There are two methods of setting up your audit policy:
Microsoft advises organizations not to use the basic audit policy settings and the advanced settings simultaneously for the same category: when an advanced audit policy is configured, it always overrides the basic audit policies, which can cause “unexpected results in audit reporting”. You can view the Security log with the Event Viewer. Before changing any settings, you should:
Types of events you can audit
Here are the basic security audit policy categories:
Recommended Windows Auditing Settings
The following advanced security audit policy settings are recommended:
Account Logon
Account Management
DS Access (Directory Service Access)
Logon/Logoff
Object Access
Policy Change
Privilege Use
Process Tracking
System
Windows audit policy defines what types of events are written to the Security logs of your Windows servers. Establishing an effective audit policy helps you spot potential security problems, ensure user accountability and provide evidence in the event of a security breach. The recommended audit policy settings provided here are intended as a baseline for system administrators starting to define AD audit policies. You should be sure to consider the cybersecurity risks and compliance requirements of your organization. In addition, test and refine your policies before implementing them in your production environment.
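One way to test a policy after it applies, shown as an added example (not code from the original page or from any vendor it mentions): compare the effective subcategory settings reported by `auditpol /get /category:* /r` against a baseline. The CSV sample, host name, GUID placeholders and baseline values are constructed, and English-language auditpol output is assumed.

```powershell
# Constructed sample in the CSV layout assumed for `auditpol /get /category:* /r`.
# On a live host, use instead:  $csv = auditpol /get /category:* /r
$csv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Logon,{placeholder-guid},Success and Failure,
HOST01,System,Process Creation,{placeholder-guid},No Auditing,
HOST01,System,User Account Management,{placeholder-guid},Success,
'@

# Hypothetical baseline for illustration only; substitute the settings you adopt.
$baseline = @{
    'Logon'                   = 'Success'
    'Process Creation'        = 'Success'
    'User Account Management' = 'Success and Failure'
    'Audit Policy Change'     = 'Success'
}

# Map auditpol's setting text to bit flags so "Success and Failure" satisfies "Success".
$flags = @{ 'No Auditing' = 0; 'Success' = 1; 'Failure' = 2; 'Success and Failure' = 3 }

function Compare-AuditPolicy {
    param([object[]]$Rows, [hashtable]$Baseline, [hashtable]$Flags)
    $effective = @{}
    foreach ($r in $Rows) { $effective[$r.Subcategory.Trim()] = $r.'Inclusion Setting'.Trim() }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        $want = $Flags[$Baseline[$name]]
        if ($effective.ContainsKey($name) -and $Flags.ContainsKey($effective[$name])) {
            $actual = $effective[$name]
            $ok = ($Flags[$actual] -band $want) -eq $want
        } else {
            $actual = 'Not reported'   # subcategory missing or text not recognised
            $ok = $false
        }
        [pscustomobject]@{ Subcategory = $name; Expected = $Baseline[$name]; Actual = $actual; Compliant = $ok }
    }
}

# Drop blank lines before parsing, then report each baseline entry.
$rows = ($csv -split "`r?`n") | Where-Object { $_.Trim() } | ConvertFrom-Csv
Compare-AuditPolicy -Rows $rows -Baseline $baseline -Flags $flags | Format-Table -AutoSize
```

Reading live auditpol output requires an elevated prompt; the embedded sample runs without one.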
Overview of Arctic Wolf GPO Advanced Audit Policy Configuration
To capture security and operational events on Windows servers, you must configure audit policies for each domain to generate events in the Windows Event Log. In Windows Server 2008 R2 and newer, the default auditing policies combined with the Arctic Wolf® recommended settings generate events that give your Concierge Security® Team (CST) visibility into your Windows environment. This document describes how to configure a Group Policy Object (GPO) with a default set of Advanced Audit Policy Configuration settings and Arctic Wolf-recommended settings to ensure that your Windows host produces the expected set of audit events.
Configure your Arctic Wolf GPO Advanced Audit Policy
The Arctic Wolf GPO Advanced Audit Policy applies advanced security audit policy settings to all computers in your domain. To configure your Arctic Wolf GPO Advanced Audit Policy:
Open or create an Arctic Wolf GPO Advanced Audit Policy
Configure Advanced Audit Policy settings
Enforce the Arctic Wolf GPO Advanced Audit Policy
Set the precedence of an Advanced Audit Policy
The Arctic Wolf GPO requires precedence over other GPOs.
Update the domain controller Group Policy
Review your log settings
After updating audit settings, review log settings to ensure that they align with your company best practices. Microsoft recommends specific settings for: