Windows Audit Policy determines how much data Windows Security auditing logs on domain controllers and on the other computers that the domain supports.
Verbosity is the amount of data a policy causes to be logged.
See Microsoft's TechNet knowledge base for details on the Windows Audit Policy definitions. The definitions below were found to be the most effective from both a best-practice and a compliance standpoint, and are based on customer experience and recommendations from Microsoft.
Using the Windows Audit Policy with LEM requires:
The following events and descriptions were adapted from information available on the Microsoft TechNet knowledge base. You can query relevant articles on TechNet by searching for audit policy best practice.
| Category | Description |
|---|---|
| Audit account logon events | Represents user logon or logoff instances on a computer logging those events. These events are specifically related to domain logon events and are logged in the security log of the related domain controller. |
| Audit account management | The change management events on a computer. These events include all changes made to users, groups, and machines. |
| Audit logon events | Represents user logon or logoff instances from a computer logging those events. These events are logged in the security log of the local computer onto which the user is logging, even when the user is actually logging onto the domain from their local computer. |
| Audit object access | Tracks users accessing objects that have their own system access control lists. These objects include files, folders, and printers. |
| Audit policy change | Represents instances where local or group policy changed. These changes include user rights assignments, audit policies, and trust policies. |
| Audit privilege use | Tracks users accessing objects based on their privilege level. These objects include files, folders, and printers, or any object with its own system access control list defined. |
| Audit process tracking | Logs all instances of process, service, and program starts and stops. This can be useful for tracking both wanted and unwanted processes, such as AV services and malicious programs. |
| Audit system events | Includes startup and shutdown events on the computer logging them, along with events that affect the system's security. These are operating system events and are only logged locally. |
Windows Audit Policy is defined locally for each computer. SolarWinds recommends using Group Policy to manage the Audit Policy at both the domain controller and domain levels.
Use the Group Policy Object Editor to set your Windows Audit Policy settings on desktop systems running Windows 7 and servers running Windows Server 2008 and 2012. The following procedure applies to setting up sub-category-level auditing.
Change or set the policies in Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
When the Force audit policy subcategory settings option is enabled, the sub-category settings you configure here take effect and the category-level audit settings are ignored.
Select Success and Failure for all policies except:
The Default Domain Policy applies to all computers on your domain except your domain controllers. For this policy, select Success and Failure for:
You can also select Success and Failure for Audit process tracking to track critical processes (such as the AV service) or unauthorized programs (such as games or malicious executable files).
Enabling auditing at this level will increase the number of events in the system logs. As a result, your LEM database will expand quickly as it collects these logs.
There may also be bandwidth implications, depending on your network traffic volume and bandwidth capacity. Because agent traffic is transmitted to the manager as a real-time trickle of data, the bandwidth impact is minimal.
SolarWinds recommends the following settings for meeting PCI auditing requirements; they may also apply to other auditing standards. For more information, see PCI Compliance and Log and Event Manager in the SolarWinds Success Center.
| Category or Sub-category | Setting |
|---|---|
| Security System Extension | No Auditing |
| System Integrity | Success and Failure |
| IPsec Driver | No Auditing |
| Other System Events | No Auditing |
| Security State Change | Success and Failure |
| Logon | Success and Failure |
| Logoff | Success and Failure |
| Account Lockout | Success and Failure |
| IPsec Main Mode | No Auditing |
| IPsec Quick Mode | No Auditing |
| IPsec Extended Mode | No Auditing |
| Special Logon | Success and Failure |
| Other Logon/Logoff Events | Success and Failure |
| Network Policy Server | No Auditing |
| File System | Success and Failure |
| Registry | Success and Failure |
| Kernel Object | No Auditing |
| Certification Services | No Auditing |
| Application Generated | No Auditing |
| Handle Manipulation | No Auditing |
| File Share | Success and Failure |
| Filtering Platform Packet Drop | No Auditing |
| Filtering Platform Connection | No Auditing |
| Other Object Access Events | No Auditing |
| Detailed File Share | No Auditing |
| Sensitive Privilege Use | Failure |
| Non Sensitive Privilege Use | No Auditing |
| Other Privilege Use Events | No Auditing |
| Process Termination | No Auditing |
| DPAPI Activity | No Auditing |
| RPC Events | No Auditing |
| Process Creation | No Auditing |
| Audit Policy Change | Success and Failure |
| Authentication Policy Change | Success and Failure |
| Authorization Policy Change | Success and Failure |
| MPSSVC Rule-Level Policy Change | No Auditing |
| Filtering Platform Policy Change | No Auditing |
| Other Policy Change Events | Success and Failure |
| User Account Management | Success and Failure |
| Computer Account Management | Success and Failure |
| Security Group Management | Success and Failure |
| Distribution Group Management | Success and Failure |
| Application Group Management | Success and Failure |
| Other Account Management Events | Success and Failure |
| Directory Service Changes | No Auditing |
| Directory Service Replication | No Auditing |
| Detailed Directory Service Replication | No Auditing |
| Directory Service Access | Failure |
| Kerberos Service Ticket Operations | Success and Failure |
| Other Account Logon Events | Success and Failure |
| Kerberos Authentication Service | Success and Failure |
| Credential Validation | Success and Failure |
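As an added example (not SolarWinds' own code), the following PowerShell script encodes the table above, checks a computer's effective sub-category settings against it with auditpol.exe, reports any drift, and can apply the recommended values; it also checks the force-subcategory option from the Group Policy procedure earlier. It assumes an elevated session on Windows 7 / Windows Server 2008 or later and that any sub-category not in the table should be No Auditing.

```powershell
# Added example, not SolarWinds' code. Compares the local effective audit
# policy with the recommended sub-category settings and optionally applies
# them with auditpol.exe. Run in an elevated PowerShell session.
param([switch]$Apply)

# Everything not listed here is expected to be "No Auditing", as in the table.
$SF = 'Success and Failure'
$Expected = @{
  'System Integrity' = $SF; 'Security State Change' = $SF; 'Logon' = $SF; 'Logoff' = $SF
  'Account Lockout' = $SF; 'Special Logon' = $SF; 'Other Logon/Logoff Events' = $SF
  'File System' = $SF; 'Registry' = $SF; 'File Share' = $SF
  'Sensitive Privilege Use' = 'Failure'; 'Directory Service Access' = 'Failure'
  'Audit Policy Change' = $SF; 'Authentication Policy Change' = $SF
  'Authorization Policy Change' = $SF; 'Other Policy Change Events' = $SF
  'User Account Management' = $SF; 'Computer Account Management' = $SF
  'Security Group Management' = $SF; 'Distribution Group Management' = $SF
  'Application Group Management' = $SF; 'Other Account Management Events' = $SF
  'Kerberos Service Ticket Operations' = $SF; 'Other Account Logon Events' = $SF
  'Kerberos Authentication Service' = $SF; 'Credential Validation' = $SF
}

# Sub-category settings only take effect when "Force audit policy subcategory
# settings" is enabled; Windows stores it as this LSA registry value (1 = enabled).
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
  Write-Warning 'Force subcategory setting is off; category-level settings still apply.'
}

# auditpol /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting and Exclusion Setting.
$current = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
$drift = foreach ($row in $current) {
  $want = 'No Auditing'
  if ($Expected.ContainsKey($row.Subcategory)) { $want = $Expected[$row.Subcategory] }
  if ($row.'Inclusion Setting' -ne $want) {
    [pscustomobject]@{ Subcategory = $row.Subcategory; Current = $row.'Inclusion Setting'; Expected = $want }
  }
}
if (-not $drift) { Write-Host 'Audit policy matches the recommended settings.' }
else { $drift | Format-Table -AutoSize }

if ($Apply) {
  foreach ($d in $drift) {
    # Map the expected value onto auditpol's separate success/failure switches.
    $s = if ($d.Expected -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($d.Expected -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$($d.Subcategory)" /success:$s /failure:$f | Out-Null
  }
}
```

On domain-joined computers the Group Policy settings described above win again at the next policy refresh, so use -Apply only on a standalone or test machine and manage production systems through Group Policy as recommended.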