What is Advanced audit policy Configuration?

There are two ways to define an audit policy:

  • Basic security audit policy (also referred to as the local Windows security settings) lets you enable auditing on a per-category basis, with nine categories. Basic policies are found under Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
  • Advanced security audit policy covers the same nine categories but splits each into subcategories (over 50 in total), so you can enable auditing granularly within each category. In a GPO these settings are found under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies (in the Local Security Policy the node is called System Audit Policies). The two sets are not independent: the advanced subcategory settings take precedence over the basic category settings rather than merging with them.

Microsoft advises against configuring both the basic audit policy settings and the advanced settings for the same category. When advanced audit policy is applied, it overrides the basic settings (the security option Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings controls this and is enabled by default on supported versions; the procedure later on this page verifies it explicitly), so a mixed configuration produces what Microsoft calls “unexpected results in audit reporting”.

You can view the Security log with the Event Viewer.

Before changing any settings, you should:

  • Determine which types of events you want to audit from the list below, and specify the settings for each one. The settings you specify constitute your audit policy. Note that some event types are audited by default.
  • Decide how you will collect, store and analyze the data. There is little value in amassing large volumes of audit data if there is no underlying plan to manage and use it.
  • Specify the maximum size and other attributes of the Security log using the Event Logging policy settings. An important consideration is the amount of storage space that you can allocate to storing the data collected by auditing. Depending on the setting you choose, audit data can quickly fill up available disk space.
  • Remember that audit settings can affect computer performance. Therefore, you should perform performance tests before you deploy new audit settings in your production environment.
  • If you want to audit directory service access or object access, configure the Audit directory service access and Audit object access policy settings.
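Before touching any of these settings it helps to record what the host is doing now. The following PowerShell is an added example (not part of the original page) that snapshots the effective audit policy, the subcategory-override flag and the Security log's size and retention window. It assumes an elevated prompt on Windows Server 2008 R2 or later and uses only auditpol.exe, the Lsa registry key and Get-WinEvent; it changes nothing.

```powershell
# Added example: pre-change snapshot of a host's audit configuration.
# Run from an elevated PowerShell prompt; nothing here modifies any setting.

# 1. Effective audit policy as LSA enforces it, whichever of the basic or
#    advanced settings (local or GPO-delivered) produced it.
auditpol /get /category:*

# 2. Do the advanced (subcategory) settings override the basic (category) ones?
#    The security option "Audit: Force audit policy subcategory settings
#    (Windows Vista or later) to override audit policy category settings" is
#    stored as SCENoApplyLegacyAuditPolicy under the Lsa key.
$lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = $lsa.SCENoApplyLegacyAuditPolicy
switch ($override) {
    1       { 'Subcategory settings override category settings (expected).' }
    default { "SCENoApplyLegacyAuditPolicy is '$override': basic and advanced settings may conflict." }
}

# 3. Security log capacity and how much history it currently holds. If the
#    retention window is short today, raising audit volume will shrink it further.
$log    = Get-WinEvent -ListLog Security
$oldest = (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated
$newest = (Get-WinEvent -LogName Security -MaxEvents 1).TimeCreated
$hours  = [math]::Max(($newest - $oldest).TotalHours, 1)
[pscustomobject]@{
    MaximumSizeMB   = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode         = $log.LogMode            # Circular = oldest events overwritten when full
    RecordCount     = $log.RecordCount
    RetentionWindow = $newest - $oldest       # span of history the log currently covers
    RecordsPerHour  = [math]::Round($log.RecordCount / $hours)
}
```

The RecordsPerHour figure, multiplied by the retention you need (say 30 days) and by a rough per-event size, gives a starting point for the maximum log size to set through the Event Logging policy settings (or locally with wevtutil sl Security /ms:<bytes>). Repeat the snapshot after the new policy has been in place for a day and compare the two rates.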

Types of events you can audit

Here are the basic security audit policy categories:

  • Audit account logon events. These events are recorded on the computer that validates the credentials, so for domain accounts they appear on the domain controller. Auditing them, both successful and failed, is the only way to see every authentication attempt against a domain and is vital for detecting intrusion attempts. This category covers credential validation only; logoffs are not part of it.
  • Audit account management. Carefully monitoring all user account changes helps minimize the risk of business disruption and system unavailability.
  • Audit directory service access. Monitor this only when you need to see when someone accesses an AD object that has its own system access control list (SACL), for example an OU; without a SACL no events are generated.
  • Audit logon events. These events are recorded on the computer where the session is created, for interactive as well as network logons. Seeing successful and failed attempts to log on or off a computer is useful for intruder detection and post-incident forensics.
  • Audit object access. Enable this only when you need to see when someone accessed, copied, modified or deleted files on file servers. Like directory service access, it only produces events for objects that carry a SACL.
  • Audit policy change. Improper changes to audit policy, user rights assignment or trust settings can greatly damage the security of your environment. Monitor all such changes to reduce the risk of data exposure.
  • Audit privilege use. Turn this policy on when you want to track each instance of user privileges being used. It is recommended to set this up granularly through the Sensitive Privilege Use subcategory of the advanced audit policies rather than the whole category.
  • Audit process tracking. Auditing process-related events, such as process creation, process termination, handle duplication and indirect object access, can be useful for incident investigations.
  • Audit system events. Configuring the system audit policy to log startups, shutdowns and restarts of the computer, and attempts by a process or program to do something that it does not have permission to do, is valuable because all such events are very significant. For example, if malicious software tries to change a setting on your computer without your permission, system event auditing would record that action.

The following advanced security audit policy settings are recommended:

Account Logon

  • Audit Credential Validation: Success and Failure

Account Management

  • Audit Computer Account Management: Success and Failure
  • Audit Other Account Management Events: Success and Failure
  • Audit Security Group Management: Success and Failure
  • Audit User Account Management: Success and Failure

DS Access (Directory Service Access)

  • Audit Directory Service Access: Success and Failure (on domain controllers)
  • Audit Directory Service Changes: Success and Failure (on domain controllers)

Logon/Logoff

  • Audit Account Lockout: Success
  • Audit Logoff: Success
  • Audit Logon: Success and Failure
  • Audit Special Logon: Success and Failure

Object Access 

  • Enable these settings only if you have a specific use for the data that will be logged, because they can cause a large volume of entries to be generated in your Security logs.

Policy Change

  • Audit Audit Policy Change: Success and Failure
  • Audit Authentication Policy Change: Success and Failure

Privilege Use

  • Enable these settings only if you have a specific use for the data that will be logged, because they can cause a large volume of entries to be generated in your Security logs.

Process Tracking

  • Audit Process Creation: Success
  • Enable the other settings in this category only if you have a specific use for the information that will be logged, because they can cause a large volume of entries to be generated in your Security logs.

System

  • Audit Security State Change: Success and Failure
  • Audit Other System Events: Success and Failure
  • Audit System Integrity: Success and Failure

Windows audit policy defines what types of events are written to the Security logs of your Windows servers. Establishing an effective audit policy helps you spot potential security problems, ensure user accountability and provide evidence in the event of a security breach. 

The recommended audit policy settings provided here are intended as a baseline for system administrators starting to define AD audit policies. You should be sure to consider the cybersecurity risks and compliance requirements of your organization. In addition, test and refine your policies before implementing them in your production environment.

To capture security and operational events on Windows servers, you must configure audit policies for each domain to generate events in the Windows Event Log. In Windows Server 2008 R2 and newer, the default auditing policies combined with the Arctic Wolf® recommended settings generate events that give your Concierge Security® Team (CST) visibility into your Windows environment.

This document describes how to configure a Group Policy Object (GPO) with a default set of Advanced Audit Policy Configuration settings and Arctic Wolf-recommended settings to ensure that your Windows host produces the expected set of audit events.

The Arctic Wolf GPO Advanced Audit Policy applies advanced security audit policy settings to all computers in your domain.

To configure your Arctic Wolf GPO Advanced Audit Policy:

  1. Click Start > Group Policy Management.

  2. In the navigation pane, expand Forest: <DomainName>, where <DomainName> is the name of your domain, and then expand the Domains folder.

  3. If you already have an Arctic Wolf GPO Advanced Audit Policy, complete the following steps; otherwise, proceed to the next step:

  4. If you do not have an existing Arctic Wolf GPO Advanced Audit Policy, complete the following:

    1. Right-click the domain name and select Create a GPO in this domain, and Link it here.

      The New GPO dialog box appears.

    2. In the Name field, enter AWN Audit Policy.

    3. From the Source Starter GPO list, select (none).

    4. Click OK.

    5. Right-click the new GPO and select Edit.

    6. Proceed to Configure Advanced Audit Policy Settings.

Configure Advanced Audit Policy Settings

  1. Verify that the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting is Enabled.

    To enable this setting:

    1. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
    2. Locate and then right-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then select Properties.
    3. Click the Security Policy Setting tab.
    4. Select the Define this policy setting checkbox, and then select Enabled.
    5. Click OK.
  2. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    Tip: Resize the window and tree view to completely view the policy tree.

  3. Edit the audit policy settings:

    1. Under Audit Policies, select the category. For example, Account Logon.
    2. Double-click the corresponding subcategory. For example, Audit Credential Validation.
    3. Edit the policy setting as indicated in the table.
    4. Verify that each setting has these checkboxes selected:
      • Configure the following audit events
      • Success or Failure according to the Audit Events listed in the table.

    This table lists the policy setting checkboxes to select. It is broader than the generic baseline given earlier on this page (for example, it enables all four Account Logon subcategories and the Detailed Tracking subcategories); for hosts monitored by Arctic Wolf, these values apply.

    Category            Subcategory                                 Audit event settings
    ------------------  ------------------------------------------  --------------------
    Account Logon       Audit Credential Validation                 Success and Failure
    Account Logon       Audit Kerberos Authentication Service       Success and Failure
    Account Logon       Audit Kerberos Service Ticket Operations    Success and Failure
    Account Logon       Audit Other Account Logon Events            Success and Failure
    Account Management  Audit Computer Account Management           Success and Failure
    Account Management  Audit Other Account Management Events       Success and Failure
    Account Management  Audit Security Group Management             Success and Failure
    Account Management  Audit User Account Management               Success and Failure
    Detailed Tracking   Audit DPAPI Activity                        Success
    Detailed Tracking   Audit Process Creation                      Success
    Detailed Tracking   Audit Process Termination                   Success
    Detailed Tracking   Audit Token Right Adjusted                  Success
    DS Access           Audit Directory Service Access              Success
    DS Access           Audit Directory Service Changes             Success
    Logon/Logoff        Audit Account Lockout                       Success and Failure
    Logon/Logoff        Audit Logoff                                Success and Failure
    Logon/Logoff        Audit Logon                                 Success and Failure
    Logon/Logoff        Audit Network Policy Server                 Success and Failure
    Logon/Logoff        Audit Other Logon/Logoff Events             Success and Failure
    Logon/Logoff        Audit Special Logon                         Success and Failure
    Policy Change       Audit Audit Policy Change                   Success and Failure
    Policy Change       Audit Authentication Policy Change          Success and Failure
    Policy Change       Audit Authorization Policy Change           Success and Failure
    Policy Change       Audit MPSSVC Rule-Level Policy Change       Success
    Privilege Use       Audit Sensitive Privilege Use               Success and Failure
    System              Audit IPsec Driver                          Success
    System              Audit Other System Events                   Success and Failure
    System              Audit Security State Change                 Success and Failure
    System              Audit Security System Extension             Success and Failure
    System              Audit System Integrity                      Success and Failure

  4. In the same Group Policy, enable these command-line policies:

    • Navigate to Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation, and then set Include command line in process creation events to Enabled.

    • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, and then set Turn on PowerShell Script Block Logging to Enabled.
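To confirm the two policies produce what analysts expect, the following added example (not part of the Arctic Wolf document) reads the resulting events back: 4688 from the Security log with its CommandLine field, and 4104 from Microsoft-Windows-PowerShell/Operational with the script text. It assumes an elevated prompt on a host where the GPO has applied and where some processes and PowerShell have run since; the regex of suspicious command-line fragments is an illustrative choice of mine, not a vendor list.

```powershell
# Added example: read back the events produced by "Include command line in
# process creation events" (4688) and "Turn on PowerShell Script Block Logging" (4104).
# Run elevated; reading the Security log requires Administrator.

function Get-EventDataField {
    # Pull a named <Data> field from the event XML. This is more robust than
    # Properties[<index>], whose positions differ between Windows versions.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Constructed, illustrative patterns for a first look at the command lines.
$suspicious = '(?i)-e(nc(odedcommand)?)?\s|downloadstring|frombase64string|\biex\b|invoke-expression'

$procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = Get-EventDataField $_ 'SubjectUserName'
            Parent      = Get-EventDataField $_ 'ParentProcessName'   # Windows 10 / Server 2016 and later
            Process     = Get-EventDataField $_ 'NewProcessName'
            CommandLine = Get-EventDataField $_ 'CommandLine'
        }
    }

if (-not $procs) {
    Write-Warning 'No 4688 events: Process Creation auditing is not in effect on this host.'
} elseif (-not ($procs | Where-Object { $_.CommandLine })) {
    Write-Warning 'CommandLine is empty: the "Include command line" policy has not applied yet.'
} else {
    "4688 events with a command line matching the watch list:"
    $procs | Where-Object { $_.CommandLine -match $suspicious } | Format-Table -AutoSize -Wrap
}

# 4104 carries the script text as PowerShell compiled it, so an -EncodedCommand
# payload appears here decoded even though 4688 only shows the base64 blob.
"4104 script blocks matching the watch list:"
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Path   = Get-EventDataField $_ 'Path'
            Script = (Get-EventDataField $_ 'ScriptBlockText') -replace '\s+', ' '
        }
    } | Where-Object { $_.Script -match $suspicious } | Format-Table -AutoSize -Wrap
```

The two warnings distinguish the failure modes you will actually meet: no 4688 at all means the Process Creation subcategory is not in effect, while 4688 with a blank CommandLine means the subcategory is on but the Administrative Template policy has not reached the host yet.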
  5. Close the Group Policy Management Editor window after completing all audit and command-line policy changes.

  6. In the navigation pane, select AWN Audit Policy.

  7. Click the Settings tab.

  8. Compare the policy configuration settings to the audit policy settings you edited earlier in this procedure.

    Note: Even if the settings here are correct, they may not have been applied yet.

  9. Verify that the AD audit settings were applied by running auditpol.exe /get /category:* on every domain controller in your environment. Review the results of the command against the settings from above. If the results are incorrect or return No Auditing:

    1. Run gpupdate /force, followed by auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
    2. Navigate back to Audit Policies and complete the following steps for those that did not update:

      Note: You do not need to follow this procedure for every policy. You only need to do this for one policy.

      1. Deselect the applicable checkboxes, and then click Apply.
      2. Reselect the appropriate checkboxes, and then click Apply.
      3. Run gpupdate /force.
      4. Run auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
    3. Run gpresult /h auditsettings.html and send the HTML file that is created to Arctic Wolf for further investigation.
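Step 9 checks the auditpol output by eye on every domain controller. The script below is an added example (not part of the Arctic Wolf document) that automates that comparison: it parses auditpol's CSV output against the table from step 3 and also checks the two registry values behind the command-line policies from step 4. It assumes an elevated prompt and English subcategory names (auditpol reports localised names on non-English systems); the expected-values table is transcribed from this page.

```powershell
# Added example: verify this host's effective audit policy against the table
# above and confirm the two command-line logging policies applied.
# Run elevated on each domain controller (and any member server of interest).

$expected = [ordered]@{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Other Account Logon Events'         = 'Success and Failure'
    'Computer Account Management'        = 'Success and Failure'
    'Other Account Management Events'    = 'Success and Failure'
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'DPAPI Activity'                     = 'Success'
    'Process Creation'                   = 'Success'
    'Process Termination'                = 'Success'
    'Token Right Adjusted Events'        = 'Success'   # auditpol's name for "Audit Token Right Adjusted"
    'Directory Service Access'           = 'Success'
    'Directory Service Changes'          = 'Success'
    'Account Lockout'                    = 'Success and Failure'
    'Logoff'                             = 'Success and Failure'
    'Logon'                              = 'Success and Failure'
    'Network Policy Server'              = 'Success and Failure'
    'Other Logon/Logoff Events'          = 'Success and Failure'
    'Special Logon'                      = 'Success and Failure'
    'Audit Policy Change'                = 'Success and Failure'
    'Authentication Policy Change'       = 'Success and Failure'
    'Authorization Policy Change'        = 'Success and Failure'
    'MPSSVC Rule-Level Policy Change'    = 'Success'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'IPsec Driver'                       = 'Success'
    'Other System Events'                = 'Success and Failure'
    'Security State Change'              = 'Success and Failure'
    'Security System Extension'          = 'Success and Failure'
    'System Integrity'                   = 'Success and Failure'
}

# Parse auditpol's CSV output (/r) instead of scraping its padded text report.
$actual = @{}
auditpol /get /category:* /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv |
    ForEach-Object { $actual[$_.Subcategory.Trim()] = $_.'Inclusion Setting'.Trim() }

$drift = foreach ($name in $expected.Keys) {
    $have = if ($actual.ContainsKey($name)) { $actual[$name] } else { '<not reported>' }
    if ($have -ne $expected[$name]) {
        [pscustomobject]@{ Setting = $name; Expected = $expected[$name]; Actual = $have }
    }
}

# Registry values written by the two Administrative Template policies.
$regChecks = @(
    @{ Label = 'Include command line in process creation events'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name  = 'ProcessCreationIncludeCmdLine_Enabled' },
    @{ Label = 'Turn on PowerShell Script Block Logging'
       Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name  = 'EnableScriptBlockLogging' }
)
$regDrift = foreach ($c in $regChecks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($v -ne 1) {
        $shown = if ($null -eq $v) { '<not set>' } else { $v }
        [pscustomobject]@{ Setting = $c.Label; Expected = 1; Actual = $shown }
    }
}

$all = @(@($drift; $regDrift) | Where-Object { $null -ne $_ })
if ($all.Count -eq 0) {
    "$env:COMPUTERNAME: all $($expected.Count) subcategories and both logging policies match."
} else {
    Write-Warning "$env:COMPUTERNAME: $($all.Count) setting(s) differ. Run gpupdate /force and re-check; if they persist, follow the steps above."
    $all | Format-Table -AutoSize
}
```

Run it through Invoke-Command against all domain controllers to get one consolidated drift report rather than logging on to each; an Actual of "No Auditing" on every row usually means the GPO has not applied at all, while a handful of mismatches point at a conflicting GPO with higher precedence, which the enforcement steps that follow address.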
  1. Right-click your Arctic Wolf GPO Audit Policy, and select Enforced if it is not already selected.

  2. Verify that a lock overlay appears in the policy icon.

    This confirms that the Audit Policy is enforced on the domain.

The Arctic Wolf GPO requires precedence over other GPOs.

  1. In the navigation pane, click Forest: <DomainName>, where <DomainName> is the name of your domain.
  2. Click the Group Policy Inheritance tab.
  3. In the GPO column, locate your GPO, and then click and drag it to the top of the list.
  4. In the Precedence column, verify that your GPO is 1 (Enforced).
  5. Close the Group Policy Management window.
  1. Click Start > Windows PowerShell or Command Prompt.

  2. Run the following command:

    Note: If you are prompted to sign off or restart after the user and computer policy updates complete, press N and then press Enter.

  3. Close Windows PowerShell or the Command Prompt. The audit settings are now successfully applied with Group Policy.

After updating audit settings, review log settings to ensure that they align with your company best practices. Microsoft recommends specific settings for:

  • Newer versions of Windows
  • Older versions of Windows