How do I configure advanced audit policy?

This group is new as of Windows Server 2008 R2 and can be found under "Advanced Audit Policy Configuration". Beneath it you will find "System Audit Policies – Local Group Policy Object". From this point you can use Group Policy to configure the settings. If configured, these settings override the Local Policy audit settings.

User Account Management Sub-Category

This Sub-Category can be set by Group Policy with Windows Server 2008 R2 or later. It records events having to do with security groups in Active Directory and on the local computer.

With the ever-increasing need to meet industry or governmental compliance mandates, the ability to properly audit and report on what is happening in our environments is crucial. In Windows Vista, Microsoft divided the original nine auditing categories into subcategories and added some new events that weren’t previously possible to audit, such as the ability to track access to remote storage devices, which increased the total number of events that can be audited to 53.

Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy allows administrators to configure the new granular audit settings without the need to use auditpol.exe at the command line.

Advanced auditing allows for more granular audit configuration, so that only events you are interested in capturing are written to the Event Log. The new settings can be found in Group Policy under Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration, and the original audit settings can be found here: Security Settings\Local Policies\Audit Policy.


You’ll see that in the basic audit settings, it’s possible to switch account logon auditing on or off, but in the new advanced configuration there are four different account logon events that can be audited:

  • Audit Credential Validation
  • Audit Kerberos Authentication Service
  • Audit Kerberos Service Ticket Operations
  • Audit Other Account Logon Events

Enabling Advanced Audit Policy Configuration

Basic and advanced audit policy configurations should not be mixed. As such, it’s best practice to enable Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings in Group Policy to make sure that basic auditing is disabled. The setting can be found under Computer Configuration\Policies\Security Settings\Local Policies\Security Options, and sets the SCENoApplyLegacyAuditPolicy registry key to prevent basic auditing being applied using Group Policy and the Local Security Policy MMC snap-in.

Configuring Advanced Audit Policy settings

Now that you’ve disabled basic auditing, you can navigate to the Advanced Audit Policy Configuration node and enable auditing for any of the subcategories. Bear in mind that Group Policy can’t be used to enable advanced auditing on Windows Vista or Server 2008, but instead you can use the auditpol.exe command line tool in a logon script.

To see which audit policies are enabled, run auditpol.exe /get /Category:* at the command line. This lists all the subcategories and shows their status. In this example I'm going to set success and failure auditing for the Sensitive Privilege Use subcategory: auditpol.exe /set /subcategory:"Sensitive Privilege Use" /failure:enable /success:enable

To capture security and operational events on Windows servers, you must configure audit policies for each domain to generate events in the Windows Event Log. In Windows Server 2008 R2 and newer, the default auditing policies combined with the Arctic Wolf® recommended settings generate events that give your Concierge Security® Team (CST) visibility into your Windows environment.

This document describes how to configure a Group Policy Object (GPO) with a default set of Advanced Audit Policy Configuration settings and Arctic Wolf-recommended settings to ensure that your Windows host produces the expected set of audit events.

The Arctic Wolf GPO Advanced Audit Policy applies advanced security audit policy settings to all computers in your domain.

Notes:

  • These instructions apply to Server 2008 R2 and newer.

  • If you already have a policy with basic audit policy settings configured under Computer Management > Policies > Windows Settings > Security Settings > Local Policies > Security Policies, this procedure replaces that policy with advanced settings.

  • Audit policies, for each domain, must be configured to generate events in the Windows Event Log. This enables Arctic Wolf to monitor security and operational events on your Windows server.

    Note: Auditing additional items can cause delays in observations, for example, enabling auditing of object access.

  • To prevent a conflict with the Arctic Wolf Advanced Audit Policy controls, ensure that there are no other auditing policies linked to the domain, site, or other organizational units defined at the Domain Controller.


To configure your Arctic Wolf GPO Advanced Audit Policy:

Open or create an Arctic Wolf GPO Advanced Audit Policy

  1. Click Start > Group Policy Management.

  2. In the navigation pane, expand Forest: , where is the name of your domain, and then expand the Domains folder.

  3. If you already have an Arctic Wolf GPO Advanced Audit Policy, complete the following steps; otherwise, proceed to the next step:

  4. If you do not have an existing Arctic Wolf GPO Advanced Audit Policy, complete the following:

    1. Right-click the domain name and select Create a GPO in this domain, and Link it here.

      The New GPO dialog box appears.

    2. In the Name field, enter AWN Audit Policy.

    3. From the Source Starter GPO list, select (none).

    4. Click OK.

    5. Right-click the new GPO and select Edit.

    6. Proceed to Configure Advanced Audit Policy Settings.

Configure Advanced Audit Policy settings

  1. Verify that the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting is Enabled.

    To enable this setting:

    1. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
    2. Locate and then right-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then select Properties.
    3. Click the Security Policy Setting tab.
    4. Select the Define this policy setting checkbox, and then select Enabled.
    5. Click OK.
  2. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    Tip: Resize the window and tree view to completely view the policy tree.


    How do I configure advanced audit policy?
  3. Edit the audit policy settings:

    1. Under Audit Policies, select the category. For example, Account Logon.
    2. Double-click the corresponding subcategory. For example, Audit Credential Validation.
    3. Edit the policy setting as indicated in the table.
    4. Verify that each setting has these checkboxes selected:
      • Configure the following audit events
      • Success or Failure according to the Audit Events listed in the table.

    This table lists the policy setting checkboxes to select:

    Category            Subcategory                                 Audit event settings
    Account Logon       Audit Credential Validation                 Success and Failure
    Account Logon       Audit Kerberos Authentication Service       Success and Failure
    Account Logon       Audit Kerberos Service Ticket Operations    Success and Failure
    Account Logon       Audit Other Account Logon Events            Success and Failure
    Account Management  Audit Computer Account Management           Success and Failure
    Account Management  Audit Other Account Management Events       Success and Failure
    Account Management  Audit Security Group Management             Success and Failure
    Account Management  Audit User Account Management               Success and Failure
    Detailed Tracking   Audit DPAPI Activity                        Success
    Detailed Tracking   Audit Process Creation                      Success
    Detailed Tracking   Audit Process Termination                   Success
    Detailed Tracking   Audit Token Right Adjusted                  Success
    DS Access           Audit Directory Service Access              Success
    DS Access           Audit Directory Service Changes             Success
    Logon/Logoff        Audit Account Lockout                       Success and Failure
    Logon/Logoff        Audit Logoff                                Success and Failure
    Logon/Logoff        Audit Logon                                 Success and Failure
    Logon/Logoff        Audit Network Policy Server                 Success and Failure
    Logon/Logoff        Audit Other Logon/Logoff Events             Success and Failure
    Logon/Logoff        Audit Special Logon                         Success and Failure
    Policy Change       Audit Audit Policy Change                   Success and Failure
    Policy Change       Audit Authentication Policy Change          Success and Failure
    Policy Change       Audit Authorization Policy Change           Success and Failure
    Policy Change       Audit MPSSVC Rule-Level Policy Change       Success
    Privilege Use       Audit Sensitive Privilege Use               Success and Failure
    System              Audit IPsec Driver                          Success
    System              Audit Other System Events                   Success and Failure
    System              Audit Security State Change                 Success and Failure
    System              Audit Security System Extension             Success and Failure
    System              Audit System Integrity                      Success and Failure

  4. In the same Group Policy, enable these command-line policies:

    • Navigate to Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation, and then set Include command line in process creation events to Enabled.

    • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, and then set Turn on PowerShell Script Block Logging to Enabled.

  5. Close the Group Policy Management Editor window after completing all audit and command-line policy changes.

  6. In the navigation pane, select AWN Audit Policy.

  7. Click the Settings tab.

  8. Compare the policy configuration settings to the audit policy settings you edited earlier in this procedure.

    Note: Even if the settings here are correct, they may not have been applied yet.

  9. Verify that the AD audit settings were applied by running auditpol.exe /get /category:* on every domain controller in your environment. Review the results of the command against the settings from above. If the results are incorrect or return No Auditing:

    1. Run gpupdate /force, followed by auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
    2. Navigate back to Audit Policies and complete the following steps for those that did not update:

      Note: You do not need to follow this procedure for every policy. You only need to do this for one policy.

      1. Deselect the applicable checkboxes, and then click Apply.
      2. Reselect the appropriate checkboxes, and then click Apply.
      3. Run gpupdate /force.
      4. Run auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
    3. Run gpresult /h auditsettings.html and send the HTML file that is created to Arctic Wolf for further investigation.
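As an added example (not from the page and not Arctic Wolf's own tooling), the following PowerShell script automates the check in step 9 and the auditpol.exe /get query shown earlier: it reads the effective policy with auditpol's CSV output (the /r switch), compares every subcategory against the table above, and confirms that the SCENoApplyLegacyAuditPolicy override from the earlier section is set. The function names and the $ExpectedAuditPolicy variable are this example's own; it assumes an elevated session on the host being checked.

```powershell
# Added example (not part of the page or of Arctic Wolf's own tooling):
# compare a host's effective audit policy with the table above and confirm
# the legacy-override registry value is set. Run elevated on the host being
# checked; the function names below are this example's own.

# Expected settings transcribed from the table above. Keys are the GPO
# subcategory names without the leading "Audit ", which is how
# "auditpol /get /category:* /r" reports them.
$ExpectedAuditPolicy = @{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Other Account Logon Events'         = 'Success and Failure'
    'Computer Account Management'        = 'Success and Failure'
    'Other Account Management Events'    = 'Success and Failure'
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'DPAPI Activity'                     = 'Success'
    'Process Creation'                   = 'Success'
    'Process Termination'                = 'Success'
    'Token Right Adjusted'               = 'Success'   # auditpol appends " Events" on recent builds; matched by prefix below
    'Directory Service Access'           = 'Success'
    'Directory Service Changes'          = 'Success'
    'Account Lockout'                    = 'Success and Failure'
    'Logoff'                             = 'Success and Failure'
    'Logon'                              = 'Success and Failure'
    'Network Policy Server'              = 'Success and Failure'
    'Other Logon/Logoff Events'          = 'Success and Failure'
    'Special Logon'                      = 'Success and Failure'
    'Audit Policy Change'                = 'Success and Failure'
    'Authentication Policy Change'       = 'Success and Failure'
    'Authorization Policy Change'        = 'Success and Failure'
    'MPSSVC Rule-Level Policy Change'    = 'Success'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'IPsec Driver'                       = 'Success'
    'Other System Events'                = 'Success and Failure'
    'Security State Change'              = 'Success and Failure'
    'Security System Extension'          = 'Success and Failure'
    'System Integrity'                   = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # The /r switch makes auditpol emit CSV with the columns
    # Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting. Blank lines are dropped
    # before parsing so ConvertFrom-Csv sees the header row first.
    param([string[]]$RawCsv = (auditpol.exe /get /category:* /r))
    $RawCsv | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
}

function Test-LegacyAuditOverride {
    # "Audit: Force audit policy subcategory settings (Windows Vista or later)
    # to override audit policy category settings" is stored as this LSA
    # registry value; 1 means the override is enabled.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    [bool]($lsa -and $lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Test-AuditPolicyCompliance {
    param(
        [hashtable]$Expected = $ExpectedAuditPolicy,
        [object[]]$Actual = (Get-EffectiveAuditPolicy)
    )
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        # Exact match first, then a prefix match for the "... Events" naming variants.
        $row = $Actual | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        if (-not $row) {
            $row = $Actual | Where-Object { $_.Subcategory -like "$name*" } | Select-Object -First 1
        }
        $current = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $current
            Compliant   = ($current -eq $Expected[$name])
        }
    }
}

# Report: the override flag, then every subcategory that drifted from the table.
"SCENoApplyLegacyAuditPolicy set: $(Test-LegacyAuditOverride)"
Test-AuditPolicyCompliance | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

An empty drift table means the host matches the table and "No Auditing" has not crept back in. To run the same check on every domain controller from one console, save the script to a file and invoke it remotely, for example Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -FilePath .\Test-AuditPolicy.ps1; that form assumes the ActiveDirectory module is installed and WinRM is enabled on the domain controllers.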

Enforce the Arctic Wolf GPO Advanced Audit Policy

  1. Right-click your Arctic Wolf GPO Audit Policy, and select Enforced if it is not already selected.

  2. Verify that a lock overlay appears in the policy icon.

    This confirms that the Audit Policy is enforced on the domain.

Set the precedence of an Advanced Audit Policy

The Arctic Wolf GPO requires precedence over other GPOs.

  1. In the navigation pane, click Forest: , where is the name of your domain.
  2. Click the Group Policy Inheritance tab.
  3. In the GPO column, locate your GPO, and then click and drag it to the top of the list.
  4. In the Precedence column, verify that your GPO is 1 (Enforced).
  5. Close the Group Policy Management window.

Update the domain controller Group Policy

  1. Click Start > Windows PowerShell or Command Prompt.

  2. Run the following command:

    Note: If you are prompted to sign off or restart after the user and computer policy updates complete, press N and then press Enter.

  3. Close Windows PowerShell or the Command Prompt. The audit settings are now successfully applied with Group Policy.
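The two command-line policies enabled in step 4 of the GPO procedure are the ones most often found silently not applied, because the audit subcategory is on but the event fields stay empty. As an added example (not from the page and not Arctic Wolf's own tooling), this PowerShell script checks both: first the registry values that Group Policy writes for those settings, then whether recent process-creation (4688) and PowerShell script block (4104) events actually carry the command line and script text. The function names are this example's own; it assumes an elevated session on a host that has already received the policy.

```powershell
# Added example (not part of the page): confirm that the two administrative
# template settings from the procedure are in effect on this host, first via
# the registry values Group Policy writes, then by checking recent events for
# the fields those settings populate. Function names are this example's own.

function Test-CommandLineLoggingPolicy {
    # "Include command line in process creation events" sets this value to 1.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
                          -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    [bool]($p -and $p.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

function Test-ScriptBlockLoggingPolicy {
    # "Turn on PowerShell Script Block Logging" sets this value to 1.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
                          -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    [bool]($p -and $p.EnableScriptBlockLogging -eq 1)
}

function Get-RecentProcessCreationEvents {
    # Event 4688 is written by "Audit Process Creation"; with command-line
    # logging on, its CommandLine data field is populated instead of empty.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                NewProcess  = $data['NewProcessName']
                CommandLine = $data['CommandLine']
            }
        }
}

function Get-RecentScriptBlockEvents {
    # Event 4104 in the PowerShell operational log carries the executed script text.
    param([int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $text = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'ScriptBlockText' }).'#text'
            [pscustomobject]@{ Time = $_.TimeCreated; Snippet = ($text -split "`n")[0] }
        }
}

"Command-line logging policy set : $(Test-CommandLineLoggingPolicy)"
"Script block logging policy set : $(Test-ScriptBlockLoggingPolicy)"

# Count how many recent 4688 events actually carry a command line.
$procs   = @(Get-RecentProcessCreationEvents)
$withCmd = @($procs | Where-Object { $_.CommandLine }).Count
"Recent 4688 events with a command line: $withCmd of $($procs.Count)"
Get-RecentScriptBlockEvents | Select-Object -First 5 | Format-Table -AutoSize
```

If both registry checks return True but every 4688 event has an empty command line, the policy has been written to the registry but no process has started since it took effect, or the events predate the change; start a new process and query again before escalating. No 4104 events at all after a fresh PowerShell session usually means the Microsoft-Windows-PowerShell/Operational log is disabled or the script block policy has not reached the host.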

Review your log settings

After updating audit settings, review log settings to ensure that they align with your company best practices. Microsoft recommends specific settings for:

Where in the Advanced audit policy Configuration can the audit PNP activity policy be configured?

Choose Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

What is the difference between audit policy and Advanced audit policy Configuration?

The settings available in Security Settings\Advanced Audit Policy Configuration address similar issues as the nine basic settings in Local Policies\Audit Policy, but they allow administrators to be more selective in the number and types of events to audit.

Which versions of Windows Support Advanced audit policy Configuration?

Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista. There's no difference in security auditing support between 32-bit and 64-bit versions. Windows editions that can't join a domain, such as Windows 10 Home edition, don't have access to these features.

What are the ten advanced audit policies?

Logon/Logoff security policy settings and audit events allow you to track attempts to log on to a computer interactively or over a network.

  • Audit Account Lockout
  • Audit User/Device Claims
  • Audit IPsec Extended Mode
  • Audit Group Membership
  • Audit IPsec Main Mode
  • Audit IPsec Quick Mode
  • Audit Logoff
  • Audit Logon