Recommended advanced audit logging

A couple of weeks ago I wrote a blog post about the importance of logging in your environment. This is a follow up to that post showing more of how advanced audit logging should be configured.

This is only a recommendation on a starting point. The general rule is you can never have to much logs. The challenge is finding a balance between logging enough and getting enough information.

This post will focus on how to accomplish this using GPO. You can of course accomplish the same thin using desired state configuration or other tools.

Creating a GPO

The settings for advanced audit policies can be found under Computer Configuration / Policies / Windows Settings / Security Settings / Advanced Audit Polcies / Audit Policies

Group policy logging

The following settings should be configured

  • Account Logon
    • Audit Credential Validation – Failure
    • Audit Kerberos Authentication Service – Success, Failure
    • Audit Kerberos Service Ticket Operations – Failure
    • Audit Other Account Logon Events – Success, Failure
  • Account Management
    • Audit Application Group Management – Success
    • Audit Computer Account Management – Success
    • Audit Distribution Group Management – Success
    • Audit Other Account Management Events – Success
    • Audit Security Group Management – Success
    • Audit User Account Management – Success, Failure
  • Detailed Tracking
    • Audit PNP Activity – Success
    • Audit Process Creation – Success
  • DS Access
    • Audit Directory Service Access – Failure
    • Audit Directory Service Changes – Success
  • Logon/Logoff
    • Audit Account Lockout Failure
    • Audit Group Membership Success
    • Audit Logon Success, Failure
    • Audit Other Logon/Logoff Events Success, Failure
    • Audit Special Logon Success
  • Object Access
    • Audit Detailed File Share Failure
    • Audit File Share Success, Failure
    • Audit Other Object Access Events Success, Failure
    • Audit Removable Storage Success, Failure
  • Policy Change
    • Audit Audit Policy Change – Success
    • Audit Authentication Policy Change – Success
    • Audit MPSSVC Rule-Level Policy Change – Success, Failure
    • Audit Other Policy Change Events – Failure
  • Privilege Use
    • Audit Sensitive Privilege Use – Success, Failure
  • System
    • Audit Other System Events – Success, Failure
    • Audit Security State Change – Success
    • Audit Security System Extension – Success
    • Audit System Integrity -Success, Failure

Configuring the above settings will make sure the correct events are logged to allow tracking of most scenarios. This also means by default the event logs will rotate quickly and a long log trail will not be preserved. To make sure is not the case the following settings in Windows Components / Event Log Service should also be configured.

  • Application
    • Specify the maximum log file size (KB) Enabled
    • Maximum Log Size (KB) 512000
  • Security
    • Specify the maximum log file size (KB) Enabled
    • Maximum Log Size (KB) 512000
  • Setup
    • Specify the maximum log file size (KB) Enabled
    • Maximum Log Size (KB) 512000
  • System
    • Specify the maximum log file size (KB) Enabled
    • Maximum Log Size (KB) 512000

Import GPO using PowerShell

If you are like me and you have done this once and then thought, there has to be a better way. Don’t worry, there is – PowerShell to the rescue. Using PowerShell we can automatically read a GPO backup and then create and import the setting into that specific GPO. This all results in you being able to download the script and the GPO available at the end of this post and save yourself a lot of trouble.

To run the script simple run the following command and change the source location to where you have saved the GPO backup copy.

.\Import-TSxGPO.ps1 -Source C:\GPOBackup

When its done you would have a GPO imported that looks like the image below that can be linked to your domain controller OU.

Advanced Audit Logging Group Policy

The complete GPO and PowerShell script can be downloaded below for your convenience.

Read more

If you want to read more about this topic Microsoft has detailed information about what each version of Windows should have enabled for advanced audit logging. https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations


By Peter Löfgren

I am a positive, hands-on, consultant with a passion for innovation who thrives on opportunities to be on the cutting edge of technology. Splitting my time between trainings, workshops, and consulting has allowed me to gain unique insight and perspective for my clients. My 10+ years of expert Windows knowledge and experience allows me to guide my customers to achieve new client platforms. By using all new Microsoft technology, I help my customers build and maintain production solutions for years to come.

Some of my notable accomplishments are:
Being chosen to present at Tech Days
Being a trusted advisor for US companies
Deployed a new platform for a large bank in Sweden