| System audit policy | |
| Category/Subcategory | Setting |
| System | |
| Security System Extension | No Auditing |
| System Integrity | Success and Failure |
| IPsec Driver | No Auditing |
| Other System Events | Success and Failure |
| Security State Change | Success |
| Logon/Logoff | |
| Logon | Success and Failure |
| Logoff | Success |
| Account Lockout | Success |
| IPsec Main Mode | No Auditing |
| IPsec Quick Mode | No Auditing |
| IPsec Extended Mode | No Auditing |
| Special Logon | Success |
| Other Logon/Logoff Events | No Auditing |
| Network Policy Server | Success and Failure |
| Object Access | |
| File System | Success and Failure |
| Registry | Success and Failure |
| Kernel Object | No Auditing |
| SAM | No Auditing |
| Certification Services | No Auditing |
| Application Generated | No Auditing |
| Handle Manipulation | No Auditing |
| File Share | Success and Failure |
| Filtering Platform Packet Drop | No Auditing |
| Filtering Platform Connection | No Auditing |
| Other Object Access Events | No Auditing |
| Privilege Use | |
| Sensitive Privilege Use | No Auditing |
| Non Sensitive Privilege Use | No Auditing |
| Other Privilege Use Events | No Auditing |
| Detailed Tracking | |
| Process Termination | No Auditing |
| DPAPI Activity | No Auditing |
| RPC Events | No Auditing |
| Process Creation | No Auditing |
| Policy Change | |
| Audit Policy Change | Success |
| Authentication Policy Change | Success |
| Authorization Policy Change | No Auditing |
| MPSSVC Rule-Level Policy Change | No Auditing |
| Filtering Platform Policy Change | No Auditing |
| Other Policy Change Events | No Auditing |
| Account Management | |
| User Account Management | Success |
| Computer Account Management | Success |
| Security Group Management | Success |
| Distribution Group Management | No Auditing |
| Application Group Management | No Auditing |
| Other Account Management Events | No Auditing |
| DS Access | |
| Directory Service Changes | Success and Failure |
| Directory Service Replication | No Auditing |
| Detailed Directory Service Replication | No Auditing |
| Directory Service Access | Success |
| Account Logon | |
| Kerberos Service Ticket Operations | Success |
| Other Account Logon Events | No Auditing |
| Kerberos Authentication Service | Success |
| Credential Validation | Success |
Sunday, January 19, 2020
Windows Server System Audit Policy
For every task we do corresponding logs are generated. However, not all events in windows events are important. So, we need to make sure that we have optimum set of auditing enabled in our infrastructure. This will allow us to do much of forensic analysis by using simple tool like SIEM. So, here are the list of audit policy that needs to be atleast configured in your network. The list below is the minimum set of recommended settings and it can vary according to your organizations needs. Feel free to edit according to your requirements.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment