Enabling Windows Advanced Audit Logging

In the world of IT security, it is rarely advisable to use default settings for critical services, application and operating systems. Each use case should be evaluated for default settings and modify them accordingly to meet policy and guideline requirements.

Audit logging is no exception to default setting enhancements when it comes to Windows systems running Windows 2008 and later operating systems. This also includes personal desktop operating systems such as Windows 7, 8 and 10.

Windows Advanced Audit logging expanded the number of audit settings from 9 to 53 giving administrators granular control over what events can be monitored as vital to the security of a system, and which can be ignored as noise or simply because the verbosity is too great.

Insufficient logging and monitoring of systems is an OWASP Top 10 vulnerability. One of the most effective strategies you can implement to increase the security posture of your infrastructure is to centralize the collection of log events in a Security Operations Center (SOC) for analysis. Many Federal and State regulations, and just a good practice in general, mandates the retention of critical log events for several weeks and months. A SOC can be beneficial to your business and your customers to meet these requirements.

The settings below are recommendations based on verbosity and efficiency for the purpose of security analysis and log retention.


How to Enable Critical Advanced Audit Events

Open the local policy editor and Enable forcing of the sub category settings.

force audit policy sub categories


Navigate to the Advanced Audit Policy Configuration -> System Audit Policies to enable granular Success and Failure settings.


Account Logon

audit account logon



Account Management

audit account management



Detailed Tracking

audit detailed tracking



DS Access

audit domain services access




audit windows logon logoff



Object Access

audit object access



Policy Change

audit policy changes



Privilege Use

audit privilege use




audit system events











Related articles

Extracting the Full Certificate Authority (CA) Root Path

There are differences in the CA path seen in IE vs Firefox vs Chrome vs Safari vs Opera. For an F5 you need the entire CA chain in PEM format in order to complete the […]

Learn More

VMWare SSH Keys Password-less Logins for ESXi

The file system for the hypervisor is not persistent for the directory where SSH keys are typically stored. Typically they are stored in the user’s home directory. For VMware an extra step is used to […]

Learn More
TLS SAN v3 openssl

Create Your Own Self-Signed Trusted TLS SAN Certificates

Encryption is critical to safeguarding credentials and communication for client/server applications that use exposed service ports for functions such as APIs. Even in a Dev/Test environment, it’s advisable to protect these endpoints with encryption. Purchasing […]

Learn More
Wildcard SSL