
Configure LEM Audit Policy Information


Updated May 24th 2016

Overview

Configuring LEM Audit Policy

Environment

Log and Event Manager / Windows

Steps

I have installed and deployed the LEM (license activated and the ‘activate’ command run); now what?

  • Get network devices (syslog or SNMP) sending data to the LEM.
  • Configure connectors in the LEM to receive the syslog data.
  • Install Windows/Linux/Unix agents to send data, and set or verify connectors for the desired logs.
  • Verify that the LEM is configured to receive the volume of traffic, and that the data is going into the database.
  • Configure rules to act upon the specific types of data.

I’m sending data but what is the correct data?

Set up Windows auditing as you choose, but if you are under any compliance regime, we encourage you to follow the recommendations of your auditor (and your internal security/management policies), or at least our set of PCI auditing recommendations. Both the PCI auditing recommendations and the WFP (Windows Filtering Platform) settings are included at the bottom of this article.

Use the following for a basic understanding: Windows Audit Policy and Best Practice

Important: If you follow the PCI auditing at the bottom of this article, you will also be disabling the WFP noise.

To verify/set Windows auditing, use the PCI Auditing as a baseline.

 

What about File Auditing?

We have always seen issues with file auditing (which falls under Object Access auditing), and the FIM connector makes it easy to audit too much. Audit only what is NEEDED, not everything under the C drive, which can overwhelm the LEM. There are two ways to set up file auditing (do one or the other, not both):

(Right-click a directory and select Properties, select the Security tab, then click the Advanced button. In the pop-up window, select the Auditing tab, click Edit and add the desired auditing, allowing the setting to propagate down through subdirectories as desired.)

RSoP (rsop.msc) worked well for Windows 2003, but Microsoft deprecated it because it does not pick up some of the audit policies in Windows Vista and newer (including 2008/2012). If you run it, you may need to search the C drive for the command, but do not expect it to show the GAP (granular audit policies), commonly referred to as advanced audit policies.

GPresult (gpresult.msc) has replaced RSoP for Windows 2008/2012, and has several options to help with displaying the policies:

    gpresult [/s <COMPUTER> [/u <USERNAME> [/p [<PASSWORD>]]]] [/user [<TARGETDOMAIN>\]<TARGETUSER>] [/scope {user | computer}] {/r | /v | /z | [/x | /h] <FILENAME> [/f] | /?}

From a Windows server, use “gpresult /h rsop-gpresult.htm” for a graphical HTML report, but note the command has other capabilities.

You can still look at the individual Active Directory group policies using Active Directory Users and Computers, or the Group Policy Management Console. One of the two should be loaded on a DC or on a PC/server that has the management applications installed.

To use the GAP (advanced audit policies), you either need to enable the GPO setting in AD policies or set it on the local computer.

  • AD Users and Computers, GPMC, Gpedit or Local Policy Editor:
    • Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Force Audit Policy Subcategory Settings
  • Regedit -> HKLM\System\CurrentControlSet\Control\LSA -> set the value to 1 to enable the GAP.

The agent is needed on every Active Directory Domain Controller (DC) to receive data from the security event log. Events such as a user logon or a change in AD are recorded on only one DC, even though the information is securely replicated between domain controllers (that replication itself is not visible to us). Occasionally we do see duplicate events (a single event sent by two different domain controllers), but this is typically caused by event logs being replicated between DCs, something we never saw in 2003.

PCI-DSS log selection

Category/Subcategory                      Setting

System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   Success and Failure

Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing

Object Access
  File System                             Success and Failure
  Registry                                Success and Failure
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              Success and Failure
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing

Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing

Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing

Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              Success and Failure

Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure

DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Failure

Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure


Here is the information on Windows noise (Windows Filtering Platform noise).

  • Windows Filtering Platform (WFP) is a new architecture that enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs). KB1676.
  • Some Windows Filtering Platform (WFP) events have been deemed 'noise', because we have never found any value in them.
  • These are TCP/IP/PPTP/UDP/ICMP events with IDs in the 515x range (5152, 5154, 5156, 5157, 5158, 5159), as identified by the EventID, which we call the ProviderSID.
  • When you search the internet for this log data, please let us know if you find any value in these events from Windows Vista and newer operating systems.
  • Because of the volume of WFP traffic, Windows security event logs can fill up quickly, the traffic traverses your network, and it can occupy up to 90% of the database capacity in the LEM.
  • Noise is removed by enabling sub-category level auditing (which disables category level auditing), enabling the desired auditing, and disabling the 9 sub-categories listed below within the advanced auditing.

Here are the 9 sub-categories to be disabled (No Auditing):

  • MPSSVC Rule-Level Policy Change
  • Filtering Platform Policy Change
  • IPsec Main Mode
  • IPsec Quick Mode
  • IPsec Extended Mode
  • IPsec Driver
  • Other System Events
  • Filtering Platform Packet Drop
  • Filtering Platform Connection


Windows 2008 Windows Filtering Platform noise tuning information:

The best way to reduce WFP noise is to change Active Directory group policies (GPOs) to remove these events at the source, especially on the DCs.

You can also reduce the WFP 'noise' received by the LEM appliance using the "Event Distribution Policy", but the LEM still consumes additional resources to process these events.

Check/view how the category/sub-categories are set (applicable to Windows Vista and newer operating systems):

    cmd-line: auditpol /get /category:*

    or cmd-line: auditpol /get /category:"policy change","logon/logoff","system","Object Access"

    or view Category-level auditing in gpedit/policy-mgmt: Computer-Config, Windows-Settings, Security-Settings, Local-Policies, Audit-Policies.

    or view Sub-category-level auditing in gpedit/policy-mgmt: Computer-Config, Windows-Settings, Security-Settings, Advanced-Audit-Policy-Config, Audit-Policies.


Enable/Force subcategory use:

  (to view) Local-Security-Policy: Local-Policies, Security-Options, Audit: Force-audit-policy-subcategory-settings ==> enabled

  (to set) GPMC: Computer-Config, Windows-Settings, Security-Settings, Local-Policies, Security-Options, Audit: Force-audit-policy-subcategory-settings ==> enabled

  Note: Enabling "force sub-category" turns on sub-category auditing and turns off category-level auditing.


Manually set the auditing level locally (disables the following 9 sub-categories). This can be set from the command line, but GPOs will overwrite it:

   auditpol.exe /set /subcategory:"MPSSVC Rule-Level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:disable /failure:disable

Use the Group Policy Management Editor to set policies that disable the 9 sub-categories in the domain/site/OU, whichever is applicable.
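As an added example (not from this article or from SolarWinds), the following Python script parses the output of "auditpol /get /category:*" and reports where a host drifts from the PCI baseline above: any of the 9 WFP noise sub-categories still enabled, a required sub-category under-audited, or a sub-category missing from the output altogether. The baseline subset and the sample auditpol output are constructed here; run the real command and feed its output to parse_auditpol to check a live system.

```python
import re

# Subset of the article's PCI-DSS baseline (constructed for this example):
# the nine WFP noise subcategories must be "No Auditing", the rest as listed.
NOISE = ("MPSSVC Rule-Level Policy Change", "Filtering Platform Policy Change",
         "IPsec Main Mode", "IPsec Quick Mode", "IPsec Extended Mode", "IPsec Driver",
         "Other System Events", "Filtering Platform Packet Drop",
         "Filtering Platform Connection")
REQUIRED = {"Logon": "Success and Failure", "Audit Policy Change": "Success and Failure"}
BASELINE = {**{n: "No Auditing" for n in NOISE}, **REQUIRED}

# auditpol prints each subcategory indented two spaces, then the setting.
LINE_RE = re.compile(r"^\s{2}(?P<name>.+?)\s{2,}"
                     r"(?P<setting>Success and Failure|Success|Failure|No Auditing)\s*$")

def parse_auditpol(text):
    """Parse 'auditpol /get /category:*' output into {subcategory: setting}.
    Unindented category headings carry no setting and are skipped."""
    settings = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            settings[m.group("name").strip()] = m.group("setting")
    return settings

def check_baseline(settings):
    """Return (subcategory, actual, expected) for each deviation from BASELINE;
    a subcategory absent from the auditpol output is reported as 'missing'."""
    return [(n, settings.get(n, "missing"), exp)
            for n, exp in BASELINE.items() if settings.get(n, "missing") != exp]

# Constructed sample of auditpol output with three deliberate deviations:
# Logon audits success only, Filtering Platform Connection is still on,
# and Other System Events is absent from the output.
SAMPLE = """Category/Subcategory                      Setting
System
  IPsec Driver                            No Auditing
Logon/Logoff
  Logon                                   Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
Object Access
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           Success and Failure
Policy Change
  Audit Policy Change                     Success and Failure
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
"""
```

Calling check_baseline(parse_auditpol(SAMPLE)) returns the three deviations; an empty list means the host matches the baseline subset.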

  

You may also see additional WFP noise from -->  Other Policy Change Events ==> EventID 5447

We cannot disable these events without possibly missing some desired events that you may want logged.

Windows 2008 Auditing (MSDN) (© 2017 Microsoft, available at https://msdn.microsoft.com, obtained on January 10th, 2017.)

 

-----

 

Additional events can also be tuned out within the LEM under the Event Distribution Policy.

If you do not care about machine-level authentication events or the policy-scope-change events, we suggest tuning them out.

Disable Windows Filtering Platform Alerts Using Alert Distribution Policy

Open the LEM Console -> Manage > Appliances, select Policy from the gear on the left, and uncheck the console/database/warehouse/rules check boxes for:

   Machine Logon          Generic Alert > Audit Alert > Auth Audit > Machine Auth Audit
   Machine Logoff         Generic Alert > Audit Alert > Auth Audit > Machine Auth Audit
   Machine Auth Ticket    Generic Alert > Audit Alert > Auth Audit > Machine Auth Audit
   User Auth Ticket       Generic Alert > Audit Alert > Auth Audit > User Auth Audit
   Policy Scope Change    Generic Alert > Audit Alert > Resource Audit > Policy Audit > Policy Access


Last modified
14:26, 10 Jan 2017
