How do I configure advanced audit policy?
This node is new as of Windows 7 and Windows Server 2008 R2 and is found in Group Policy under "Advanced Audit Policy Configuration". Under it you will find "System Audit Policies – Local Group Policy Object" (the label in the Local Group Policy Editor; a domain GPO shows "Audit Policies"). From this point you can use Group Policy to configure the per-subcategory settings. If configured, these settings override the basic audit settings under Local Policies\Audit Policy.
Audit User Account Management subcategory
This subcategory can be set by Group Policy on Windows Server 2008 R2 or later. It records changes to user accounts, such as creation, deletion, enabling, disabling and password resets, both in Active Directory and on the local computer. Changes to security groups are recorded by the separate Audit Security Group Management subcategory in the same Account Management category.

With the ever-increasing need to meet industry or governmental compliance mandates, the ability to properly audit and report on what is happening in our environments is crucial. In Windows Vista, Microsoft divided the original nine auditing categories into subcategories and added events that could not previously be audited; by Windows 7 and Server 2008 R2 the number of auditable subcategories had grown to 53. Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy lets administrators configure these granular settings without using auditpol.exe at the command line, so that only the events you are interested in are written to the Security event log. The new settings are in Group Policy under Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration; the original settings remain under Security Settings\Local Policies\Audit Policy. In the basic settings, account logon auditing can only be switched on or off as a whole, whereas the advanced configuration offers four separate Account Logon subcategories: Audit Credential Validation, Audit Kerberos Authentication Service, Audit Kerberos Service Ticket Operations and Audit Other Account Logon Events.
Enabling Advanced Audit Policy Configuration
Basic and advanced audit policy configurations should not be mixed. The best practice is therefore to enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings in Group Policy, which makes sure the basic settings are ignored. The setting is found under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options and sets the SCENoApplyLegacyAuditPolicy registry value (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa) to 1, which prevents basic audit settings from being applied by Group Policy or by the Local Security Policy MMC snap-in.

Configuring Advanced Audit Policy settings
Once basic auditing is disabled, navigate to the Advanced Audit Policy Configuration node and enable auditing for any of the subcategories. Bear in mind that Group Policy cannot set advanced auditing on Windows Vista or Server 2008; on those systems use the auditpol.exe command line tool instead, for example from a computer startup script (auditpol /set requires administrative rights, so a user logon script is not a reliable place for it). To see which audit policies are enabled, run auditpol.exe /get /category:* at the command line; this lists every subcategory with its current setting. In this example I’m going to set success and failure auditing for the Sensitive Privilege Use subcategory:

auditpol.exe /set /subcategory:"Sensitive Privilege Use" /failure:enable /success:enable

Arctic Wolf recommended settings
To capture security and operational events on Windows servers, you must configure audit policies for each domain so that events are generated in the Windows Event Log. In Windows Server 2008 R2 and newer, the default auditing policies combined with the Arctic Wolf® recommended settings generate events that give your Concierge Security® Team (CST) visibility into your Windows environment. This document describes how to configure a Group Policy Object (GPO) with a default set of Advanced Audit Policy Configuration settings and Arctic Wolf-recommended settings to ensure that your Windows host produces the expected set of audit events.
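The local procedure above (set SCENoApplyLegacyAuditPolicy, apply subcategories with auditpol.exe, then check with auditpol /get) as a script that also verifies the result instead of trusting the exit code. This is an added example, not code from the original page or from Arctic Wolf; the set of subcategories in $desired is this example's own choice for illustration, not a recommendation taken from the page, and it must run in an elevated PowerShell session.

```powershell
# Added example; not code from the original page or from Arctic Wolf.
# Disables basic (category-level) auditing via SCENoApplyLegacyAuditPolicy, sets the
# chosen subcategories with auditpol.exe, then reads the effective policy back and
# reports any drift. auditpol /set needs administrative rights.
#Requires -RunAsAdministrator

# Desired state, keyed by subcategory name exactly as auditpol /list /subcategory:* prints it.
# (Example selection; adjust to your own policy.)
$desired = @{
    'Sensitive Privilege Use' = @{ Success = $true;  Failure = $true  }
    'Credential Validation'   = @{ Success = $true;  Failure = $true  }
    'Logon'                   = @{ Success = $true;  Failure = $true  }
    'Process Creation'        = @{ Success = $true;  Failure = $false }
}

# Translate the two flags into the wording auditpol /get /r uses in its 'Inclusion Setting' column.
function Get-InclusionLabel([bool]$Success, [bool]$Failure) {
    if ($Success -and $Failure) { return 'Success and Failure' }
    if ($Success)               { return 'Success' }
    if ($Failure)               { return 'Failure' }
    return 'No Auditing'
}

function Set-LocalAdvancedAuditPolicy {
    # 1. Force subcategory settings to win over the legacy category settings.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

    # 2. Apply each subcategory; auditpol takes enable/disable for both flags.
    foreach ($name in $desired.Keys) {
        $s    = $desired[$name]
        $succ = if ($s.Success) { 'enable' } else { 'disable' }
        $fail = if ($s.Failure) { 'enable' } else { 'disable' }
        & auditpol.exe /set /subcategory:"$name" /success:$succ /failure:$fail | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$name'" }
    }
}

function Test-LocalAdvancedAuditPolicy {
    # 3. Read the effective policy back. /r emits CSV with 'Subcategory' and
    #    'Inclusion Setting' columns; blank lines are dropped before parsing.
    $effective = auditpol.exe /get /category:* /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv

    $drift = @(foreach ($name in $desired.Keys) {
        $expected = Get-InclusionLabel $desired[$name].Success $desired[$name].Failure
        $row = $effective | Where-Object { $_.Subcategory -eq $name }
        if (-not $row) {
            [pscustomobject]@{ Subcategory = $name; Expected = $expected; Actual = '<missing>' }
        } elseif ($row.'Inclusion Setting' -ne $expected) {
            [pscustomobject]@{ Subcategory = $name; Expected = $expected; Actual = $row.'Inclusion Setting' }
        }
    })

    # The registry value must be 1, or Group Policy can still push basic settings over these.
    $legacy = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').SCENoApplyLegacyAuditPolicy
    if ($legacy -ne 1) {
        $drift += [pscustomobject]@{ Subcategory = 'SCENoApplyLegacyAuditPolicy'; Expected = 1; Actual = $legacy }
    }
    return $drift
}

Set-LocalAdvancedAuditPolicy
$drift = Test-LocalAdvancedAuditPolicy
if ($drift) {
    $drift | Format-Table -AutoSize
    throw 'Effective audit policy does not match the desired state'
}
Write-Host 'Effective audit policy matches the desired state.'
```

On a domain member, anything set this way lasts only until the next Group Policy refresh if a GPO with audit settings applies to the computer, which is why the domain-wide configuration below is done through a GPO. Taking a copy of the current policy first with auditpol /backup /file:<path> gives you something to restore if the new settings flood the Security log.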
The Arctic Wolf GPO Advanced Audit Policy applies advanced security audit policy settings to all computers in your domain.
To configure your Arctic Wolf GPO Advanced Audit Policy:
Open or create an Arctic Wolf GPO Advanced Audit Policy
Configure Advanced Audit Policy settings
Enforce the Arctic Wolf GPO Advanced Audit Policy
Set the precedence of the Advanced Audit Policy
The Arctic Wolf GPO requires precedence over other GPOs: link it with a lower link order number (higher precedence) than any other GPO that sets audit settings, or mark the link Enforced so that a GPO linked lower in the OU tree cannot override it.
Update the domain controller Group Policy
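The five steps above carried out from an RSAT-equipped admin workstation with the GroupPolicy and ActiveDirectory modules. This is an added example and not Arctic Wolf's own tooling or a script from the original page. Assumptions not taken from the page: the GPO name, the subcategory selection in $settings, and that the GPO is linked at the domain root. It relies on the fact that Group Policy stores advanced audit settings as audit.csv under the GPO's SYSVOL folder (the same file GPMC writes) and that clients only read that file when the audit-policy client-side extension is registered on the GPO object.

```powershell
# Added example; not the page's or Arctic Wolf's own tooling.
#Requires -Modules GroupPolicy, ActiveDirectory

$gpoName = 'Arctic Wolf GPO Advanced Audit Policy'   # assumed name
$domain  = Get-ADDomain
$dnsRoot = $domain.DNSRoot

# Step 1: open or create the GPO.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment 'Advanced audit policy baseline' }

# Step 2a: subcategory GUIDs come from the local auditpol, so none are hard-coded.
# 'auditpol /list /subcategory:* /v' prints indented subcategory lines ending in a GUID.
$guidByName = @{}
auditpol.exe /list /subcategory:* /v | ForEach-Object {
    if ($_ -match '^\s+(\S.*?)\s+(\{[0-9A-Fa-f-]+\})\s*$') { $guidByName[$matches[1]] = $matches[2] }
}

# Step 2b: desired settings (example selection). Setting Value in audit.csv:
# 1 = Success, 2 = Failure, 3 = Success and Failure.
$label    = @{ 1 = 'Success'; 2 = 'Failure'; 3 = 'Success and Failure' }
$settings = @(
    @{ Name = 'Credential Validation';   Value = 3 }
    @{ Name = 'Logon';                   Value = 3 }
    @{ Name = 'Account Lockout';         Value = 3 }
    @{ Name = 'Sensitive Privilege Use'; Value = 3 }
    @{ Name = 'Process Creation';        Value = 1 }
)
$csv = @('Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value')
foreach ($s in $settings) {
    $guid = $guidByName[$s.Name]
    if (-not $guid) { throw "Subcategory '$($s.Name)' not reported by auditpol on this host" }
    $csv += ",System,Audit $($s.Name),$guid,$($label[$s.Value]),,$($s.Value)"
}
$auditDir = "\\$dnsRoot\SYSVOL\$dnsRoot\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\Audit"
New-Item -ItemType Directory -Path $auditDir -Force | Out-Null
Set-Content -Path (Join-Path $auditDir 'audit.csv') -Value $csv -Encoding UTF8

# Step 2c: register the audit-policy client-side extension on the GPO object; without it
# clients never read audit.csv. This is the GUID pair GPMC writes when you edit the node
# (compare with a GPMC-edited GPO in your domain if in doubt); entries stay sorted by GUID.
$cse     = '[{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]'
$obj     = Get-ADObject -Identity $gpo.Path -Properties gPCMachineExtensionNames
$entries = @([regex]::Matches([string]$obj.gPCMachineExtensionNames, '\[[^\]]+\]') | ForEach-Object { $_.Value })
if ($entries -notcontains $cse) {
    $entries = @(($entries + $cse) | Sort-Object)
    Set-ADObject -Identity $gpo.Path -Replace @{ gPCMachineExtensionNames = ($entries -join '') }
}

# Step 2d: have the same GPO disable basic auditing on every target (the registry value
# behind 'Audit: Force audit policy subcategory settings ...'). Done last because this
# cmdlet also bumps the GPO version, which is what makes clients re-read everything above.
Set-GPRegistryValue -Guid $gpo.Id -Key 'HKLM\SYSTEM\CurrentControlSet\Control\Lsa' `
    -ValueName 'SCENoApplyLegacyAuditPolicy' -Type DWord -Value 1 | Out-Null

# Steps 3 and 4: link at the domain root, Enforced, with link order 1 (highest precedence).
$target = $domain.DistinguishedName
$linked = (Get-GPInheritance -Target $target).GpoLinks | Where-Object { $_.GpoId -eq $gpo.Id }
if ($linked) { Set-GPLink -Guid $gpo.Id -Target $target -Enforced Yes -Order 1 | Out-Null }
else         { New-GPLink -Guid $gpo.Id -Target $target -Enforced Yes -Order 1 | Out-Null }

# Step 5: refresh policy on the PDC emulator and read the effective policy back from it.
Invoke-GPUpdate -Computer $domain.PDCEmulator -Force -RandomDelayInMinutes 0
Invoke-Command -ComputerName $domain.PDCEmulator -ScriptBlock {
    auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
} | Format-Table -AutoSize
```

The read-back at the end is the check that matters: a GPO that is linked but whose extension list or version never changed applies silently as nothing, and only auditpol on the target shows whether the subcategories actually took effect.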
Review your log settings
After updating audit settings, review your event log settings (maximum log size and retention behaviour) to ensure that they align with your company's best practices; Microsoft publishes recommended values for these settings.

Where in Advanced Audit Policy Configuration can the Audit PNP Activity policy be configured?
Under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit PNP Activity. This subcategory exists on Windows 10 and Windows Server 2016 and later.
What is the difference between Audit Policy and Advanced Audit Policy Configuration?
The settings available in Security Settings\Advanced Audit Policy Configuration address the same areas as the nine basic settings in Local Policies\Audit Policy, but they let administrators be more selective about the number and types of events to audit, because each basic category is broken into several subcategories that can be set to success, failure, both or none independently.
Which versions of Windows support Advanced Audit Policy Configuration?
Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista (via auditpol.exe) and in Group Policy since Windows 7 and Windows Server 2008 R2. There is no difference in security auditing support between 32-bit and 64-bit versions. Windows editions that cannot join a domain, such as Windows 10 Home, do not have access to these features.
What are the ten advanced audit policies?
The ten categories under Advanced Audit Policy Configuration > Audit Policies are:
Account Logon
Account Management
Detailed Tracking
DS Access
Logon/Logoff
Object Access
Policy Change
Privilege Use
System
Global Object Access Auditing
Each category contains subcategories. For example, the Logon/Logoff settings and audit events allow you to track attempts to log on to a computer interactively or over a network, and the category contains:
Audit Account Lockout
Audit User/Device Claims
Audit IPsec Extended Mode
Audit Group Membership
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff
Audit Logon
Audit Network Policy Server
Audit Other Logon/Logoff Events
Audit Special Logon