(AGD1: FAU_SEL.1) (AGD2: FAU_SEL.1)
Windows 10 Local Administrator Guidance
The following log locations are always enabled (AGD3: FAU_SEL.1):
System
Setup
Security (for startup and shutdown of the audit functions and of the OS and kernel, and clearing the audit log)
The following TechNet topic describes the categories of audits in the Security log:
Advanced Audit Policy Configuration: http://technet.microsoft.com/en-us/library/jj852202(v=ws.10).aspx
The following TechNet topic describes how to select audit policies by category, user and audit success or failure in the Security log:
Auditpol set: https://technet.microsoft.com/en-us/library/cc755264.aspx
For example, to enable all audits in the given subcategories of the Security log, run the following commands at an elevated command prompt:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /success:enable /failure:enable
Configuring IKEv1 and IKEv2 connection properties:
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
Registry changes (modifying TLS Cipher Suite priority):
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
In addition to enabling audit policy as noted above, each registry key to be audited must also have its auditing permissions enabled. This is done as follows:
Start the registry editor tool by executing the command regedit.exe as an administrator
Navigate to the registry path for the key that should be audited, right-click the key’s node and select Permissions… on the key’s context menu to open the Permissions dialog
Click the Advanced button to open the Advanced Security Settings dialog, click on the Auditing tab and click the Add button to open the Auditing Entry dialog
Click Select a principal to open the Select User or Group dialog, select a user (e.g. Administrator) and click OK
Choose the desired audits using the Type, Applies to and Basic Permissions attributes and click OK
Click OK on the Advanced Security Settings dialog
Click OK on the Permissions dialog
The following is the list of registry keys that must be audited:
HKEY_LOCAL_MACHINE\Software\Microsoft\PolicyManager
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SettingSync\DisableSettingSync
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
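The following script is an added example and is not part of the Microsoft guidance. It applies the auditpol subcategories listed above in one pass and then performs the regedit steps (adding an auditing entry to each of the four registry keys) from PowerShell instead of the GUI. The guidance leaves the principal and the audited permissions to the administrator; this example assumes "Everyone" audited for success and failure on SetValue, CreateSubKey, Delete and ChangePermissions, inherited by subkeys. It must be run from an elevated PowerShell prompt, since writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example (not Microsoft's guidance): audit policy plus registry SACLs.
# Run elevated. Assumed choices: principal "Everyone", rights listed below.

$subcategories = @(
    'Logon',
    'Audit Policy Change',
    'IPsec Main Mode',
    'IPsec Quick Mode',
    'Filtering Platform Policy Change',
    'Other Policy Change Events',
    'Registry'
)

# Same auditpol.exe commands as in the guidance, looped over the subcategories.
foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# The four keys from the guidance, as PowerShell registry provider paths.
$keys = @(
    'HKLM:\Software\Microsoft\PolicyManager',
    'HKLM:\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions',
    'HKLM:\Software\Policies\Microsoft\Windows\SettingSync\DisableSettingSync',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

# Assumed auditing entry: Everyone, success and failure, write-type rights,
# inherited by subkeys (ContainerInherit; registry keys have no ObjectInherit).
$rights = [System.Security.AccessControl.RegistryRights]::SetValue -bor
          [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
          [System.Security.AccessControl.RegistryRights]::Delete -bor
          [System.Security.AccessControl.RegistryRights]::ChangePermissions
$auditFlags = [System.Security.AccessControl.AuditFlags]::Success -bor
              [System.Security.AccessControl.AuditFlags]::Failure
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    $auditFlags
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) {
        # Policy keys may not exist until a policy has been applied; report it
        # rather than silently leaving the key unaudited.
        Write-Warning "Key not present, no SACL applied: $key"
        continue
    }
    # -Audit makes Get-Acl read the SACL; without it the audit entry is lost.
    $acl = Get-Acl -Path $key -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# Verification: effective audit policy and the SACL now present on each key.
& auditpol.exe /get /category:*
foreach ($key in $keys) {
    if (Test-Path -Path $key) {
        Write-Host "Audit entries on $key"
        (Get-Acl -Path $key -Audit).GetAuditRules($true, $true,
            [System.Security.Principal.NTAccount]) |
            Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize
    }
}
```

Rights such as SetValue and CreateSubKey correspond to the Basic Permissions shown in the Auditing Entry dialog; auditing ReadKey as well would log every policy read and fill the Security log quickly, which is why this example audits only write-type operations.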
To enable/disable TLS and DTLS event logging in the System Event Log, browse to the following link and see How to enable Schannel event logging:
https://technet.microsoft.com/en-us/library/Dn786445.aspx
To enable/disable event logging in the Application and Services Logs, see the following link describing how to enumerate the log names and set their security descriptor and enabled state:
Wevtutil: http://technet.microsoft.com/en-us/library/cc732848.aspx
To view audit logs, see the following links (AGD1: FMT_SMF_EXT.1(32)):
Get-EventLog: http://technet.microsoft.com/en-us/library/hh849834.aspx
Get-WinEvent: https://technet.microsoft.com/en-us/library/hh849682.aspx?f=255&MSPPError=-2147217396
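As an added example (not part of the Microsoft guidance), the script below uses Get-WinEvent to read back the Security log entries that the configuration above produces, so an administrator can confirm the audits are actually being recorded. The event IDs are standard Windows Security audit IDs (4719 system audit policy changed, 4657 registry value modified, 4663 object access attempted, 4624/4625 logon success/failure); the time window and event cap are assumed parameters. Reading the Security log requires an elevated prompt or membership in the Event Log Readers group.

```powershell
# Added example (not Microsoft's guidance): review Security log audit events.
param(
    [int]$Hours = 24,       # assumed default look-back window
    [int]$MaxEvents = 200   # assumed cap on events retrieved
)

# FilterHashtable is evaluated by the event log service, so it is far cheaper
# than piping every Security event through Where-Object.
$filter = @{
    LogName   = 'Security'
    Id        = 4719, 4657, 4663, 4624, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent raises a non-terminating error when nothing matches; treat that
# as an empty result instead of a failure.
$events = @(Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    Write-Host "No matching Security events in the last $Hours hours."
    return
}

# Registry audit events (4657/4663) carry the key path in their XML payload as
# ObjectName; extract it so the table shows which key was touched.
$events | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
        Subject = $data['SubjectUserName']
        Object  = if ($data.ContainsKey('ObjectName')) { $data['ObjectName'] } else { '' }
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

A run of 4719 events outside a change window is worth investigating on its own, since an attacker who wants to hide registry changes would first have to turn the audit policy off, and that action is itself logged.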