
Enabling Windows Advanced Audit Logging

In IT security it is rarely advisable to run critical services, applications or operating systems with their default settings. Evaluate the defaults for each use case and change them to meet your policy and guideline requirements.

Audit logging on Windows is no exception. Windows Server 2008 and later, and the client releases Windows 7, 8 and 10, support advanced audit policy, but its defaults should be reviewed and tightened like any other security setting. (On Windows Server 2008 and Vista the subcategories are managed with auditpol.exe; the Group Policy editor gained its Advanced Audit Policy Configuration node in Windows Server 2008 R2 and Windows 7.)

Advanced audit policy splits the 9 legacy audit categories into 53 subcategories (later releases add a few more), giving administrators granular control over which events are recorded because they matter to the security of the system and which are left off as noise or because their volume would be too high.

Insufficient logging and monitoring appears in the OWASP Top 10 (A10:2017). One of the most effective steps you can take to improve the security posture of your infrastructure is to centralize the collection of log events in a Security Operations Center (SOC) for analysis. Many Federal and State regulations, as well as general good practice, mandate retaining critical log events for weeks or months, and a SOC helps your business and your customers meet these requirements.

The settings below are recommendations based on verbosity and efficiency for the purpose of security analysis and log retention.

 

How to Enable Critical Advanced Audit Events

Open the Local Security Policy editor (secpol.msc, or gpedit.msc for the full Local Group Policy Editor; on a domain, edit a GPO in the Group Policy Management Console instead). Under Local Policies -> Security Options, enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings". This makes the subcategory settings take precedence over any legacy category-level audit settings that are still applied to the machine.

[Screenshot: force audit policy subcategories]

 

Navigate to Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies and set Success and/or Failure auditing on the individual subcategories under each of the categories below.

 

Account Logon

[Screenshot: audit account logon]

 

 

Account Management

[Screenshot: audit account management]

 

 

Detailed Tracking

[Screenshot: audit detailed tracking]

 

 

DS Access

[Screenshot: audit domain services access]

 

 

Logon/Logoff

[Screenshot: audit windows logon logoff]

 

 

Object Access

[Screenshot: audit object access]

 

 

Policy Change

[Screenshot: audit policy changes]

 

 

Privilege Use

[Screenshot: audit privilege use]

 

 

System

[Screenshot: audit system events]
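The whole procedure above can be scripted with auditpol.exe, which manages the same subcategories the Group Policy editor shows, and then checked against what is actually in effect. The script below is an added example and is not from the original article; the subcategory selection is an assumed baseline grouped by the categories walked through above (the article's own recommendations are in its screenshots and are not reproduced here), and the command-line-logging registry value and Security log size are additions a practitioner would normally pair with these settings.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article: apply an Advanced Audit Policy baseline
# with auditpol.exe and verify the effective policy. The subcategory list is an ASSUMED
# baseline for illustration; adjust it to your own policy requirements.

$ErrorActionPreference = 'Stop'

# 1. Force subcategory settings to override legacy category settings. This is the registry
#    value behind the "Audit: Force audit policy subcategory settings (Windows Vista or
#    later) to override audit policy category settings" security option.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 2. Back up the policy currently in effect so it can be rolled back with
#    auditpol /restore /file:<backup>
$backup = Join-Path $env:TEMP ('auditpol-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
auditpol /backup /file:$backup | Out-Null
Write-Output "Previous audit policy saved to $backup"

# 3. Assumed baseline. Values: 'success', 'failure' or 'both'.
$baseline = [ordered]@{
    # Account Logon
    'Credential Validation'              = 'both'
    'Kerberos Authentication Service'    = 'both'
    'Kerberos Service Ticket Operations' = 'both'
    # Account Management
    'User Account Management'            = 'both'
    'Security Group Management'          = 'both'
    'Computer Account Management'        = 'both'
    # Detailed Tracking
    'Process Creation'                   = 'success'
    # DS Access (only produces events on domain controllers)
    'Directory Service Access'           = 'both'
    'Directory Service Changes'          = 'both'
    # Logon/Logoff
    'Logon'                              = 'both'
    'Logoff'                             = 'success'
    'Account Lockout'                    = 'both'
    'Special Logon'                      = 'success'
    # Object Access
    'Removable Storage'                  = 'both'
    'Other Object Access Events'         = 'both'
    # Policy Change
    'Audit Policy Change'                = 'both'
    'Authentication Policy Change'       = 'success'
    # Privilege Use
    'Sensitive Privilege Use'            = 'both'
    # System
    'Security State Change'              = 'both'
    'Security System Extension'          = 'both'
    'System Integrity'                   = 'both'
}

foreach ($entry in $baseline.GetEnumerator()) {
    $success = if ($entry.Value -in 'success', 'both') { 'enable' } else { 'disable' }
    $failure = if ($entry.Value -in 'failure', 'both') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$($entry.Key)" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($entry.Key)'" }
}

# 4. Process Creation (event 4688) records only the image path by default; this value
#    adds the full command line, which detection rules almost always need.
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 5. More subcategories means faster rollover: raise the Security log to 1 GiB so events
#    survive until the collector ships them off-box.
wevtutil sl Security /ms:1073741824

# 6. Verify the effective policy. auditpol /r emits CSV whose 'Inclusion Setting' column
#    reads 'Success', 'Failure', 'Success and Failure' or 'No Auditing'.
function Test-AuditBaseline {
    param([System.Collections.IDictionary]$Expected)
    $label  = @{ success = 'Success'; failure = 'Failure'; both = 'Success and Failure' }
    $actual = auditpol /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($entry in $Expected.GetEnumerator()) {
        $row   = $actual | Where-Object { $_.Subcategory -eq $entry.Key } | Select-Object -First 1
        $state = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
        [pscustomobject]@{
            Subcategory = $entry.Key
            Expected    = $label[$entry.Value]
            Actual      = $state
            Ok          = ($state -eq $label[$entry.Value])
        }
    }
}

$result = Test-AuditBaseline -Expected $baseline
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Ok }) {
    Write-Warning 'Effective policy differs from the baseline; a domain GPO may be overriding it.'
}
```

Run it from an elevated PowerShell prompt. On domain-joined machines the local auditpol settings will be replaced by whatever the applied GPOs specify at the next policy refresh, so put the baseline in a GPO under Advanced Audit Policy Configuration and use the local script for labs or for verifying what a GPO actually delivered. Two caveats worth remembering: the DS Access subcategories only produce events on domain controllers, and Object Access subcategories such as File System and Registry generate nothing until a SACL is placed on the objects you want watched.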
