Within the confines of the Windows Server environment lies the group policy settings, which are the security configuration powerhouses controlling every security event. The legacy audit settings and advanced audit settings — subsets of the group policy settings — are the lifelines that help administer many events and their permissions. These security settings must be configured with the utmost caution and monitored at all times to ensure the Windows Server fort is strong against malicious intruder and insider attacks. When an attack happen, an instant alert is emailed with event history to the configured mail IDs.
Read on to learn why we recommend the advanced audit policy settings to ensure the best of Windows security auditing.
Image: Advanced Audit Policy Settings
The legacy audit settings and the advanced audit settings are different in their depth of audit events filtering and yet similar in their coverage of events. Legacy audit has nine settings under Windows Settings Security Settings Local Policies Audit Policy, whereas the advanced audit policy has 53 settings under Windows Settings Security Settings Advanced Audit Policy Configuration.
|Legacy Audit Policy Settings||Advanced Audit Policy Settings|
|Audit account logon events||
Audit Credential Validation
|Audit account management||
Audit Application Group Management
|Audit directory service access||
Audit Detailed Directory Service Replication
|Audit logon events||
Audit Account Lockout
|Audit object access||
Audit Application Generated
|Audit policy change||
Audit Audit Policy Change
|Audit privilege use||
Audit Non Sensitive Privilege Use
|Audit process tracking||
Audit DPAPI Activity
|Audit system events||
Audit IPsec Driver
Benefits of Advanced Audit Settings
You might ask if 53 settings are better than nine settings. In most cases, the answer is yes!
In the advanced audit settings, for instance, the account management setting would provide six audit options, whereas the legacy audit settings provides one. With advanced audit policy, administrators can be even more selective in what type of events to audit.
Event Log Filtering: 6 Settings vs. 1 Setting
Image: Advanced Audit Policy: Account Management Settings
Let’s say you are interested in auditing Account Management. In advanced audit settings, you would configure the individual audit settings within Account Management and choose which events you want to audit and which events you want to ignore. You can configure success for one event, failure for another, success and failure for yet another, and no auditing at all for a fourth audit setting. This ability to isolate events and record is not possible in Legacy audit settings, where by default all the above events are recorded. In turn, you would be performing a lot of unwanted event monitoring and filling precious disk space with a lot of needless event logs.
Image: Legacy Audit Policy: Account Management Settings
Enable Subcategory Override
While the legacy audit settings can be applied to all Windows versions, the advanced audit settings can be applied only to Windows Vista and above, and Windows 2008 and above.
Implementing both the legacy and advanced audit policy settings will cause unexpected outcomes due to conflicts between similar settings in the two groups of policy settings. The below setting will ensure the legacy audit settings are ignored.
Navigate to Computer Configuration Policies Windows Settings Security Settings Local Policies Security Options. Then enable the override policy, i.e., Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
View the below documentation to learn about the required advanced audit policy configurations for a secure Windows Server environment audit setting.
About ManageEngine ADAudit Plus
ADAudit Plus is a web based Windows Active Directory & Servers Change Reporting Software that audits-tracks-reports on Windows [Active Directory, Workstations Logon / Logoff, File Servers & Servers] to help meet the most-needed security, audit and compliance demands. Track authorized / unauthorized access of users, GPO, Groups, Computer, OU changes with 150+ detailed event specific reports and instant email alerts and also, export the results to xls, html, pdf and csv formats to assist in interpretation and computer forensics!
The original article/video can be found at Auditing with Advanced Audit Policy Configuration