanced audit settings, you configure the individual subcategories within Account Management and choose which events you want to audit and which you want to ignore. You can configure success for one subcategory, failure for another, success and failure for a third, and no auditing at all for a fourth. This ability to isolate and record only the events you need is not possible with the legacy audit settings, where the single category setting records all of the above events. As a result, you end up monitoring a lot of unwanted events and filling precious disk space with needless event logs.
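The selective per-subcategory configuration described above, as an added PowerShell example that is not part of the original article or the ADAudit Plus product: it applies a chosen Success/Failure mix to the six Account Management subcategories with auditpol.exe and then reads the effective local policy back to confirm nothing drifted. The particular mix in `$desired` is an assumption chosen for illustration; the subcategory names are auditpol's own (without the leading "Audit "). auditpol changes local policy, so on a domain member the Advanced Audit Policy GPO remains authoritative and will reapply at the next refresh; use this on a standalone or lab host, or run only the verification half to see what a GPO actually produced.

```powershell
# Added example (not from the original article): selectively audit the six
# Account Management subcategories and verify the effective local policy.
# Requires an elevated session. The Success/Failure mix below is an assumption.
#Requires -RunAsAdministrator

$desired = @(
    @{ Subcategory = 'User Account Management';         Success = $true;  Failure = $true  }
    @{ Subcategory = 'Security Group Management';       Success = $true;  Failure = $true  }
    @{ Subcategory = 'Computer Account Management';     Success = $true;  Failure = $false }
    @{ Subcategory = 'Other Account Management Events'; Success = $false; Failure = $true  }
    @{ Subcategory = 'Distribution Group Management';   Success = $false; Failure = $false }
    @{ Subcategory = 'Application Group Management';    Success = $false; Failure = $false }
)

function Set-DesiredAuditSetting {
    param([hashtable]$Setting)
    $s = if ($Setting.Success) { 'enable' } else { 'disable' }
    $f = if ($Setting.Failure) { 'enable' } else { 'disable' }
    # Both switches in one call; disable/disable yields "No Auditing".
    & auditpol.exe /set /subcategory:"$($Setting.Subcategory)" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($Setting.Subcategory)'" }
}

function Get-EffectiveAuditSetting {
    # /r emits CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    & auditpol.exe /get /category:'Account Management' /r |
        Where-Object { $_ -match '\S' } |   # drop any blank lines auditpol prints
        ConvertFrom-Csv
}

function Convert-ToInclusionText {
    # Maps a Success/Failure pair to the wording auditpol uses in 'Inclusion Setting'.
    param([bool]$Success, [bool]$Failure)
    if ($Success -and $Failure) { 'Success and Failure' }
    elseif ($Success)           { 'Success' }
    elseif ($Failure)           { 'Failure' }
    else                        { 'No Auditing' }
}

foreach ($entry in $desired) { Set-DesiredAuditSetting -Setting $entry }

# Read back what LSA now enforces and flag any subcategory that does not match.
$effective = Get-EffectiveAuditSetting
foreach ($entry in $desired) {
    $row   = $effective | Where-Object { $_.Subcategory -eq $entry.Subcategory }
    $want  = Convert-ToInclusionText -Success $entry.Success -Failure $entry.Failure
    $state = if ($row.'Inclusion Setting' -eq $want) { 'OK' } else { 'DRIFT' }
    '{0,-6} {1,-34} wanted: {2,-19} effective: {3}' -f $state, $entry.Subcategory, $want, $row.'Inclusion Setting'
}
```

The read-back step is the part worth keeping in a scheduled job: a "DRIFT" line means the effective policy no longer matches what you intended, whether because a legacy category setting overrode it or because someone changed it locally.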

Audit Policy Configuration

Image: Legacy Audit Policy: Account Management Settings

Enable Subcategory Override

While the legacy audit settings can be applied to all Windows versions, the advanced audit settings can be applied only to Windows Vista and later, and Windows Server 2008 and later.

Applying both the legacy and the advanced audit policy settings will cause unexpected outcomes, because similar settings in the two groups conflict with each other. The setting below ensures the legacy audit settings are ignored.

Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Then enable the override policy, i.e., Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
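A way to check that the override policy above is actually in effect on a host, and to see which advanced subcategories are currently left at "No Auditing", as an added PowerShell example that is not part of the original article or the ADAudit Plus product. The Security Options policy named above is backed by the `SCENoApplyLegacyAuditPolicy` DWORD under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` (1 = subcategory settings override category settings); reading it needs no elevation. The `-Apply` switch writes that value locally and is an assumption for standalone or lab machines; on domain members set it through the GPO path in the text instead so it is not reverted at the next policy refresh.

```powershell
# Added example (not from the original article): report whether the
# "Audit: Force audit policy subcategory settings ... to override audit policy
# category settings" policy is enabled, and list unaudited subcategories.
# -Apply (assumed helper switch) enables the override locally; requires elevation.
param([switch]$Apply)

$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$name   = 'SCENoApplyLegacyAuditPolicy'

function Test-SubcategoryOverride {
    # $null when the value was never set, which LSA treats as "override off".
    $value = (Get-ItemProperty -Path $lsaKey -Name $name -ErrorAction SilentlyContinue).$name
    [bool]($value -eq 1)
}

function Enable-SubcategoryOverride {
    # Same registry write the Security Options policy performs when applied.
    Set-ItemProperty -Path $lsaKey -Name $name -Value 1 -Type DWord
}

function Get-UnauditedSubcategory {
    # auditpol /r emits CSV; 'Inclusion Setting' is the effective setting per subcategory.
    & auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
        Select-Object -ExpandProperty Subcategory
}

if (Test-SubcategoryOverride) {
    'Subcategory override is ENABLED: advanced (subcategory) settings take precedence over legacy categories.'
} else {
    'Subcategory override is DISABLED: legacy category settings can still conflict with advanced settings.'
    if ($Apply) {
        Enable-SubcategoryOverride
        'Override value written locally; configure the GPO for domain members.'
    }
}

$unaudited = @(Get-UnauditedSubcategory)
"{0} advanced subcategories currently have 'No Auditing':" -f $unaudited.Count
$unaudited | ForEach-Object { "  $_" }
```

Run it without `-Apply` first: if the override reports DISABLED while you have configured advanced subcategories through GPO, the conflict the article warns about is live on that host, and the subcategory list shows you which events are silently not being recorded.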

View the below documentation to learn about the required advanced audit policy configurations for a secure Windows Server environment audit setting.

For more information, visit our how-to videos and documentation.

About ManageEngine ADAudit Plus

ADAudit Plus is a web-based Windows Active Directory and server change reporting software that audits, tracks and reports on Windows Active Directory, workstation logon/logoff, file servers and servers to help meet the most-needed security, audit and compliance demands. Track authorized and unauthorized access by users, as well as GPO, group, computer and OU changes, with 150+ detailed event-specific reports and instant email alerts, and export the results to xls, html, pdf and csv formats to assist in interpretation and computer forensics.

You Can Learn More About the ManageEngine Product Line By Going to manageengine.optrics.com

The original article/video can be found at Auditing with Advanced Audit Policy Configuration
