Thursday 25 August 2016

How to Configure Windows Auditing - Windows Active Directory Advanced Audit Configuration

Intro
So, you have yourself a new Active Directory environment, or you are looking to remediate your current environment and want to get logging established on the servers. Let me walk you through the following:
  1. Each log configuration
  2. Where to configure it (what group policy, against what host type)
  3. Some interesting items that you may find in the log type.
  4. My notes, if any.
Just to cover off the basics of my setup: I am using Windows Server 2012 R2. If I find that a setting is only configurable in Windows Server 2012 R2 and not in its predecessors, I will try to make a note of it. Also, from time to time I will revisit this guide and make changes to ensure that I am logging what is required to improve the visibility into your own network and to give analysts the ability to detect threats or perform Incident Response.

How to use this guide
Every AD environment is different, especially in where AD objects are placed. Some people keep workstations and servers in the same Organisational Unit (OU) and some keep each service in a separate OU. So what I will do is mention what type of host I expect a group policy to be applied against. To simplify the process I use 2 types of endpoints when it comes to logging: Domain Controllers, and Hosts (everything else, including servers and workstations).

Advanced Audit Policy Configuration
Beginning in Windows Server 2008 R2, the Advanced Audit Policy Configuration was released. To edit it in a GPO, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration. Compared with the original 2003-era audit policy, which had 9 settings, it now offers 53 customisable subcategories, ultimately giving the server admin much more granular control. Advanced Audit Policy Configuration is broken up into 10 categories, each with its own set of subcategories that can be configured:

  1. Account Logon
  2. Account Management
  3. Detailed Tracking
  4. DS Access
  5. Logon/Logoff
  6. Object Access
  7. Policy Change
  8. Privilege Use
  9. System
  10. Global Object Access Auditing
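Once the subcategories are pushed out, the first thing I check is whether the host actually applies them. The script below is an added example (not from the original post or the spreadsheet): it reads the effective audit policy with auditpol, compares a handful of subcategories against an illustrative baseline (the values are assumptions, not the recommended settings), and warns if the legacy category settings are still allowed to override the advanced ones.

```powershell
# Added example, not the author's code. Run from an elevated PowerShell prompt.
# The baseline below is an assumption chosen for illustration, one subcategory
# from several of the 10 categories; substitute your own recommended values.
$baseline = @{
    'Credential Validation'     = 'Success and Failure'   # Account Logon
    'Security Group Management' = 'Success'               # Account Management
    'Process Creation'          = 'Success'               # Detailed Tracking
    'Logon'                     = 'Success and Failure'   # Logon/Logoff
    'Audit Policy Change'       = 'Success and Failure'   # Policy Change
    'Security State Change'     = 'Success'               # System
}

# auditpol /r emits CSV with columns such as "Subcategory" and "Inclusion Setting";
# drop any blank lines before parsing.
$effective = auditpol /get /category:* /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv

$report = foreach ($name in $baseline.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'not found' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $baseline[$name]
        Actual      = $actual
        Compliant   = ($actual -eq $baseline[$name])
    }
}
$report | Sort-Object Compliant, Subcategory | Format-Table -AutoSize

# Advanced subcategory settings only win over the legacy 9-category policy when
# "Audit: Force audit policy subcategory settings ... to override audit policy
# category settings" is enabled, which sets SCENoApplyLegacyAuditPolicy to 1.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory override is not enabled; legacy audit categories may override these settings.'
}
```

Run it on a Domain Controller and on a member server after a gpupdate to confirm each host type received the policy you intended for it.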

Event Log Auditing Table
I have taken the time to dump out a spreadsheet of the event log settings that I recommend. These settings have been combined from the Center for Information Security Benchmark, Microsoft's TechNet article and my own personal experience. If you are keen to review any of these sources, the links are below.

  • https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2012_R2_Benchmark_v2.2.0.pdf
  • https://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx

Link to Spreadsheet
https://drive.google.com/file/d/0B1rXi_hylyatVjU1bWVrR2UxdXM/view?usp=sharing

2 comments:

  1. Nice post! I really like and appreciate your work. Thank you for sharing such useful information about auditing management strategies; keep updating the information. Here I prefer some more information about jobs for your career: hr jobs in hyderabad.

  2. Thanks for sharing Active Directory auditor tips. For more info I refer cion systems Active directory auditor in USA.