info@punkinnovation.com 571-572-2160

Enabling Windows Advanced Audit Logging

In the world of IT security, it is rarely advisable to use default settings for critical services, application and operating systems. Each use case should be evaluated for default settings and modify them accordingly to meet policy and guideline requirements.

Audit logging is no exception to default setting enhancements when it comes to Windows systems running Windows 2008 and later operating systems. This also includes personal desktop operating systems such as Windows 7, 8 and 10.

Windows Advanced Audit logging expanded the number of audit settings from 9 to 53 giving administrators granular control over what events can be monitored as vital to the security of a system, and which can be ignored as noise or simply because the verbosity is too great.

Insufficient logging and monitoring of systems is an OWASP Top 10 vulnerability. One of the most effective strategies you can implement to increase the security posture of your infrastructure is to centralize the collection of log events in a Security Operations Center (SOC) for analysis. Many Federal and State regulations, and just a good practice in general, mandates the retention of critical log events for several weeks and months. A SOC can be beneficial to your business and your customers to meet these requirements.

The settings below are recommendations based on verbosity and efficiency for the purpose of security analysis and log retention.

 

How to Enable Critical Advanced Audit Events

Open the local policy editor and Enable forcing of the sub category settings.

force audit policy sub categories

 

Navigate to the Advanced Audit Policy Configuration -> System Audit Policies to enable granular Success and Failure settings.

 

Account Logon

audit account logon

 

 

Account Management

audit account management

 

 

Detailed Tracking

audit detailed tracking

 

 

DS Access

audit domain services access

 

 

Logon/Logoff

audit windows logon logoff

 

 

Object Access

audit object access

 

 

Policy Change

audit policy changes

 

 

Privilege Use

audit privilege use

 

 

System

audit system events

 

 

 

 

 

 

 

 

 

 

Related articles

SourceFire IDS/IPS 4.x to 5.x Upgrade

A SourceFire upgrade from 4.x to 5.x for either the sensor or the Defense Center needs to be carefully planned and executed in a manner that does not leave your network vulnerable to malicious actors.

Learn More

Top 6 Network Function Virtualization (NFV) Benefits for Enterprise Data Centers

NFV adds value and flexibility while reducing physical space and costs for data centers. Cloud adaptation and spending priorities continue to press enterprise data centers toward rethinking the viability of a traditional IT hardware-based model […]

Learn More

Hair-pinning a Juniper SRX for Interzone Access

Each of your firewall vendors, or any device capable of Layer 3 traffic tries very hard to prevent traffic that will ingress on the same interface used to egress traffic. This is about preventing spoof […]

Learn More