6.7.8 Advanced Audit Policy Facts *Important*

In Windows Server 2008 R2, 53 new audit policy settings have been integrated with Group Policy. Be aware of the following details about the advanced audit policy configuration:
• You can configure the Advanced Audit Policy using the Group Policy Management Console by navigating to the Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration node, or by using the command-line utility auditpol.exe.
• The 53 new settings can be used in place of the nine basic auditing settings under Local Policies\Audit Policy to specifically target the types of activities you want to audit and eliminate the unnecessary auditing activity that makes audit logs difficult to manage and decipher.
• Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results; the two sets of audit policy settings should not be combined.
• If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This prevents conflicts between similar settings by forcing the basic audit policy settings to be ignored.
• Reason for Access auditing logs the reason, based on specific permissions, why someone had access to specific resources. The reason why someone has been granted or denied access is added to the open handle event. To enable this functionality, the Handle Manipulation audit policy setting also needs to be enabled.
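The procedure above (switch to subcategory-based auditing, enable only the subcategories you need, and avoid mixing in the basic categories) as an added PowerShell example; this is not part of the original notes. It runs in an elevated session on Windows Server 2008 R2 or later. The subcategory list is an illustrative assumption, not a recommended baseline, and the [Event Audit] check at the end is a heuristic based on what secedit exports.

```powershell
# Added example, not part of the original notes. Run in an elevated PowerShell session
# on Windows Server 2008 R2 or later. The subcategory selection is an illustrative
# assumption, not a recommended baseline.

# 1. Restore point (undo with: auditpol /restore /file:<path>).
$backup = Join-Path $env:TEMP 'auditpol-before.csv'
& auditpol.exe /backup "/file:$backup" | Out-Null

# 2. Registry value behind "Audit: Force audit policy subcategory settings (Windows Vista
#    or later) to override audit policy category settings" (Local Policies\Security Options).
#    With it set to 1 the nine basic categories are ignored and only subcategories apply.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# 3. Enable only what is wanted. Handle Manipulation is on because Reason for Access
#    information is written only when that subcategory is enabled.
$wanted = @(
    @{ Name = 'Credential Validation'; Success = 'enable'; Failure = 'enable'  }
    @{ Name = 'Logon';                 Success = 'enable'; Failure = 'enable'  }
    @{ Name = 'Process Creation';      Success = 'enable'; Failure = 'disable' }
    @{ Name = 'File System';           Success = 'enable'; Failure = 'enable'  }
    @{ Name = 'Handle Manipulation';   Success = 'enable'; Failure = 'enable'  }
)
foreach ($s in $wanted) {
    & auditpol.exe /set "/subcategory:$($s.Name)" "/success:$($s.Success)" "/failure:$($s.Failure)" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol could not set '$($s.Name)'" }
}

# 4. Verify. 'auditpol /get ... /r' prints CSV whose 'Inclusion Setting' column is one of
#    "Success and Failure", "Success", "Failure" or "No Auditing".
function Get-AuditSubcategoryState {
    param([Parameter(Mandatory)][string]$Name)
    & auditpol.exe /get "/subcategory:$Name" /r | ConvertFrom-Csv |
        Where-Object { $_.Subcategory -eq $Name } |
        Select-Object -First 1 -ExpandProperty 'Inclusion Setting'
}
$expected = @{ 'enable/enable' = 'Success and Failure'; 'enable/disable' = 'Success'
               'disable/enable' = 'Failure';            'disable/disable' = 'No Auditing' }
foreach ($s in $wanted) {
    $actual = Get-AuditSubcategoryState -Name $s.Name
    $want   = $expected["$($s.Success)/$($s.Failure)"]
    '{0,-22} {1,-20} {2}' -f $s.Name, $actual, $(if ($actual -eq $want) { 'OK' } else { "EXPECTED $want" })
}

# 5. Heuristic check for the conflict the notes warn about: basic Local Policies\Audit Policy
#    categories still configured. secedit exports them under [Event Audit] as
#    AuditXxxEvents = 0 (none), 1 (success), 2 (failure) or 3 (both).
$cfg = Join-Path $env:TEMP 'secpol.inf'
& secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$legacy = Get-Content $cfg | Select-String -Pattern '^(Audit\w+)\s*=\s*[1-3]\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value }
if ($legacy) {
    Write-Warning ("Basic audit categories still configured ({0}); clear them instead of mixing the two policies." -f ($legacy -join ', '))
}
```

In a domain, the same subcategory settings and the force-subcategory option would normally be deployed through the GPO node named above rather than with auditpol on each host; auditpol is still the quickest way to confirm what is actually in force on a given machine.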
Be aware of the categories of the 53 new audit policy settings:
• Account Logon
• Account Management
• Detailed Tracking
• DS Access
• Logon/Logoff
• Object Access
• Policy Change
• Privilege Use
• System
• Global Object Access Auditing
Account Logon
Account Logon events document attempts to authenticate account data, either to a domain controller or to a local Security Accounts Manager (SAM). Unlike logon and logoff events, which track attempts to access a particular computer, events in this category report on the account database that is being used.
Account Logon, be aware of the following settings
• Credential Validation audits events generated by validation tests on user account logon credentials.
• Kerberos Service Ticket Operations- audits events generated by Kerberos service ticket requests.
• Other Account Logon Events- audits events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
• Kerberos Authentication Service- audits events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
Account Management
Account Management settings can monitor changes to user and computer accounts and groups.
Account Management, be aware of the following
• User Account Management- audits changes to user accounts.
• Computer Account Management- audits events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted.
• Security Group Management- audits events generated by changes to security groups
• Distribution Group Management- audits events generated by changes to distribution groups. Events are logged only on domain controllers.
• Application Group Management- audits events generated by changes to application groups.
• Other Account Management Events- audits events generated by other user account changes that are not covered in this category.
Detailed Tracking
Detailed Tracking events can be used to monitor the activities of individual applications to understand how a computer is being used and the activities of users on that computer.
Detailed Tracking, be aware of the following
• Process Creation- audits events generated when a process is created or starts. The name of the application or user that created the process is also audited.
• Process Termination- audits events generated when a process ends.
• DPAPI Activity- audits events generated when encryption or decryption requests are made to the Data Protection Application Programming Interface (DPAPI). DPAPI is used to protect secret information such as stored passwords and key information.
• RPC Events- audits inbound Remote Procedure Call (RPC) connections.
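The Process Creation subcategory above is the one most often used for tracking what actually ran on a host. The following is an added PowerShell example, not part of the original notes: it enables the subcategory, turns on command-line capture for the 4688 event, and summarises recent process starts against a watch list. Command-line capture (the ProcessCreationIncludeCmdLine_Enabled value) ships with Windows 8.1/Server 2012 R2 and later and was backported to Windows 7/Server 2008 R2 by KB3004375; the ParentProcessName field exists only on Windows 10/Server 2016 and later. The watch list and time window are assumptions.

```powershell
# Added example, not part of the original notes. Run elevated.
# Event 4688 is written by the Process Creation subcategory; CommandLine is filled only when
# ProcessCreationIncludeCmdLine_Enabled = 1 (Windows 8.1/2012 R2+, or 2008 R2/7 with KB3004375).

& auditpol.exe /set '/subcategory:Process Creation' /success:enable /failure:enable | Out-Null

$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

function Get-ProcessCreationEvents {
    # Flattens 4688 events from the last $Minutes minutes. Fields used: SubjectUserName,
    # NewProcessName, CommandLine, TokenElevationType and (Windows 10/2016+ only) ParentProcessName.
    param([int]$Minutes = 30)
    $ms = $Minutes * 60 * 1000
    $xpath = "*[System[EventID=4688 and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d.SubjectUserName
                Process     = $d.NewProcessName
                Parent      = $d.ParentProcessName      # $null on 2008 R2
                CommandLine = $d.CommandLine            # $null unless command-line capture is on
                Elevation   = $d.TokenElevationType     # %%1936 full, %%1937 elevated, %%1938 limited
            }
        }
}

# Assumed watch list: interpreters and signed binaries commonly abused for execution.
$watch = 'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe',
         'mshta.exe', 'regsvr32.exe', 'rundll32.exe', 'certutil.exe'

Get-ProcessCreationEvents -Minutes 30 |
    Where-Object { $watch -contains (Split-Path $_.Process -Leaf) } |
    Sort-Object Time |
    Format-Table Time, User, Parent, Process, CommandLine -AutoSize -Wrap
```

Process Creation with command lines is high volume; on busy servers pair it with a log forwarding or SIEM pipeline and a larger Security log size rather than reading it locally as the last lines do.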
DS Access
DS Access events provide a low-level audit trail of attempts to access and modify objects in AD DS. These events are logged only on domain controllers.
DS Access, be aware of the following
• Directory Service Access- audits events generated when an AD DS object is accessed. Only AD DS objects with a matching system access control list (SACL) are logged. Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows.
• Directory Service Changes- audits events generated by changes to AD DS objects. Events are logged when an object is created, deleted, modified, moved, or undeleted.
• Directory Service Replication- audits replication between two AD DS domain controllers.
• Detailed Directory Service Replication- audits events generated by detailed AD DS replication between domain controllers.
Logon/Logoff
Logon/Logoff events track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources.
Logon/Logoff, be aware of the following
• Logon -audits events generated by user account logon attempts on a computer.
• Logoff- audits events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to.
• Account Lockout- audits events generated by a failed attempt to log on to an account that is locked out.
• IPsec Main Mode- audits events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
• IPsec Quick Mode- audits events generated by IKE and AuthIP during Quick Mode negotiations.
• IPsec Extended Mode- audits events generated by IKE and AuthIP during Extended Mode negotiations.
• Special Logon- audits events generated by special logons.
• Other Logon/Logoff Events- audits other events related to logon and logoff that are not included in the Logon/Logoff category.
• Network Policy Server- audits events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
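The Account Logon and Logon/Logoff categories above are the ones that tell the two stories apart: Credential Validation and Kerberos Authentication Service events land on the domain controller that holds the account database, Logon events land on the machine being accessed. The following added PowerShell example (not part of the original notes) shows the detection a practitioner usually builds on both: failed NTLM validations (4776 with a non-zero Status), failed Kerberos pre-authentication (4771) and failed logons (4625) grouped by source, to surface password guessing. The sample records are constructed for illustration; Get-FailedLogonRecords shows how to feed real Security log events instead. The threshold is an assumption.

```powershell
# Added example, not part of the original notes. Event IDs: 4776 = Credential Validation (NTLM),
# 4771 = Kerberos Authentication Service pre-auth failure, 4625 = Logon failure.
# The $sample records below are constructed; threshold and field choices are assumptions.

function ConvertFrom-SecurityEvent {
    # Flatten an EventLogRecord into Id, Time and its EventData fields as properties.
    param([Parameter(ValueFromPipeline)]$Record)
    process {
        $xml = [xml]$Record.ToXml()
        $o = [ordered]@{ Id = $Record.Id; Time = $Record.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

function Get-FailedLogonRecords {
    # Live query for the last $Hours hours (run on a DC for 4776/4771, on any host for 4625).
    param([int]$Hours = 1)
    $ms = $Hours * 3600 * 1000
    $xpath = "*[System[(EventID=4625 or EventID=4771 or EventID=4776) and TimeCreated[timediff(@SystemTime) <= $ms]]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ConvertFrom-SecurityEvent
}

function Find-GuessingSources {
    # Group failures by origin; flag a source that hits $Threshold attempts or $Threshold distinct accounts.
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 5)
    $failures = foreach ($e in $Events) {
        switch ($e.Id) {
            4776 { if ($e.Status -ne '0x0') {   # 0x0 is a successful validation
                       [pscustomobject]@{ Source = $e.Workstation; User = $e.TargetUserName; Reason = "NTLM $($e.Status)" } } }
            4771 { [pscustomobject]@{ Source = $e.IpAddress; User = $e.TargetUserName; Reason = "Kerberos preauth $($e.Status)" } }
            4625 { [pscustomobject]@{ Source = $e.IpAddress; User = $e.TargetUserName; Reason = "Logon $($e.Status)/$($e.SubStatus)" } }
        }
    }
    $failures | Group-Object Source | ForEach-Object {
        $accounts = @($_.Group.User | Sort-Object -Unique).Count
        [pscustomobject]@{
            Source   = $_.Name
            Attempts = $_.Count
            Accounts = $accounts
            Suspect  = ($_.Count -ge $Threshold) -or ($accounts -ge $Threshold)
            Reasons  = (@($_.Group.Reason | Sort-Object -Unique) -join '; ')
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample: one workstation cycling through accounts over NTLM (0xC000006A = wrong
# password), one successful validation, one Kerberos pre-auth failure (0x18) and one 4625.
$sample = @(
    1..6 | ForEach-Object { [pscustomobject]@{ Id = 4776; Workstation = 'WS-0042'; TargetUserName = "user$_"; Status = '0xC000006A' } }
    [pscustomobject]@{ Id = 4776; Workstation = 'WS-0042'; TargetUserName = 'user1'; Status = '0x0' }
    [pscustomobject]@{ Id = 4771; IpAddress = '10.1.2.3'; TargetUserName = 'alice'; Status = '0x18' }
    [pscustomobject]@{ Id = 4625; IpAddress = '10.1.2.9'; TargetUserName = 'bob'; Status = '0xC000006D'; SubStatus = '0xC000006A' }
)

Find-GuessingSources -Events $sample -Threshold 5 | Format-Table -AutoSize
# On a live system: Find-GuessingSources -Events (Get-FailedLogonRecords -Hours 1)
```

With the constructed sample, WS-0042 is reported with 6 attempts against 6 accounts and Suspect = True, while 10.1.2.3 and 10.1.2.9 show a single attempt each. Note that 4776 reports the client as a NetBIOS workstation name supplied by the client, whereas 4771 and 4625 carry an IP address, so the two kinds of source are grouped separately.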
Object Access
Object Access events track attempts to access specific objects or types of objects on a network or computer.
Object Access, be aware of the following
• File System- audits user attempts to access file system objects.
• Registry- audits attempts to access registry objects.
• Kernel Object- audits attempts to access kernel objects, such as mutexes and semaphores.
NOTE: The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects.
• SAM- audits events generated by attempts to access Security Accounts Manager (SAM) objects.
• Application Generated- audits applications that generate events by using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function.
• Handle Manipulation- audits events generated when a handle to an object is opened or closed. Only objects with a matching SACL generate security audit events.
• File Share- audits attempts to access a shared folder. However, no security audit events are generated when a folder is created, deleted, or its share permissions are changed.
• Detailed File Share- audits attempts to access files and folders on a shared folder.
Note: the Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting records only one event for any connection established between a client and a file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
• Filtering Platform Packet Drop- audits packets that are dropped by Windows Filtering Platform (WFP).
• Filtering Platform Connection- audits connections that are allowed or blocked by WFP.
• Other Object Access Events- audits events generated by the management of Task Scheduler jobs or COM+ objects.
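Enabling the File System subcategory on its own produces nothing: an object access event is written only when the object carries a SACL entry that matches the access. The following added PowerShell example (not part of the original notes) shows the full chain for the file system: enable File System and Handle Manipulation, put a SACL on a folder, trigger one access, and read back the resulting 4656 (handle requested, carries the Reason for Access) and 4663 (access performed) events. The folder path and the audited principal are assumptions; it runs elevated because writing a SACL requires SeSecurityPrivilege.

```powershell
# Added example, not part of the original notes. Run elevated. Path and principal are assumptions.

$target    = Join-Path $env:ProgramData 'Payroll'   # assumed sensitive folder
$principal = 'Everyone'                             # who to audit; narrow this in practice
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Subcategories. File System produces 4663; Handle Manipulation adds 4656/4658 and is what
#    makes the Reason for Access (the matching ACE) appear in 4656.
& auditpol.exe /set '/subcategory:File System'         /success:enable /failure:enable | Out-Null
& auditpol.exe /set '/subcategory:Handle Manipulation' /success:enable /failure:enable | Out-Null

# 2. The SACL entry: successful and failed write/delete on the folder and everything below it.
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($principal, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $target -Audit      # -Audit is required to read and write the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# 3. Confirm the SACL is in place.
(Get-Acl -Path $target -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize

# 4. Trigger one matching access and read the events back.
Set-Content -Path (Join-Path $target 'test.txt') -Value 'audit me'

function Get-ObjectAccessEvents {
    # 4656/4663 from the last $Seconds seconds whose ObjectName is under $Path.
    param([Parameter(Mandatory)][string]$Path, [int]$Seconds = 60)
    $xpath = "*[System[(EventID=4656 or EventID=4663) and TimeCreated[timediff(@SystemTime) <= $($Seconds * 1000)]]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.ObjectName -like "$Path*") {
            [pscustomobject]@{ Id = $_.Id; Time = $_.TimeCreated; User = $d.SubjectUserName
                               Object = $d.ObjectName; Process = $d.ProcessName; AccessMask = $d.AccessMask }
        }
    }
}
Get-ObjectAccessEvents -Path $target | Format-Table -AutoSize
```

Keep SACLs narrow (specific principals, specific rights such as write and delete, not Full Control for Everyone); Handle Manipulation in particular multiplies the volume because every open and close of a matching handle is logged.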
Policy Change
Policy change events track changes to important security policies on a local system or network.
Policy change, be aware of the following
• Audit Policy Change- audits changes in security audit policy settings.
• Authentication Policy Change- audits events generated by changes to the authentication policy.
• Authorization Policy Change- audits events generated by changes to the authorization policy.
• MPSSVC Rule-Level Policy Change- audits events generated by changes in policy rules used by Windows Firewall.
• Filtering Platform Policy Change- audits events generated by changes to WFP.
• Other Policy Change Events- audits events generated by other security policy changes that are not audited in the Policy Change category.
Privilege Use
Privilege Use events track the use of certain privileges on one or more computers.
Privilege Use, be aware of the following
• Sensitive Privilege Use- audits events generated by the use of sensitive privileges (user rights), such as acting as part of the operating system, backing up files and directories, impersonating a client computer, or generating security audits.
• Non Sensitive Privilege Use- audits events generated by the use of non-sensitive privileges (user rights), such as logging on locally or with a Remote Desktop connection, changing the system time, or removing a computer from a docking station.
System
System events track high-level changes to a computer that are not included in other categories and that have potential security implications.
System, be aware of the following
• Security State Change- audits events generated by changes in the security state of the computer.
• Security System Extension- audits events related to security system extensions or services.
• System Integrity- audits events that violate the integrity of the security subsystem.
• IPsec Driver- audits events that are generated by the IPsec filter driver.
• Other System Events- audits any of the following events:
• Startup and shutdown of the Windows Firewall
• Security policy processing by the Windows Firewall.
• Cryptography key file and migration operations.
Global Object Access Auditing
The Global Object Access Auditing settings define computer-wide SACLs per object type, for either the file system or the registry. The specified SACL is then automatically applied to every object of that type.
• Auditors can show that every resource in the system is protected by an audit policy just by viewing the contents of the Global Object Access Auditing policy settings.
• Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access Auditing policy to log all the activity for a specific user and enabling the Access Failures audit policies for a resource type (file system, registry) helps administrators quickly identify which object in the system is denying a user access.
Global Object Access Auditing, be aware of the following
• File System- applies a global SACL to the file system of the entire computer. NOTE: If both a file or folder SACL and a Global Object Access Auditing policy (or a single registry key SACL and a Global Object Access Auditing policy) are configured on a computer, then an audit event is generated if an activity matches either the file or folder SACL or the Global Object Access Auditing policy.
• Registry- applies a global SACL to the registry of the entire computer.
NOTE: Both the File System and Registry settings must be used in combination with their corresponding audit policy setting under the Object Access category.
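The diagnostic scenario described under Global Object Access Auditing ("which object is denying this user access?") as an added PowerShell example; it is not part of the original notes. It uses the local auditpol /resourceSACL interface, which writes the same global SACLs that the Global Object Access Auditing GPO settings deploy, and it enables the File System and Registry subcategories that the note above says are required. The account name is an assumption. Run elevated.

```powershell
# Added example, not part of the original notes. The account is an assumption.

$user = 'CORP\jdoe'   # assumed account that keeps getting "access denied"

# 1. Global SACLs, failures only, with the full access mask (FA = all file rights,
#    KA = all registry key rights) so any denied right on any file or key is caught.
& auditpol.exe /resourceSACL /set /type:File /user:$user /failure /access:FA | Out-Null
& auditpol.exe /resourceSACL /set /type:Key  /user:$user /failure /access:KA | Out-Null

# 2. The Object Access subcategories the global SACLs feed; without them nothing is written.
& auditpol.exe /set '/subcategory:File System' /failure:enable | Out-Null
& auditpol.exe /set '/subcategory:Registry'    /failure:enable | Out-Null

# 3. Show what is now in force for this user.
& auditpol.exe /resourceSACL /view /user:$user

# 4. After the user reproduces the problem: list the denied objects from the failure audits.
#    A denied open is logged as 4656 (handle request) with the Audit Failure keyword,
#    0x10000000000000 = 4503599627370496.
function Get-DeniedObjects {
    param([Parameter(Mandatory)][string]$Account, [int]$MaxEvents = 500)
    $sam   = ($Account -split '\\')[-1]
    $xpath = "*[System[(EventID=4656 or EventID=4663) and band(Keywords,4503599627370496)]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml(); $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]$d
        } |
        Where-Object { $_.SubjectUserName -eq $sam } |
        Group-Object ObjectType, ObjectName |
        Select-Object Count, Name |
        Sort-Object Count -Descending
}
Get-DeniedObjects -Account $user | Format-Table -AutoSize

# 5. Remove the global SACLs once the cause is found; they are far too noisy to leave on.
& auditpol.exe /resourceSACL /remove /type:File /user:$user | Out-Null
& auditpol.exe /resourceSACL /remove /type:Key  /user:$user | Out-Null
```

Because a global SACL is evaluated in addition to each object's own SACL, the listing can include failures that a per-object SACL would also have produced; that is the "either matches" behaviour the File System note describes.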