In IT security, it is rarely advisable to run critical services, applications, and operating systems with their default settings. Each use case should be evaluated against the defaults, and the defaults modified as needed to meet policy and guideline requirements.
Audit logging is no exception on Windows systems running Windows 2008 and later operating systems; this also includes personal desktop operating systems such as Windows 7, 8, and 10.
Windows Advanced Audit logging expanded the number of audit settings from 9 to 53, giving administrators granular control over which events are monitored because they are vital to the security of a system, and which are ignored as noise or simply because their verbosity is too great.
Insufficient logging and monitoring is an OWASP Top 10 vulnerability. One of the most effective strategies you can implement to improve the security posture of your infrastructure is to centralize the collection of log events in a Security Operations Center (SOC) for analysis. Many federal and state regulations mandate the retention of critical log events for several weeks or months, and doing so is good practice in general. A SOC can help your business and your customers meet these requirements.
The settings below are recommendations based on verbosity and efficiency for the purpose of security analysis and log retention.
How to Enable Critical Advanced Audit Events
Open the local security policy editor and enable the option that forces the subcategory settings to override the legacy category settings.
Navigate to the Advanced Audit Policy Configuration -> System Audit Policies to enable granular Success and Failure settings.
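The same two steps scripted with auditpol.exe and the registry value behind the subcategory-override option, as an added example that is not part of the original article; the subcategory names and Success/Failure choices in $wanted are assumed illustrations, not the article's recommended settings.

```powershell
# Added example (not the article's own script). Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

# 1. Force subcategory settings to override the legacy 9-category policy.
#    This registry value backs the "Force audit policy subcategory settings" security option;
#    without it the category-level settings win and the granular settings are ignored.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Subcategories to audit and whether to record Success, Failure, or both.
#    Assumed examples only; replace with the subcategories your own policy requires.
$wanted = @{
    'Logon'                     = @{ Success = $true;  Failure = $true  }
    'Logoff'                    = @{ Success = $true;  Failure = $false }
    'Process Creation'          = @{ Success = $true;  Failure = $false }
    'Security Group Management' = @{ Success = $true;  Failure = $true  }
    'Audit Policy Change'       = @{ Success = $true;  Failure = $true  }
}

foreach ($sub in $wanted.Keys) {
    $s = if ($wanted[$sub].Success) { 'enable' } else { 'disable' }
    $f = if ($wanted[$sub].Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$sub" "/success:$s" "/failure:$f" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# 3. Verify the effective policy. "auditpol /get /r" emits CSV with an
#    "Inclusion Setting" column ("Success and Failure", "Success", "Failure", "No Auditing").
$effective = & auditpol.exe /get /category:* /r |
    Where-Object { $_ -ne '' } | ConvertFrom-Csv

foreach ($sub in $wanted.Keys) {
    $row = $effective | Where-Object { $_.Subcategory -eq $sub }
    $expect = @()
    if ($wanted[$sub].Success) { $expect += 'Success' }
    if ($wanted[$sub].Failure) { $expect += 'Failure' }
    $expectText = if ($expect.Count -gt 0) { $expect -join ' and ' } else { 'No Auditing' }
    $status = if ($row.'Inclusion Setting' -eq $expectText) { 'OK' } else { 'MISMATCH' }
    '{0,-28} {1,-20} {2}' -f $sub, $row.'Inclusion Setting', $status
}
```

Any MISMATCH line means a domain Group Policy or a category-level setting is still overriding the local subcategory value, which is the first thing to check before trusting what the Security log contains.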