Enabling Windows Advanced Audit Logging

In the world of IT security, it is rarely advisable to use default settings for critical services, application and operating systems. Each use case should be evaluated for default settings and modify them accordingly to meet policy and guideline requirements.

Audit logging is no exception to default setting enhancements when it comes to Windows systems running Windows 2008 and later operating systems. This also includes personal desktop operating systems such as Windows 7, 8 and 10.

Windows Advanced Audit logging expanded the number of audit settings from 9 to 53 giving administrators granular control over what events can be monitored as vital to the security of a system, and which can be ignored as noise or simply because the verbosity is too great.

Insufficient logging and monitoring of systems is an OWASP Top 10 vulnerability. One of the most effective strategies you can implement to increase the security posture of your infrastructure is to centralize the collection of log events in a Security Operations Center (SOC) for analysis. Many Federal and State regulations, and just a good practice in general, mandates the retention of critical log events for several weeks and months. A SOC can be beneficial to your business and your customers to meet these requirements.

The settings below are recommendations based on verbosity and efficiency for the purpose of security analysis and log retention.


How to Enable Critical Advanced Audit Events

Open the local policy editor and Enable forcing of the sub category settings.

force audit policy sub categories


Navigate to the Advanced Audit Policy Configuration -> System Audit Policies to enable granular Success and Failure settings.


Account Logon

audit account logon



Account Management

audit account management



Detailed Tracking

audit detailed tracking



DS Access

audit domain services access




audit windows logon logoff



Object Access

audit object access



Policy Change

audit policy changes



Privilege Use

audit privilege use




audit system events











Related articles

IPSec Tunnels Using F5 Viprions

The F5 appliances contain several modules that can be licensed and activated to deploy services at every layer of the OSI model. One feature that does not require any licensing since the underlying OS for […]

Learn More

Packet Capture with SourceFire IDS/IPS

The SourceFire IDS/IPS 3D sensors have packet capturing capabilities that may not be as well documented as users might like. The ability to capture packets at the perimeter of your network can give valuable insight […]

Learn More

Matching SSL Certificates and Keys with OpenSSL

The data contained in SSL certificates and keys can be manipulated to determine if the private key used to decrypt your SSL traffic matches the certificate. When you have multuiple domain names and multiple expiration […]

Learn More