Security, et al

I’m frequently asked what the best audit policy is Windows. As you know there are 9 different audit policies you can enable for Success and/or Failure. While I recommend some of those policies be enabled no matter what there are others that depend on the type of Windows system you’re dealing with as well as your own requirements so here goes.

First, I recommend you use this as your base policy for all computers:

System Events - S/F Policy Change - S/F Account Management - S/F Privilege Use - Disabled Logon/Logoff - S/F

System Events generates few events but a number of them are important such as time changes and system shutdown and startup.

Policy Changes provides notification of important security policy changes such as rights assignments and more. It doesn’t generate too many events and is very valuable.

Account Management is an awesome category because it gives you easy to understand notifications of all changes to users, groups, and, in the case of domain controllers, computer accounts. On domain controllers, events from this category signify changes to domain accounts while on member servers and workstations they reflect local SAM account changes.

The Privilege Use category generates a lot of noise and very little in the way of value. I almost always disable this policy.

Logon/Logoff events tell you about all attempts to get access to the local computer whether with a local SAM account or a domain account. This policy gives better logon failure reasons than Account Logon.

Policies to enable on Domain Controllers

Directory Service - S/F

This policy only has effect on Domain Controllers so it doesn’t matter how you configure it on workstations and member servers. I suggest enabling this policy on Domain Controllers since it allows you to track changes to group policy and delegated administrator permissions. Be aware however that you need to enable auditing of at the object level on the domainDNS, organizationUnit and groupPolicyContainer classes.

Account Logon - S/F

On domain controllers this policy will give you a complete audit trail of all attempts to authenticate with a domain account any where on the network. Any events from this category on non domain controllers signifies an attempt to logon with a local SAM account but you can detect the local account logon attempts using the Logon/Logoff category by comparing the Domain in the event’s description to the Computer name in the event header.

Other Policies

Process Tracking

I suggest enabling this policy on all workstations, Terminal Servers and any other system where you want a complete audit trail of all programs executed.

Object Access

You’ll need to enable this policy on any systems where you will be auditing files and folders or registry keys.