Audit Policy Best Practices

How to implement audit policy

  • Determine which types of events you want to audit from the list below, and specify the settings for each one. The settings you specify constitute your audit policy. Note that some event types are audited by default.
  • Specify the maximum size and other attributes of the Security log using the Event Logging policy settings. You can view the Security log with Event Viewer.
  • If you want to audit directory service access or object access, configure the Audit directory service access and Audit object access policy settings.

Types of events you can audit

  • Account logon. User logon auditing is the only way to detect all unauthorized attempts to log in to a domain. It is necessary to audit logon events — both successful and failed — to detect intrusion attempts. Logoff events are not tracked on the domain controllers.
  • Account management. Carefully monitoring all user account changes helps minimize the risk of business disruption and system unavailability.
  • Directory service access. Monitor this only when you need to see when someone accesses an AD object that has its own system access control list (for example, an OU).
  • Logon. Seeing successful and failed attempts to log on or off a local computer is useful for intruder detection and post-incident forensics.
  • Object access. Audit this only when you need to see when someone used privileges to access, copy, distribute, modify or delete files on file servers.
  • Policy change. Improper changes to a GPO can greatly damage the security of your environment. Monitor all GPO modifications to reduce the risk of data exposure.
  • Privilege use. Turn this on only when you want to track each instance of user privileges being used.
  • Process tracking. Auditing process-related events, such as process creation, process termination, handle duplication and indirect object access, can be useful for incident investigations.
  • System. Configuring the system audit policy to log startups and shutdowns or restarts of the computer, and attempts by a process or program to do something that it does not have permission to do, is valuable because all such events are very significant. For example, if malicious software tries to change a setting on your computer without your permission, system event auditing would record that action.

Recommended Audit Policy settings

Account logon

  • Audit Credential Validation: Success and Failure

Account management

  • Audit Computer Account Management: Success and Failure
  • Audit Other Account Management Events: Success and Failure
  • Audit Security Group Management: Success and Failure
  • Audit User Account Management: Success and Failure

Directory service access

  • Audit Directory Service Access: Success and Failure on DC
  • Audit Directory Service Changes: Success and Failure on DC

Logon

  • Audit Account Lockout: Success
  • Audit Logoff: Success
  • Audit Logon: Success and Failure
  • Audit Special Logon: Success and Failure

Object access

  • Enable this setting only if you have a specific use for the data that will be logged, because it can cause a large volume of entries to be generated in your Security logs.

Policy Change

  • Audit Audit Policy Change: Success and Failure
  • Audit Authentication Policy Change: Success and Failure

Privilege use

  • Enable this setting only if you have a specific use for the data that will be logged, because it can cause a large volume of entries to be generated in your Security logs.

Process tracking

  • Enable this setting only if you have a specific use for the data that will be logged, because it can cause a large volume of entries to be generated in your Security logs.

System

  • Audit Security State Change: Success and Failure
  • Audit Other System Events: Success and Failure
  • Audit System Integrity: Success and Failure

Detailed tracking (available under Advanced Security Audit Policy Configuration)

  • Audit Process Creation: Success
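The recommended settings above, applied with the built-in auditpol.exe and then verified, as an added example covering both the implementation steps and the baseline list; this is not code from the article or from Netwrix. It assumes an English-language Windows build, where the auditpol subcategory display names match the names in the list, and an elevated PowerShell session on a test machine.

```powershell
# Added example (not from the original article): apply the recommended baseline with auditpol.exe
# and verify the result. Assumes English subcategory display names and an elevated session.
$Baseline = @(
    @{ Sub = 'Credential Validation';           Success = $true; Failure = $true },
    @{ Sub = 'Computer Account Management';     Success = $true; Failure = $true },
    @{ Sub = 'Other Account Management Events'; Success = $true; Failure = $true },
    @{ Sub = 'Security Group Management';       Success = $true; Failure = $true },
    @{ Sub = 'User Account Management';         Success = $true; Failure = $true },
    @{ Sub = 'Directory Service Access';        Success = $true; Failure = $true; DcOnly = $true },
    @{ Sub = 'Directory Service Changes';       Success = $true; Failure = $true; DcOnly = $true },
    @{ Sub = 'Account Lockout';                 Success = $true; Failure = $false },
    @{ Sub = 'Logoff';                          Success = $true; Failure = $false },
    @{ Sub = 'Logon';                           Success = $true; Failure = $true },
    @{ Sub = 'Special Logon';                   Success = $true; Failure = $true },
    @{ Sub = 'Audit Policy Change';             Success = $true; Failure = $true },
    @{ Sub = 'Authentication Policy Change';    Success = $true; Failure = $true },
    @{ Sub = 'Security State Change';           Success = $true; Failure = $true },
    @{ Sub = 'Other System Events';             Success = $true; Failure = $true },
    @{ Sub = 'System Integrity';                Success = $true; Failure = $true },
    @{ Sub = 'Process Creation';                Success = $true; Failure = $false }
)
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC. DC-only rows are skipped elsewhere.
$IsDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
$ToApply = $Baseline | Where-Object { -not $_.DcOnly -or $IsDc }

# Save the current policy first so it can be rolled back with: auditpol /restore /file:<path>
$Backup = Join-Path $env:TEMP 'auditpol-before.csv'
auditpol /backup /file:$Backup | Out-Null

foreach ($e in $ToApply) {
    $s = if ($e.Success) { 'enable' } else { 'disable' }
    $f = if ($e.Failure) { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$($e.Sub)" /success:$s /failure:$f | Out-Null
}

# Verify. /r emits CSV; the 'Inclusion Setting' column reads "Success", "Failure",
# "Success and Failure" or "No Auditing". Blank lines are dropped before parsing.
$Current = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
foreach ($e in $ToApply) {
    $want = switch ("$($e.Success)$($e.Failure)") {
        'TrueTrue'  { 'Success and Failure' }
        'TrueFalse' { 'Success' }
        'FalseTrue' { 'Failure' }
        default     { 'No Auditing' }
    }
    $got  = ($Current | Where-Object { $_.Subcategory -eq $e.Sub }).'Inclusion Setting'
    $mark = if ($got -eq $want) { 'OK  ' } else { 'DIFF' }
    '{0} {1,-34} want: {2,-19} got: {3}' -f $mark, $e.Sub, $want, $got
}
```

The same subcategories can be set centrally by Group Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration, which will overwrite local auditpol changes at the next policy refresh. If legacy category-level audit settings are also deployed, enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so the subcategory values take effect.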

What is audit policy?

Windows audit policy defines what types of events are written in the Security logs of your Windows servers.
Establishing an effective audit policy is an important aspect of IT security. Monitoring the creation or modification of objects helps you spot potential security problems, ensure user accountability and provide evidence in the event of a security breach.
The recommended settings provided are intended as a baseline for system administrators starting to define AD audit policies.

Each company must make their own decisions regarding the threats they face, their risk tolerance, and which audit policy settings they should choose. For more information about threats, please refer to the Netwrix Visibility Academy. IT specialists without an audit policy in place are encouraged to start with the settings recommended — and to test and refine them before implementing them in their production environment.

Best practices for auditing

  • Before you implement any audit processes, you should determine how you will collect, store and analyze the data. There is little value in amassing large volumes of audit data if there is no underlying plan to manage and use it.
  • Remember that audit settings can affect computer performance. Therefore, you should run performance tests before you deploy new audit settings in your production environment.
  • A final consideration is the amount of storage space that you can allocate to storing the data collected by auditing. Depending on the setting you choose, audit data can quickly fill up available disk space.

With Netwrix Auditor, you can archive audit data for years. The two-tiered (file-based + SQL database) AuditArchive storage enables you to keep your big data securely archived and readily available for e-discovery and security investigations for more than 10 years.