Advanced Audit Policy Configuration Quick Reference


Quick Reference Guide
Windows Advanced Audit Policy Configuration
Publication Date: August 18, 2021
Copyright Netsurion. All Rights Reserved.

Abstract

This document describes the security audit policy settings available in Windows Server 2008 onwards and Windows 7 onwards, and the audit events they generate. Advanced audit policy settings let you select only the behavior you want to monitor and exclude audit results for other behaviors. Security audit policies can be applied through domain Group Policy, and the audit policy settings can be modified, tested, and deployed to selected users and groups.

Click the following link to learn more about Windows Advanced Audit Policy Configuration: Windows Advanced Audit Policy Configuration (netsurion.com)

Audience

This guide is intended for all EventTracker users responsible for investigating and managing network security. It assumes that you have EventTracker access and an understanding of networking technologies.

Table of Contents

1. Account Logon
2. Account Management
3. Detailed Tracking
4. DS Access
5. Logon / Logoff
6. Object Access
   6.1 Configuration
   6.2 Recommended folders to audit
   6.3 Exclude folders from auditing
   6.4 Visualization
7. Policy Change
8. Privilege Use
9. System
10. Global Object Access Auditing
About Netsurion
Contact Us

1. Account Logon

   Subcategory                                Success   Failure
   Audit Credential Validation                Enable    Enable
   Kerberos Authentication Service            Enable    Enable
   Audit Kerberos Service Ticket Operations   Enable    Enable
   Audit Other Account Logon Events           Enable    Enable

2. Account Management

   Subcategory                                Success   Failure
   Application Group Management               Enable    Enable
   Computer Account Management                Enable    Enable
   Distribution Group Management              Enable    Enable
   Audit Other Account Management Events      Enable    Enable
   Security Group Management                  Enable    Enable
   User Account Management                    Enable    Enable

3. Detailed Tracking

   Subcategory                                Success   Failure
   DPAPI Activity                             Disable   Disable
   Process Creation                           Enable    Enable
   Process Termination                        Enable    Enable
   RPC Events                                 Enable    Enable

   Note: Process Creation events (4688) carry the process command line only when "Include command line in process creation events" (Administrative Templates > System > Audit Process Creation) is also enabled.

4. DS Access

   Subcategory                                Success   Failure
   Detailed Directory Service Replication     Disable   Disable
   Directory Service Access                   Enable    Enable
   Directory Service Changes                  Enable    Enable
   Directory Service Replication              Disable   Disable

5. Logon / Logoff

   Subcategory                                Success   Failure
   Account Lockout                            Enable    Enable
   IPsec Extended Mode                        Disable   Disable
   IPsec Main Mode                            Disable   Disable
   IPsec Quick Mode                           Disable   Disable
   Account Logoff                             Enable    Enable
   Account Logon                              Enable    Enable
   Network Policy Server (NPS)                Enable    Enable
   Other Logon/Logoff Events                  Enable    Enable
   Special Logon                              Enable    Enable

6. Object Access

   Subcategory                                Success   Failure
   Application Generated                      Enable    Enable
   Certification Services                     Enable    Enable
   Detailed File Share                        Disable   Disable
   File Share                                 Enable    Enable
   File System                                Enable    Enable
   Filtering Platform                         Disable   Disable
   Filtering Platform Packet Drop             Disable   Disable
   Handle Manipulation                        Disable   Disable
   Kernel Object                              Enable    Enable
   Other Object Access Events                 Optional* Optional*
   Registry                                   Enable    Enable
   SAM - Security Accounts Manager            Disable   Disable

   * If you choose to track Scheduled Tasks through auditing, turn this audit subcategory on.

6.1 Configuration

These are the recommended settings to capture what is needed security-wise while keeping the noise to a minimum. The file system entries below only produce events when the Object Access > File System subcategory above is enabled.

1. Select the folder or file you wish to audit. Right-click it, select Properties, open the Security tab and click the Advanced button.
2. Open the Auditing tab and click Add. Enter the following values:
   Principal: Everyone
   Type: Success
   Applies to: "This folder and files" or "This folder, subfolders and files"
3. Click "Show advanced permissions" and select only:
   - Create files / write data
   - Create folders / append data
   - Write extended attributes
   - Delete
   - Change permissions
   - Take ownership
4. Click OK.

6.2 Recommended folders to audit

Apply the audit entry from 6.1 with the scope shown below. Some paths are truncated in the source and are marked with "…".

This folder and files only (auditing of the subfolders is not recommended):
   C:\Boot
   C:\Perflogs
   Any anti-virus folder(s) used for quarantine, etc.
   C:\Users\All …
   C:\Users\Public

This folder, subfolders and files:
   C:\Program Files
   C:\Program Files\Internet Explorer
   C:\Program Files\Common Files
   C:\Program Files (x86)
   C:\Program Files (x86)\Common …
   …ows\System
   C:\Windows\System32\GroupPolicy\Machine\Scripts
   C:\Windows\System32\GroupPolicy\User\Scripts
   C:\Windows\System32\Repl (only on …)
   …ws\SysWOW64\WindowsPowerShell\v1.0

Files are often added or changed by attackers and malware. By auditing key file and folder locations, any additions or changes made by an attacker are captured in the logs, which is valuable for both alerting and forensics.

6.3 Exclude folders from auditing

After setting auditing on the parent folder, remove auditing from the following folders to reduce the noise, for example:
   C:\ProgramData\<Anti-Virus>\CommonFramework (insert your AV …)
   …ary Internet …
   …w\Microsoft\ …
   …rome\User Data
   Any other folder that would generate a large volume of noise events.

6.4 Visualization

Each change to a monitored folder or file generates Security log Event ID 4663 ("An attempt was made to access an object") with the details of the access: the account and process that performed it, the object name and the access mask exercised (for example WriteData or DELETE). Event 4663 is written only when the Object Access > File System subcategory (section 6) is enabled and the folder carries a matching audit entry from 6.1. Using this event, you can generate alerts or visualize the data through dashboards and reports.
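The procedure in 6.1 through 6.4 as one PowerShell script. This is an added example, not code from the Netsurion guide: it builds the 6.1 audit entry with .NET's FileSystemAuditRule, applies it with either "Applies to" scope from 6.2, blocks inheritance on a 6.3 noise folder, reads the resulting SACL back, and pulls the 4663 events of 6.4 from the Security log. The folder lists and the anti-virus path are stand-ins for the tables above (the AV path is hypothetical); the function names are this example's own. It must run elevated, because reading and writing SACLs needs SeSecurityPrivilege, and Object Access > File System auditing must be enabled or no 4663 is written.

```powershell
# Added example (not from the Netsurion guide): SACL setup for sections 6.1-6.3 and
# the 4663 query of 6.4. Run from an elevated prompt; folder lists are stand-ins.
using namespace System.Security.AccessControl

# The six advanced permissions selected in 6.1 (CreateFiles = write data, CreateDirectories = append data).
$ChangeRights = [FileSystemRights]::CreateFiles -bor [FileSystemRights]::CreateDirectories -bor
                [FileSystemRights]::WriteExtendedAttributes -bor [FileSystemRights]::Delete -bor
                [FileSystemRights]::ChangePermissions -bor [FileSystemRights]::TakeOwnership

function Add-ChangeAudit {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('ThisFolderAndFiles', 'ThisFolderSubfoldersAndFiles')][string]$Scope
    )
    # "Applies to" in the Auditing tab is an inheritance flag: files only (OI),
    # or subfolders and files (CI + OI). Propagation None matches the GUI default.
    $inherit = [InheritanceFlags]::ObjectInherit
    if ($Scope -eq 'ThisFolderSubfoldersAndFiles') { $inherit = $inherit -bor [InheritanceFlags]::ContainerInherit }
    $rule = [FileSystemAuditRule]::new('Everyone', $ChangeRights, $inherit,
                                       [PropagationFlags]::None, [AuditFlags]::Success)   # Type: Success
    $acl = Get-Acl -Path $Path -Audit      # -Audit is required to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Block-InheritedAudit {
    param([Parameter(Mandatory)][string]$Path)
    # 6.3: stop inheriting the parent's audit entries and discard the inherited copies.
    $acl = Get-Acl -Path $Path -Audit
    $acl.SetAuditRuleProtection($true, $false)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ChangeAudit {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, InheritanceFlags, AuditFlags, IsInherited
}

function Get-RecentFileChanges {
    param([int]$Minutes = 60)
    # 6.4: 4663 records subject, process and access mask; it does not carry file content.
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
            Access  = $data.AccessMask
            Process = $data.ProcessName
        }
    }
}

# Stand-ins for the 6.2 / 6.3 tables; adjust to your build and AV product.
$FilesOnly      = 'C:\Boot', 'C:\Perflogs', 'C:\Users\Public'
$WithSubfolders = 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows\System32\GroupPolicy\Machine\Scripts'
$Excluded       = 'C:\ProgramData\ExampleAV\CommonFramework'   # hypothetical AV path

foreach ($p in $FilesOnly)      { if (Test-Path $p) { Add-ChangeAudit -Path $p -Scope ThisFolderAndFiles } }
foreach ($p in $WithSubfolders) { if (Test-Path $p) { Add-ChangeAudit -Path $p -Scope ThisFolderSubfoldersAndFiles } }
foreach ($p in $Excluded)       { if (Test-Path $p) { Block-InheritedAudit -Path $p } }

Get-ChangeAudit -Path 'C:\Program Files' | Format-Table -AutoSize
Get-RecentFileChanges -Minutes 60 | Format-Table -AutoSize
```

Get-ChangeAudit is the check to run after the GUI steps as well: an entry for Everyone with the six rights, AuditFlags Success and the expected InheritanceFlags confirms the SACL landed, and IsInherited shows whether a subfolder is still inheriting it after a 6.3 exclusion.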

7. Policy Change

   Subcategory                                Success   Failure
   Audit Policy Change                        Enable    Enable
   Authentication Policy Change               Enable    Enable
   Authorization Policy Change                Enable    Enable
   Filtering Platform Policy Change           Disable   Disable
   MPSSVC Rule-Level Policy Change            Disable   Disable
   Other Policy Change Events                 Disable   Enable

8. Privilege Use

   Subcategory                                Success   Failure
   Non-Sensitive Privilege Use                Enable    Enable
   Sensitive Privilege Use                    Enable    Enable
   Other Privilege Use Events                 Enable    Enable

9. System

   Subcategory                                Success   Failure
   IPSEC Driver                               Disable   Disable
   Other System Events                        Disable   Disable
   Security State Change                      Enable    Enable
   Security System Extension                  Enable    Enable
   Security System Integrity                  Enable    Enable

10. Global Object Access Auditing

   Subcategory                                Success   Failure
   Registry (GOAA)                            Optional  Optional
   File System (GOAA)                         Optional  Optional
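The subcategory tables in sections 1 through 10 as a script, added here as an example and not part of the Netsurion guide: it pushes each recommended Success/Failure pair with auditpol.exe, reads the effective policy back from auditpol's CSV output and lists any subcategory that does not match. Subcategory names are the ones auditpol uses and are assumed to match your build (confirm with auditpol /list /subcategory:*); the Optional rows of sections 6 and 10 are left out. On a domain member the same table belongs in a GPO under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration, since Group Policy re-applies its own audit settings over anything set locally; run the script elevated on a standalone or test machine.

```powershell
# Added example, not part of the Netsurion guide: push the subcategory settings from
# sections 1-10 with auditpol.exe, read the effective policy back and report any drift.
# Run elevated. Subcategory names are auditpol's and assumed to match this build
# (check with: auditpol /list /subcategory:*). Optional rows from the tables are omitted.
$AuditPolicy = [ordered]@{                      # name => Success, Failure
    'Credential Validation'                  = $true,  $true
    'Kerberos Authentication Service'        = $true,  $true
    'Kerberos Service Ticket Operations'     = $true,  $true
    'Other Account Logon Events'             = $true,  $true
    'Application Group Management'           = $true,  $true
    'Computer Account Management'            = $true,  $true
    'Distribution Group Management'          = $true,  $true
    'Other Account Management Events'        = $true,  $true
    'Security Group Management'              = $true,  $true
    'User Account Management'                = $true,  $true
    'DPAPI Activity'                         = $false, $false
    'Process Creation'                       = $true,  $true
    'Process Termination'                    = $true,  $true
    'RPC Events'                             = $true,  $true
    'Detailed Directory Service Replication' = $false, $false
    'Directory Service Access'               = $true,  $true
    'Directory Service Changes'              = $true,  $true
    'Directory Service Replication'          = $false, $false
    'Account Lockout'                        = $true,  $true
    'IPsec Extended Mode'                    = $false, $false
    'IPsec Main Mode'                        = $false, $false
    'IPsec Quick Mode'                       = $false, $false
    'Logoff'                                 = $true,  $true
    'Logon'                                  = $true,  $true
    'Network Policy Server'                  = $true,  $true
    'Other Logon/Logoff Events'              = $true,  $true
    'Special Logon'                          = $true,  $true
    'Application Generated'                  = $true,  $true
    'Certification Services'                 = $true,  $true
    'Detailed File Share'                    = $false, $false
    'File Share'                             = $true,  $true
    'File System'                            = $true,  $true
    'Filtering Platform Connection'          = $false, $false
    'Filtering Platform Packet Drop'         = $false, $false
    'Handle Manipulation'                    = $false, $false
    'Kernel Object'                          = $true,  $true
    'Registry'                               = $true,  $true
    'SAM'                                    = $false, $false
    'Audit Policy Change'                    = $true,  $true
    'Authentication Policy Change'           = $true,  $true
    'Authorization Policy Change'            = $true,  $true
    'Filtering Platform Policy Change'       = $false, $false
    'MPSSVC Rule-Level Policy Change'        = $false, $false
    'Other Policy Change Events'             = $false, $true
    'Non Sensitive Privilege Use'            = $true,  $true
    'Sensitive Privilege Use'                = $true,  $true
    'Other Privilege Use Events'             = $true,  $true
    'IPsec Driver'                           = $false, $false
    'Other System Events'                    = $false, $false
    'Security State Change'                  = $true,  $true
    'Security System Extension'              = $true,  $true
    'System Integrity'                       = $true,  $true
}

function ConvertTo-AuditSetting([bool]$Success, [bool]$Failure) {
    # Vocabulary of the "Inclusion Setting" column printed by auditpol /get /r.
    if ($Success -and $Failure) { return 'Success and Failure' }
    if ($Success) { return 'Success' }
    if ($Failure) { return 'Failure' }
    'No Auditing'
}

function Set-RecommendedAuditPolicy {
    foreach ($e in $AuditPolicy.GetEnumerator()) {
        $s = if ($e.Value[0]) { 'enable' } else { 'disable' }
        $f = if ($e.Value[1]) { 'enable' } else { 'disable' }
        & auditpol.exe /set /subcategory:"$($e.Key)" /success:$s /failure:$f | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$($e.Key)' (exit $LASTEXITCODE)" }
    }
}

function Test-RecommendedAuditPolicy {
    # /r prints CSV with a "Subcategory" and an "Inclusion Setting" column per subcategory.
    $effective = @{}
    & auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
        ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }
    foreach ($e in $AuditPolicy.GetEnumerator()) {
        $want = ConvertTo-AuditSetting $e.Value[0] $e.Value[1]
        if ($effective[$e.Key] -ne $want) {
            [pscustomobject]@{ Subcategory = $e.Key; Expected = $want; Effective = $effective[$e.Key] }
        }
    }
}

# Subcategory settings lose to the legacy category policy if this override is explicitly off.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.SCENoApplyLegacyAuditPolicy -eq 0) { Write-Warning '"Audit: Force audit policy subcategory settings to override audit policy category settings" is disabled' }
Set-RecommendedAuditPolicy
$drift = @(Test-RecommendedAuditPolicy)
if ($drift.Count) { $drift | Format-Table -AutoSize } else { 'Effective audit policy matches the recommended table.' }
```

Test-RecommendedAuditPolicy is worth scheduling on its own: a non-empty drift list after the policy has been in place means something (a GPO, a baseline tool, or a manual auditpol /clear) has changed the effective policy. For the Optional Global Object Access Auditing rows of section 10, auditpol /resourceSACL sets a machine-wide file or registry SACL instead of the per-folder entries of 6.1; it is not applied by this script.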

About Netsurion

Flexibility and security within the IT environment are two of the most important factors driving business today. Netsurion’s cybersecurity platforms enable companies to deliver on both. Netsurion’s approach of combining purpose-built technology and an ISO-certified security operations center gives customers the ultimate flexibility to adapt and grow, all while maintaining a secure environment.

Netsurion’s EventTracker cyber threat protection platform provides SIEM, endpoint protection, vulnerability scanning, intrusion detection and more, all delivered as a managed or co-managed service.

Netsurion’s BranchSDO delivers purpose-built technology with optional levels of managed services to multi-location businesses, optimizing network security, agility, resilience, and compliance for branch locations.

Whether you need technology with a guiding hand or a complete outsourcing solution, Netsurion has the model to help drive your business forward. To learn more visit netsurion.com or follow us on Twitter or LinkedIn. Netsurion is #19 among MSSP Alert’s 2020 Top 250 MSSPs.

Contact Us

Corporate Headquarters
Netsurion
Trade Centre South
100 W. Cypress Creek Rd
Suite 530
Fort Lauderdale, FL 33309

Contact Numbers
EventTracker Enterprise SOC: 877-333-1433 (Option 2)
EventTracker Enterprise for MSPs SOC: 877-333-1433 (Option 3)
EventTracker Essentials SOC: 877-333-1433 (Option 4)
EventTracker Software Support: 877-333-1433 (Option 5)
https://www.netsurion.com/eventtracker-support
