
Windows Audit Policy and Best Practice

Created by Caroline Juszczak, last modified by Steve.Hawkins on Sep 13, 2016


Windows Audit Policy determines which security events Windows records in the Security log on domain controllers and on the other computers in the domain.

Verbosity is the volume of event data that the enabled audit settings generate; every category or sub-category you turn on adds to it.

See Microsoft's TechNet knowledge base for details on the Windows Audit Policy definitions. The settings recommended on this page were found to be the most effective from both a best-practice and a compliance standpoint, and are based on customer experience and on recommendations from Microsoft.

Requirements

Using the Windows Audit Policy with LEM requires:

  • Windows Server 2003 or higher
  • Permissions to change the Windows Audit Policy at the domain controller and domain level
  • SolarWinds LEM installation

Windows Audit Policy

The following events and descriptions were adapted from information available on the Microsoft TechNet knowledge base. You can query relevant articles on TechNet by searching for audit policy best practice.

Event Description
Audit account logon events Records credential validation (Kerberos and NTLM) for an account. For a domain account these events are written to the Security log of the domain controller that validated the credentials, regardless of which computer the user signed in from; for a local account they are written on the computer that holds the account.
Audit account management Records changes to users, groups and computer accounts, such as account creation and deletion, password resets and group membership changes.
Audit logon events Records logon and logoff sessions on the computer where the session is created. These events are written to the Security log of the computer the user signs in to, even when the user authenticates with a domain account.
Audit object access Records access to objects that carry their own system access control list (SACL), such as files, folders, registry keys and printers. An object generates events only if a SACL has been set on it.
Audit policy change Records changes to local or group security policy, including user rights assignments, audit policy and trust policy.
Audit privilege use Records each time a user exercises a user right (privilege), such as backing up files, loading a driver or debugging a process. This is about the privilege being used, not about access to a particular object; object access is covered by the previous category.
Audit process tracking Records process, service and program starts and stops. Useful for tracking both wanted processes (such as the AV service) and unwanted ones (such as malicious programs).
Audit system events Records startup and shutdown of the computer logging them, along with events that affect the system's security. These are operating-system events and are logged only locally.
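The distinction between account logon events (logged where the account lives) and logon events (logged where the session is created) is easy to verify. The following PowerShell script is an added example, not part of the LEM guide: it counts both kinds of event for one domain user over the last day. The event IDs are Microsoft's documented Security log IDs; $Dc and $User are assumed placeholder values that you must replace.

```powershell
# Added example (not from the SolarWinds LEM guide): show that "account logon"
# events for a domain user are written on the domain controller, while "logon"
# events are written on the computer the user signed in to.
param(
    [string]$Dc    = 'dc01.example.local',   # assumed DC hostname, replace
    [string]$User  = 'alice',                # assumed sAMAccountName, replace
    [int]   $Hours = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Account Logon category: credential validation on the account's authority.
# 4768 = Kerberos TGT requested (Kerberos Authentication Service),
# 4776 = NTLM credential validation (Credential Validation).
$dcFilter = @{ LogName = 'Security'; Id = 4768, 4776; StartTime = $since }
$accountLogon = @(
    Get-WinEvent -ComputerName $Dc -FilterHashtable $dcFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "\b$([regex]::Escape($User))\b" }
)

# Logon/Logoff category: session creation on this computer.
# 4624 = successful logon, 4625 = failed logon. The Logon Type field in the
# message separates interactive (2), network (3) and RDP (10) sessions.
$localFilter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
$logon = @(
    Get-WinEvent -FilterHashtable $localFilter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match "\b$([regex]::Escape($User))\b" }
)

[pscustomobject]@{
    User                = $User
    AccountLogonOnDC    = $accountLogon.Count
    LogonOnThisComputer = $logon.Count
    Window              = "$Hours h"
}
```

Run it on a member server after a domain user has signed in: the Account Logon count comes from the DC's log and the Logon count from the local log, which is why LEM needs agents (or forwarded logs) on both to see the whole picture. Matching on the message text is deliberately simple; for a production query, filter on the TargetUserName field of the event XML instead.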

Best practice

Windows Audit Policy is defined locally for each computer. SolarWinds recommends using Group Policy to manage the Audit Policy at both the domain controller and domain levels.

Set the Windows audit policy

Use the Group Policy Object Editor to set your Windows Audit Policy settings on desktop systems running Windows 7 and servers running Windows Server 2008 and 2012. The following procedure applies to setting up sub-category-level auditing.

  1. Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options, open the setting Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and select Enabled.
  2. Change or set the policies in Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    With the override enabled, only the sub-category settings under Advanced Audit Policy Configuration take effect; the legacy category-level settings under Local Policies > Audit Policy are ignored. Enabling it prevents a category-level setting in one GPO from undoing the sub-category settings in another.

Default Domain Controllers Policy

Select Success and Failure for all policies except:

  • Audit object access
  • Audit privilege use

Default Domain Policy

The Default Domain Policy applies to all computers on your domain except your domain controllers. For this policy, select Success and Failure for:

  • Audit account logon events
  • Audit account management
  • Audit logon events
  • Audit policy change
  • Audit system events

You can also select Success and Failure for Audit process tracking to record critical processes (such as the AV service) and unauthorized programs (such as games or malicious executables). In the sub-category table below, process starts are controlled by Detailed Tracking > Process Creation.

Enabling additional auditing increases the number of events written to the Security log, and your LEM database grows correspondingly as it collects them. Size the LEM storage with this in mind before turning on the more verbose categories.

Bandwidth is a smaller concern. The impact depends on your event volume and available capacity, but because the LEM agent forwards events to the manager as a real-time trickle rather than in large batches, the network impact is normally minimal.
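Before widening the audit policy domain-wide, it helps to measure how fast the Security log already grows on a representative machine. The following PowerShell script is an added example, not part of the LEM guide: it counts Security events over a recent window, extrapolates the daily volume from the log's current on-disk size per record, and lists the event IDs that dominate the volume.

```powershell
# Added example (not from the SolarWinds LEM guide): estimate Security log
# growth so the storage and bandwidth impact of a wider audit policy can be
# judged before it is rolled out. Run on a machine with the candidate policy.
param([int]$Hours = 1)

$log   = Get-WinEvent -ListLog Security          # size, record count, maximum size
$since = (Get-Date).AddHours(-$Hours)

# Get-WinEvent writes an error when the filter matches nothing, hence ErrorAction.
$filter = @{ LogName = 'Security'; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$perHour        = $events.Count / $Hours
# Average on-disk size of one record, derived from the current log file.
$bytesPerRecord = if ($log.RecordCount -gt 0) { $log.FileSize / $log.RecordCount } else { 0 }
$hoursUntilWrap = if ($perHour -gt 0 -and $bytesPerRecord -gt 0) {
    [math]::Round($log.MaximumSizeInBytes / $bytesPerRecord / $perHour, 1)
} else { 'n/a' }

[pscustomobject]@{
    EventsInWindow    = $events.Count
    EventsPerHour     = [math]::Round($perHour)
    EstimatedMBPerDay = [math]::Round($perHour * 24 * $bytesPerRecord / 1MB, 1)
    LogMaximumMB      = [math]::Round($log.MaximumSizeInBytes / 1MB)
    HoursUntilLogWraps = $hoursUntilWrap   # how long until the oldest events are overwritten
} | Format-List

# Which event IDs dominate? Noisy IDs are the first candidates for tightening
# a sub-category (object access is a common offender) or for LEM filtering.
$events | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object {
        [pscustomobject]@{ Id = $_.Name; Count = $_.Count; PerHour = [math]::Round($_.Count / $Hours, 1) }
    } | Format-Table -AutoSize
```

Run it once with the current policy and again after applying the new settings on a pilot machine; the difference in EstimatedMBPerDay multiplied by the number of agents is the additional daily volume LEM will ingest. If HoursUntilLogWraps is short, raise the Security log's maximum size so events are not overwritten before the agent forwards them.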

The sub-category settings below are SolarWinds' recommendation for meeting PCI auditing requirements; they are also a reasonable baseline for other compliance regimes. For more information, see PCI Compliance and Log and Event Manager in the SolarWinds Success Center.

Category / Sub-category                      Setting

System
  Security System Extension                  No Auditing
  System Integrity                           Success and Failure
  IPsec Driver                               No Auditing
  Other System Events                        No Auditing
  Security State Change                      Success and Failure

Logon/Logoff
  Logon                                      Success and Failure
  Logoff                                     Success and Failure
  Account Lockout                            Success and Failure
  IPsec Main Mode                            No Auditing
  IPsec Quick Mode                           No Auditing
  IPsec Extended Mode                        No Auditing
  Special Logon                              Success and Failure
  Other Logon/Logoff Events                  Success and Failure
  Network Policy Server                      No Auditing

Object Access
  File System                                Success and Failure
  Registry                                   Success and Failure
  Kernel Object                              No Auditing
  SAM                                        No Auditing
  Certification Services                     No Auditing
  Application Generated                      No Auditing
  Handle Manipulation                        No Auditing
  File Share                                 Success and Failure
  Filtering Platform Packet Drop             No Auditing
  Filtering Platform Connection              No Auditing
  Other Object Access Events                 No Auditing
  Detailed File Share                        No Auditing

Privilege Use
  Sensitive Privilege Use                    Failure
  Non Sensitive Privilege Use                No Auditing
  Other Privilege Use Events                 No Auditing

Detailed Tracking
  Process Termination                        No Auditing
  DPAPI Activity                             No Auditing
  RPC Events                                 No Auditing
  Process Creation                           No Auditing

Policy Change
  Audit Policy Change                        Success and Failure
  Authentication Policy Change               Success and Failure
  Authorization Policy Change                Success and Failure
  MPSSVC Rule-Level Policy Change            No Auditing
  Filtering Platform Policy Change           No Auditing
  Other Policy Change Events                 Success and Failure

Account Management
  User Account Management                    Success and Failure
  Computer Account Management                Success and Failure
  Security Group Management                  Success and Failure
  Distribution Group Management              Success and Failure
  Application Group Management               Success and Failure
  Other Account Management Events            Success and Failure

DS Access
  Directory Service Changes                  No Auditing
  Directory Service Replication              No Auditing
  Detailed Directory Service Replication     No Auditing
  Directory Service Access                   Failure

Account Logon
  Kerberos Service Ticket Operations         Success and Failure
  Other Account Logon Events                 Success and Failure
  Kerberos Authentication Service            Success and Failure
  Credential Validation                      Success and Failure
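The two-step procedure above (force sub-category settings, then set the sub-categories) and the table of recommended settings can be applied and verified from the command line with auditpol.exe. The following PowerShell script is an added example, not part of the LEM guide: it writes the registry value behind the override setting, applies the table to the local computer and then reports any sub-category whose effective setting differs from the table. The sub-category names are the ones auditpol uses; the baseline hashtable encodes the table above, with everything not listed there set to No Auditing.

```powershell
# Added example (not from the SolarWinds LEM guide): apply the recommended
# sub-category settings with auditpol.exe and verify the effective policy.
# Run from an elevated PowerShell. In production, put the same values in the
# Default Domain Policy / Default Domain Controllers Policy GPO; a local
# auditpol change is overwritten at the next Group Policy refresh.

# Step 1: make sub-category settings override the legacy category settings.
# This is the registry value that the GPO setting "Audit: Force audit policy
# subcategory settings (Windows Vista or later) to override audit policy
# category settings" controls.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord

# Step 2: the recommended settings from the table, keyed by auditpol
# sub-category name. Anything not listed here is treated as "No Auditing".
$baseline = [ordered]@{
    'System Integrity'                   = 'Success and Failure'
    'Security State Change'              = 'Success and Failure'
    'Logon'                              = 'Success and Failure'
    'Logoff'                             = 'Success and Failure'
    'Account Lockout'                    = 'Success and Failure'
    'Special Logon'                      = 'Success and Failure'
    'Other Logon/Logoff Events'          = 'Success and Failure'
    'File System'                        = 'Success and Failure'
    'Registry'                           = 'Success and Failure'
    'File Share'                         = 'Success and Failure'
    'Sensitive Privilege Use'            = 'Failure'
    'Audit Policy Change'                = 'Success and Failure'
    'Authentication Policy Change'       = 'Success and Failure'
    'Authorization Policy Change'        = 'Success and Failure'
    'Other Policy Change Events'         = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'Computer Account Management'        = 'Success and Failure'
    'Security Group Management'          = 'Success and Failure'
    'Distribution Group Management'      = 'Success and Failure'
    'Application Group Management'       = 'Success and Failure'
    'Other Account Management Events'    = 'Success and Failure'
    'Directory Service Access'           = 'Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Other Account Logon Events'         = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Credential Validation'              = 'Success and Failure'
}

function Get-WantedSetting([string]$Subcategory) {
    if ($baseline.Contains($Subcategory)) { $baseline[$Subcategory] } else { 'No Auditing' }
}

# Translate a table value into the /success and /failure switches auditpol expects.
function Set-AuditSubcategory([string]$Name, [string]$Setting) {
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    $argList = @('/set', "/subcategory:$Name", "/success:$success", "/failure:$failure")
    & auditpol.exe @argList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for sub-category '$Name'" }
}

# The effective policy as CSV. Columns include "Subcategory" and
# "Inclusion Setting" (No Auditing / Success / Failure / Success and Failure).
function Get-EffectiveAuditPolicy {
    & auditpol.exe /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
}

# Apply the baseline to every sub-category this Windows version knows about.
# Sub-categories newer than the table (absent from $baseline) are cleared too;
# remove that behaviour if you rely on them.
foreach ($row in Get-EffectiveAuditPolicy) {
    Set-AuditSubcategory -Name $row.Subcategory -Setting (Get-WantedSetting $row.Subcategory)
}

# Verify: list anything whose effective setting still differs from the table.
$drift = foreach ($row in Get-EffectiveAuditPolicy) {
    $wanted = Get-WantedSetting $row.Subcategory
    if ($row.'Inclusion Setting' -ne $wanted) {
        [pscustomobject]@{ Subcategory = $row.Subcategory; Expected = $wanted; Actual = $row.'Inclusion Setting' }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'Effective audit policy matches the recommended baseline.' }
```

The verification half is worth keeping as a scheduled check on its own: if a sub-category drifts from the baseline, either a conflicting GPO or a local change has altered what LEM receives, and the gap shows up in this report long before it shows up as missing events in an investigation.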

 
