​Auditing with Advanced Audit Policy Configuration

Within the confines of the Windows Server environment lies the Group Policy settings, which are the security configuration powerhouses controlling every security event. The​ legacy audit settings and advanced audit settings—subsets of the Group Policy settings—are the lifelines that help administer many events and their permissions. These security settings must be configured with the utmost caution and monitored at all times to ensure the Windows Server fort is strong against malicious intruder and insider attacks. When an attack happens, an alert containing the event history is emailed to the configured email addresses instantly.

Read on to learn why we recommend the Advanced Audit Policy Configuration settings to ensure the best Windows security auditing.

[caption id="attachment_40234" align="aligncenter" width="751"]Advanced Audit Policy Configuration Figure 1: Advanced Audit Policy Configuration settings[/caption]

The legacy audit settings and the advanced audit settings are different in their depth of audit event filtering and yet similar in their coverage of events. Legacy audit has nine settings under Windows Settings > Security Settings > Local Policies > Audit Policy, whereas the advanced audit policy has 53 settings under Windows Settings > Security Settings > Advanced Audit Policy Configuration.

Legacy audit policy settingsAdvanced audit policy settings
​Audit account logon events
Account Logon
Audit Credential Validation Audit Kerberos Authentication Service Audit Kerberos Service Ticket Operations Audit Other Account Logon Events
Audit account management
Account Management
Audit Application Group Management Audit Computer Account Management Audit Distribution Group Management Audit Other Account Management Events Audit Security Group Management Audit User Account Management
Audit directory service access
DS Access
Audit Detailed Directory Service Replication Audit Directory Service Access Audit Directory Service Changes Audit Directory Service Replication
Audit logon events
Logon/Logoff
Audit Account Lockout Audit IPsec Extended Mode Audit IPsec Main Mode Audit IPsec Quick Mode Audit Logoff Audit Logon Audit Network Policy Server Audit Other Logon/Logoff Events Audit Special Logon
Audit object access
Object Access
Audit Application Generated Audit Certification Services Audit Detailed File Share Audit File Share Audit File System Audit Filtering Platform Connection Audit Filtering Platform Packet Drop Audit Handle Manipulation Audit Kernel Object Audit Other Object Access Events Audit Registry Audit SAM
Audit policy change
Policy Change
Audit Audit Policy Change Audit Authentication Policy Change Audit Authorization Policy Change Audit Filtering Platform Policy Change Audit MPSSVC Rule-Level Policy Change Audit Other Policy Change Events
Audit privilege use
Privilege Use
Audit Non Sensitive Privilege Use Audit Other Privilege Use Events Audit Sensitive Privilege Use
Audit process tracking
Detailed Tracking
Audit DPAPI Activity Audit Process Creation Audit Process Termination Audit RPC Events
Audit system events
System
Audit IPsec Driver Audit Other System Events Audit Security State Change Audit Security System Extension Audit System Integrity
Benefits of the advanced audit settings

​You might ask if 53 settings are better than nine settings. In most cases, the answer is yes!

In the advanced audit settings, for instance, the account management setting would provide six audit options, whereas the legacy audit settings provides one. With the Advanced Audit Policy Configuration, administrators can be even more selective in what type of events to audit.

Event log filtering: 6 settings vs. 1 setting

[caption id="attachment_40237" align="aligncenter" width="784"]Advanced Audit Policy: Account Management Settings Figure 2: Advanced audit policy: Account Management settings[/caption]

Let's say you are interested in auditing Account Management. In the advanced audit settings, you would configure the individual audit settings within Account Management and choose which events you want to audit and which events you want to ignore. You can configure success for one event, failure for another, success and failure for yet another, and no auditing at all for a fourth audit setting. This ability to isolate events and record is not possible in the legacy audit settings, where by default all the above events are recorded.​ In turn, you would be performing a lot of unwanted event monitoring and filling precious disk space with many needless event logs.

[caption id="attachment_40241" align="aligncenter" width="788"]Audit Policy Configuration Figure 3: Legacy audit policy: Account Management settings[/caption]

Enable subcategory override

While the legacy audit settings can be applied to all Windows versions, the advanced audit settings can be applied only to Windows Vista and above, and Windows 2008 and above.

Implementing both the legacy and advanced audit policy settings will cause unexpected outcomes due to conflicts between similar settings in the two groups of policy settings. The below setting will ensure the legacy audit settings are ignored. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options. Then enable the override policy, i.e., Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.

View the documentation below to learn about the required advanced audit policy configurations for a secure Windows Server environment audit setting. ​For more information, visit our how-to videos and documentation.About ManageEngine ADAudit PlusADAudit Plus is web-based Windows Active Directory and Windows Server change reporting software. It audits, tracks, and reports on Active Directory, workstation logons and logoffs, file servers, and other types of servers to help meet the most-needed security, audit, and compliance demands. Track authorized or unauthorized access of users, GPOs, groups, and computers, as well as OU changes, with over 150 detailed, event-specific reports and instant email alerts, and export the results to XLS, HTML, PDF, and CSV formats to assist in interpretation and computer forensics.