Windows Server Advanced Auditing Policies

Security auditing is a methodical examination and review of activities that may affect the security of a system. In Windows and Windows Server environments, security auditing consists of the features and services that log and review events for specified security-related activities.

Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.

Audit policies are configured through Group Policy. You can configure local policies, but in most environments auditing is configured by applying policies at the Domain, Site or Organizational Unit level.

The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they're recorded and applied differently.

There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy and 58 settings under Security Settings\Advanced Audit Policy Configuration\System Audit Policies. The advanced settings address the same areas as the nine basic settings, but each area is split into subcategories, so administrators can be far more selective about the number and types of events that are audited. For example, the basic policy has a single Audit account logon events setting, whereas the advanced policy splits Account Logon into four subcategories (Credential Validation, Kerberos Authentication Service, Kerberos Service Ticket Operations and Other Account Logon Events) that can be enabled individually. The two sets of settings should not be mixed: whether the subcategory settings win over a basic category setting is decided by the policy Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, which should be enabled wherever advanced audit policies are in use.
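The following PowerShell is an added example, not code from the original article or from Microsoft. It enforces the subcategory override setting, reads the effective advanced audit policy with auditpol, compares it with a small baseline, and applies whatever is missing. The baseline (the subcategory list and the Success/Failure settings in it) is an illustration chosen for this example, not a recommended standard, and the script assumes an elevated prompt on an English-language system, because auditpol's subcategory names are localized.

```powershell
# Added example (not from the original article): check the effective advanced audit policy
# against a baseline and fix drift. Run from an elevated PowerShell prompt.
# The baseline below is illustrative, not a recommended standard; subcategory names are the
# English display names auditpol uses and differ on localized systems.
#Requires -RunAsAdministrator

# 1. Make sure advanced (subcategory) settings win over the nine basic settings.
#    This registry value is what the policy "Audit: Force audit policy subcategory settings
#    (Windows Vista or later) to override audit policy category settings" controls. Without it,
#    a basic category setting can replace the more granular subcategory configuration.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -ne 1) {
    Write-Warning "Subcategory override not enforced (SCENoApplyLegacyAuditPolicy=$force); enabling it."
    Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
}

# 2. Illustrative baseline: auditpol subcategory name -> desired inclusion setting.
#    Valid values are 'Success', 'Failure' or 'Success and Failure'.
$baseline = @{
    'Credential Validation'     = 'Success and Failure'   # Account Logon
    'User Account Management'   = 'Success and Failure'   # Account Management
    'Security Group Management' = 'Success and Failure'   # Account Management
    'Process Creation'          = 'Success'               # Detailed Tracking (event 4688)
    'Logon'                     = 'Success and Failure'   # Logon/Logoff (events 4624/4625)
    'Special Logon'             = 'Success'               # Logon/Logoff (event 4672)
    'Audit Policy Change'       = 'Success and Failure'   # Policy Change (event 4719)
    'Sensitive Privilege Use'   = 'Success and Failure'   # Privilege Use
    'Security State Change'     = 'Success'               # System
}

# 3. Read the effective policy. "auditpol /get /category:* /r" emits CSV with the columns
#    Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
#    Blank lines are dropped before parsing so ConvertFrom-Csv sees the header first.
$effective = @{}
auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |
    ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }

# 4. Report every subcategory whose effective setting differs from the baseline.
$drift = foreach ($name in $baseline.Keys) {
    $want = $baseline[$name]
    $have = if ($effective.ContainsKey($name)) { $effective[$name] } else { '<missing>' }
    if ($have -ne $want) {
        [pscustomobject]@{ Subcategory = $name; Expected = $want; Effective = $have }
    }
}

if (-not $drift) {
    Write-Host 'Effective audit policy matches the baseline.'
} else {
    $drift | Format-Table -AutoSize

    # 5. Apply the baseline. auditpol takes success and failure as separate switches, so the
    #    combined inclusion setting is split back into the two flags.
    foreach ($d in $drift) {
        $success = if ($d.Expected -like 'Success*') { 'enable' } else { 'disable' }
        $failure = if ($d.Expected -like '*Failure') { 'enable' } else { 'disable' }
        auditpol /set "/subcategory:$($d.Subcategory)" "/success:$success" "/failure:$failure"
    }

    # 6. Each change is itself recorded as event 4719 (System audit policy was changed) when the
    #    Audit Policy Change subcategory is on, which is the entry to watch for unexpected changes.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents $drift.Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-List
}
```

On a domain-joined machine, anything set with auditpol is replaced at the next Group Policy refresh by any GPO that configures the same subcategory, so in practice the baseline belongs in a GPO linked at the Domain, Site or OU level as described above, and a script like this serves as a drift check rather than the source of truth. Subcategory GUIDs (the fourth CSV column) can be used in place of names if the script has to run on systems with different display languages.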

[Image: Advanced-Audit-Policy.png]

To help you get to grips with all these policies, we've created a set of short videos, 5-10 minutes in length, that go through each of the advanced auditing policy categories, explain the individual policies and describe the interesting event log entries each policy is likely to generate. The videos are as follows:

Introduction to Advanced Security Auditing: https://www.youtube.com/watch?v=OvIraaN2ZnI
Account Logon policies: https://www.youtube.com/watch?v=A-EjL5sz5rk
Account Management policies: https://www.youtube.com/watch?v=jmxloIQp_yg
Detailed Tracking policies: https://www.youtube.com/watch?v=EXHWhGrlH5c
DS Access policies: https://www.youtube.com/watch?v=tZVFuFOppwA
Logon/Logoff policies: https://www.youtube.com/watch?v=9uooYpTBlsA
Object Access policies: https://www.youtube.com/watch?v=b9juS5RT1lg
Policy Change policies: https://www.youtube.com/watch?v=GKc4lo_shUg
Privilege Use policies: https://www.youtube.com/watch?v=L5bJ4z4qlco
System policies: https://www.youtube.com/watch?v=WhoLstyh0pA
Global Object Access Auditing policies: https://www.youtube.com/watch?v=NCNXWQoApIk

Understanding and applying audit policies is critical to making sure that the activity you want tracked on the computers you manage is actually recorded in the event log. Hopefully this set of videos, broken down into snack-sized chunks, will let you review what these policies can do and help you be more deliberate about how you audit activity on the computers you manage.

You can also consult detailed information about advanced audit policies at the following link on Microsoft Learn: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audi…


This article was originally published by Microsoft's ITOps Talk Blog. You can find the original article here.