Audit Policies and Subcategories
An Audit policy determines which security events to report to administrators to establish a record of user or system activity based on specified event categories. Administrators can monitor security-related activity, such as who accesses an object, when users log on to or log off from computers, or if changes are made to an Audit policy setting. For all of these reasons, Microsoft recommends that you form an Audit policy for an administrator to implement in your environment.
However, before you implement an Audit policy you must investigate which event categories to audit in your environment. The audit settings you choose within the event categories define your Audit policy. Then an administrator can create an Audit policy to meet the security needs of your organization.
If you do not configure audit settings, it will be difficult or impossible to determine what took place during a security incident. However, if you configure audit settings so that too many authorized activities generate events, the Security event log will fill up with too much data. The information in the following sections of this appendix is designed to help you decide what to monitor to facilitate the collection of relevant audit data for your organization.
Windows Server® 2008 includes the same nine Audit policy categories that are present in earlier versions of Windows:
System
Logon/Logoff
Object Access
Privilege Use
Detailed Tracking
Policy Change
Account Management
Directory Service Access
Account Logon
However, Windows Server 2008 allows you to manage Audit policy in a more precise way by including 50 Audit policy subcategories. Although not all subcategories apply to Windows Server 2008–based computers, you can configure many of them to record specific events that provide valuable information.
Configuring Audit Policy Settings
In the past, you could easily configure any of the nine audit categories using Group Policy. Although the same method is possible with Windows Server 2008, you cannot individually configure the new audit subcategories using the Group Policy Management Console (GPMC) because the subcategories are not exposed in the GPMC. If you enable any of the audit category settings in Windows Server 2008 that are present in the GPMC, this action also enables subcategory settings related to each category. For this reason, enabling Audit policy settings by category will likely cause excessive audit logging that will quickly fill up your event logs.
Microsoft recommends configuring only necessary audit subcategory settings using a command-line tool included in Windows Server 2008 called AuditPol.exe. Using a command-line tool to implement prescribed Audit policy settings across many computers is difficult. For more information about using scripts to automate detailed Audit policy settings for computers running Windows Vista or Windows Server 2008, see "How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain": Microsoft Knowledge Base article 921469.
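As an added example (not part of the security guide or of any Microsoft tool), the following PowerShell script shows the subcategory-level approach the paragraph above recommends: it backs up the current policy, sets a handful of subcategories with AuditPol.exe instead of enabling whole categories through the GPMC, and reads each effective setting back with auditpol /get /r to confirm it. The subcategory names and the values are the EC member server recommendations from the tables later in this appendix; the function names, the backup path and the assumption of PowerShell 2.0 or later in an elevated session are the example's own.

```powershell
# Added example (not from the security guide): apply Audit policy subcategory
# settings with AuditPol.exe and verify the effective result. Run elevated.
# The values are the EC member server recommendations from the tables in this
# appendix; which subcategories to include is an assumption for illustration.

$BackupFile = 'C:\Temp\auditpol-before.csv'   # constructed path; lets you restore with auditpol /restore

$Recommended = @{
    'Security System Extension' = 'Success and Failure'
    'System Integrity'          = 'Success and Failure'
    'Logon'                     = 'Success'
    'Logoff'                    = 'Success'
    'Process Creation'          = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
    'Credential Validation'     = 'Success'
    'Sensitive Privilege Use'   = 'No Auditing'
}

function Set-AuditSubcategory {
    param([string]$Name, [string]$Setting)
    # Translate the table wording ("Success", "Failure", "Success and Failure",
    # "No Auditing") into auditpol's /success and /failure switches.
    $success = if ($Setting -match 'Success') { 'enable' } else { 'disable' }
    $failure = if ($Setting -match 'Failure') { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$Name" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$Name'" }
}

function Get-AuditSubcategory {
    param([string]$Name)
    # /r emits CSV with the columns Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting (ConvertFrom-Csv needs PowerShell 2.0+).
    $row = & auditpol.exe /get /subcategory:"$Name" /r |
        Where-Object { $_ -ne '' } | ConvertFrom-Csv
    return $row.'Inclusion Setting'
}

# Keep a restorable copy of the policy before touching it.
New-Item -Path (Split-Path $BackupFile) -ItemType Directory -Force | Out-Null
& auditpol.exe /backup /file:$BackupFile | Out-Null

foreach ($entry in $Recommended.GetEnumerator()) {
    Set-AuditSubcategory -Name $entry.Key -Setting $entry.Value
    $effective = Get-AuditSubcategory -Name $entry.Key
    # String comparison in PowerShell is case-insensitive, so "No Auditing" matches "No auditing".
    $status = if ($effective -eq $entry.Value) { 'OK' } else { 'MISMATCH' }
    '{0,-28} wanted: {1,-20} effective: {2,-20} {3}' -f $entry.Key, $entry.Value, $effective, $status
}
```

Because the script is idempotent, it can be attached as a computer startup script in the way Knowledge Base article 921469 describes, and the MISMATCH column gives you a quick drift check on machines where a category-level Group Policy setting has silently re-enabled every subcategory.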
The following tables summarize the Audit policy setting recommendations for servers in the two types of secure environments discussed in this guide. Review these recommendations and adjust them as appropriate for your organization. Information about how to modify and remove the Audit policy settings that the GPOs configure appears after the Audit policy setting tables.
Note Microsoft recommends taking extra caution in using Audit settings that can generate large volumes of traffic. For example, if you enable either success or failure auditing for all of the Privilege Use subcategory settings, the high volume of audit events these settings generate will make it difficult to find other types of entries in the Security event log. Such a configuration could also have a significant negative effect on performance.
Audit Policy Subcategories
The following sections provide a brief description of each Audit policy. The tables in each section include recommendations for domain controllers in the two types of secure environments discussed in this guide.
Note Descriptions for each Audit policy subcategory are not provided in this appendix. For additional information on the available Audit policy subcategories and related security events, see "Description of security events in Windows Vista and in Windows Server 2008": Microsoft Knowledge Base article 947226.
System
The System audit category in Windows Server 2008 allows you to monitor system events that succeed and fail, and provides a record of these events that may help determine instances of unauthorized system access. System events include starting or shutting down computers in your environment, full event logs, or other security-related events that affect the entire system.
The System audit category contains subcategories defined in the following table, along with configuration recommendations for each one.
Table 2.1 System Audit Policy Subcategory Recommendations

Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server
--- | --- | --- | --- | ---
§ Security System Extension | Success and Failure | Success and Failure | Success and Failure | Success and Failure
§ System Integrity | Success and Failure | Success and Failure | Success and Failure | Success and Failure
§ IPsec Driver | Success and Failure | Success and Failure | Success and Failure | Success and Failure
§ Other System Events | No auditing | No auditing | No auditing | No auditing
§ Security State Change | Success and Failure | Success and Failure | Success and Failure | Success and Failure

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
Logon/Logoff
The Logon/Logoff audit category in Windows Server 2008 generates events that record the creation and destruction of logon sessions. These events occur on the accessed computer. For interactive logons, the generation of these events occurs on the computer that is logged on to. If a network logon takes place to access a share, these events generate on the computer that hosts the accessed resource.
If you configure the Audit logon events setting to No auditing, it is difficult or impossible to determine which users have accessed or attempted to access your organization's computers.
The Logon/Logoff events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.
Table 2.2 Logon/Logoff Audit Policy Subcategory Recommendations

Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server
--- | --- | --- | --- | ---
§ Logon | Success | Success and Failure | Success | Success and Failure
§ Logoff | Success | Success | Success | Success
§ Account Lockout (Note: No events map to this category.) | No auditing | No auditing | No auditing | No auditing
§ IPsec Main Mode | No auditing | No auditing | No auditing | No auditing
§ IPsec Quick Mode | No auditing | No auditing | No auditing | No auditing
§ IPsec Extended Mode | No auditing | No auditing | No auditing | No auditing
§ Special Logon | Success | Success | Success | Success
§ Other Logon/Logoff Events | No auditing | No auditing | No auditing | No auditing
§ Network Policy Server | No auditing | No auditing | No auditing | No auditing

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
Object Access
By itself, the Object Access audit category in Windows Server 2008 will not audit any events. Settings in this category determine whether to audit when a user accesses an object—for example, a file, folder, registry key, or printer—that has a specified system access control list (SACL), which effectively enables auditing to occur.
Access control entries (ACEs) comprise a SACL. Each ACE contains three pieces of information:
The security principal (user, computer, or group) to be audited.
The specific access type to be audited, called an access mask.
A flag to indicate whether to audit failed access events, successful access events, or both.
If you configure the Audit object access setting to Success, an audit entry is generated each time that a user successfully accesses an object with a specified SACL. If you configure this policy setting to Failure, an audit entry is generated each time that a user fails an attempt to access an object with a specified SACL.
Organizations should define only the actions that they want enabled when they configure SACLs. For example, you might want to enable the Write and Append Data auditing setting on executable files to track when they are changed or replaced, because computer viruses, worms, and Trojan horses typically target executable files. Similarly, you might want to track when sensitive documents are accessed or changed.
The Object Access events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.
Table 2.3 Object Access Audit Policy Subcategory Recommendations

Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server
--- | --- | --- | --- | ---
§ File System | No auditing | Failure | No auditing | Failure
§ Registry | No auditing | Failure | No auditing | Failure
§ Kernel Object | No auditing | No auditing | No auditing | No auditing
§ SAM | No auditing | No auditing | No auditing | No auditing
§ Certification Services | No auditing | No auditing | No auditing | No auditing
§ Application Generated | No auditing | No auditing | No auditing | No auditing
§ Handle Manipulation | No auditing | No auditing | No auditing | No auditing
§ File Share | No auditing | No auditing | No auditing | No auditing
§ Filtering Platform Packet Drop | No auditing | No auditing | No auditing | No auditing
§ Filtering Platform Connection | No auditing | No auditing | No auditing | No auditing
§ Other Object Access Events | No auditing | No auditing | No auditing | No auditing

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
Configuring and Testing Object Access Audit Rules
The following procedures describe how to configure audit rules on a file or folder, and how to test each audit rule for each object in the specified file or folder.
Note You must use Auditpol.exe to configure the File System subcategory to audit Success and Failure events. Then you can use the following procedure to log events in the Security event log.
To define an audit rule for a file or folder

1. Use Windows Explorer to locate the file or folder, and then click it.
2. On the File menu, click Properties.
3. Click the Security tab, and then click the Advanced button.
4. Click the Auditing tab.
5. If prompted for administrative credentials, click Continue, type your user name and password, and then press ENTER.
6. Click the Add button to display the Select User, Computer, or Group dialog box.
7. Click the Object Types button, and then in the Object Types dialog box, select the object types you want to find.
Note The User, Group, and Built-in security principal object types are selected by default.
8. Click the Locations button, and then in the Locations dialog box, select either your domain or the local computer.
9. In the Select User, Computer, or Group dialog box, under Enter the object names to select, type the name of the group or user you want to audit (for example, Authenticated Users, to audit the access of all authenticated users), and then click OK.
The Auditing Entry dialog box appears.
10. In the Auditing Entry dialog box, determine the type of access you want to audit on the file or folder.
Note Remember that each object access may generate multiple events in the event log and cause it to grow rapidly.
11. In the Auditing Entry dialog box, next to List Folder/Read Data, select Successful and Failed, and then click OK.
You can view the audit entries you enabled on the Auditing tab of the Advanced Security Settings dialog box.
12. Click OK to close the Properties dialog box.

To test an audit rule for a file or folder

1. Open the file or folder.
2. Close the file or folder.
3. Start Event Viewer. Several Object Access events with Event ID 4663 will appear in the Security event log.
4. Double-click the events as needed to view their details.
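As an added example (not part of the security guide), the following PowerShell script performs the two procedures above from the command line and also makes the SACL structure described under Object Access concrete: it adds one access control entry (principal, access mask, success/failure flags) for Authenticated Users on a folder, touches the folder so the entry fires, and then pulls the resulting Event ID 4663 records from the Security log. The folder path and file name are constructed for the example; the script assumes PowerShell 2.0 or later (for Get-WinEvent), an elevated session, and that the File System subcategory has already been set to Success and Failure with AuditPol.exe as the note above requires.

```powershell
# Added example (not from the security guide): define and test a file system
# audit rule without the Explorer dialogs. Run elevated; Set-Acl needs the
# SeSecurityPrivilege to write a SACL.

$Folder = 'C:\AuditTest'   # constructed sample path for the example

function Add-FolderReadAudit {
    param([string]$Path)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -ItemType Directory | Out-Null }

    # One ACE in the SACL: the principal to audit, the access mask (List Folder/Read Data),
    # inheritance to the files and subfolders below, and whether to audit success, failure or both.
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Authenticated Users',
        [System.Security.AccessControl.FileSystemRights]::ReadData,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')

    $acl = Get-Acl -Path $Path -Audit          # -Audit is required to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl

    # Return the effective audit entries so the caller can confirm what Explorer would show
    # on the Auditing tab of Advanced Security Settings.
    return (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

function Test-FolderReadAudit {
    param([string]$Path)
    $since = (Get-Date).AddSeconds(-5)

    # Open and close an object under the audited folder, as steps 1 and 2 of the test procedure do.
    $file = Join-Path $Path 'sample.txt'
    'constructed sample content' | Set-Content -Path $file
    Get-Content -Path $file | Out-Null
    Get-ChildItem -Path $Path | Out-Null

    # Event ID 4663 is the Object Access event the guide says to look for. Filter on the
    # message text so only entries for this folder are returned.
    return Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($Path) } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Add-FolderReadAudit -Path $Folder | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
Test-FolderReadAudit -Path $Folder | Format-Table -AutoSize
```

If Test-FolderReadAudit returns nothing, check the File System subcategory with auditpol /get /subcategory:"File System" before suspecting the SACL: the SACL only decides which accesses are candidates for auditing, and the subcategory setting decides whether any of them are written to the log.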
Privilege Use
The Privilege Use audit category in Windows Server 2008 determines whether to audit each instance of a user exercising a user right. If you configure these settings to Success, an audit entry is generated each time that a user right is exercised successfully. If you configure these settings to Failure, an audit entry is generated each time that a user right is exercised unsuccessfully. These policy settings can generate a very large number of event records.
The Privilege Use events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.
Table 2.4 Privilege Use Audit Policy Subcategory Recommendations

Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server
--- | --- | --- | --- | ---
§ Sensitive Privilege Use | No auditing | Success and Failure | No auditing | Success and Failure
§ Non Sensitive Privilege Use | No auditing | No auditing | No auditing | No auditing
§ Other Privilege Use Events | No auditing | No auditing | No auditing | No auditing

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
Detailed Tracking
The Detailed Tracking audit category in Windows Server 2008 determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access. Enabling Audit process tracking generates a large number of events, so it is typically set to No Auditing. However, this setting can be of great benefit during an incident response, because the log then records which processes started and when.
The Detailed Tracking events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.
Table 2.5 Detailed Tracking Audit Policy Subcategory Recommendations

Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server
--- | --- | --- | --- | ---
§ Process Termination | No auditing | No auditing | No auditing | No auditing
§ DPAPI Activity | No auditing | No auditing | No auditing | No auditing
§ RPC Events | No auditing | No auditing | No auditing | No auditing
§ Process Creation | Success | Success | Success | Success

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
Policy Change
The Policy Change audit category in Windows Server 2008 determines whether to audit every incident of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the Audit policy itself. The recommended settings would let you see any account privileges that an attacker attempts to elevate—for example, if an attacker were to attempt to turn off auditing, that change itself would be recorded.
The Policy Change events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.
Table 2.6 Policy Change Audit Policy Subcategory Recommendations

Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server
--- | --- | --- | --- | ---
§ Audit Policy Change | Success and Failure | Success and Failure | Success and Failure | Success and Failure
§ Authentication Policy Change | Success | Success | Success | Success
§ Authorization Policy Change | No auditing | No auditing | No auditing | No auditing
§ MPSSVC Rule-Level Policy Change | No auditing | No auditing | No auditing | No auditing
§ Filtering Platform Policy Change | No auditing | No auditing | No auditing | No auditing
§ Other Policy Change Events | No auditing | No auditing | No auditing | No auditing

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
Account Management
The Account Management audit category in Windows Server 2008 helps you track attempts to create new users or groups, rename users or groups, enable or disable user accounts, change account passwords, and enable auditing for Account Management events. If you enable this Audit policy setting, administrators can track events to detect malicious, accidental, and authorized creation of user and group accounts.
The Account Management events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.
Table 2.7 Account Management System Audit Policy Subcategory Recommendations

Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server
--- | --- | --- | --- | ---
User Account Management | Success | Success and Failure | Success | Success and Failure
Computer Account Management | Success | Success and Failure | Success | Success and Failure
Security Group Management | Success | Success and Failure | Success | Success and Failure
Distribution Group Management | No auditing | No auditing | No auditing | No auditing
Application Group Management | No auditing | No auditing | No auditing | No auditing
Other Account Management Events | Success | Success and Failure | Success | Success and Failure

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
Directory Service Access
The Directory Service Access audit category in Windows Server 2008 applies only to domain controllers. For this reason, the Directory Service Access audit category and all related subcategories are configured to No Auditing for member servers in both environments discussed in the security guide.
The Directory Service Access events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.
Table 2.8 Directory Service Access Audit Policy Subcategory Recommendations

Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server
--- | --- | --- | --- | ---
§ Directory Service Access | Success | Success and Failure | No auditing | No auditing
§ Directory Service Changes | Success | Success and Failure | No auditing | No auditing
§ Directory Service Replication | No auditing | No auditing | No auditing | No auditing
§ Detailed Directory Service Replication | No auditing | No auditing | No auditing | No auditing

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.
Account Logon
The Account Logon audit category in Windows Server 2008 generates events for credential validation. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative. In domain environments, most of the Account Logon events occur in the Security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on.
The Account Logon events audit category contains subcategories defined in the following table, along with configuration recommendations for each one.
Table 2.9 Account Logon Audit Policy Subcategory Recommendations

Audit policy subcategory | EC domain controller | SSLF domain controller | EC member server | SSLF member server
--- | --- | --- | --- | ---
§ Kerberos Authentication Service | No auditing | No auditing | No auditing | No auditing
§ Credential Validation | Success | Success and Failure | Success | Success and Failure
§ Kerberos Service Ticket Operations | No auditing | No auditing | No auditing | No auditing
§ Other Account Logon Events (Note: No events map to this category.) | No auditing | No auditing | No auditing | No auditing

Note § - Denotes Group Policy settings that are new in Windows Vista or Windows Server 2008.