One of the most common configurations taken for granted is the built-in Microsoft Windows logging capabilities. Microsoft Windows continues to dominate the corporate enterprise market.
While the Windows Event Viewer can be used to investigate single instances on an endpoint, the ability to correlate that data can be a large advantage to any security team. The default logging enabled on a Microsoft AD Domain and all endpoints doesn’t include a fraction of the helpful data that can be obtained.
Here are a few modifications that can offer a deeper look into your Windows environment.
Download Free Microsoft Security Guide
Group Policy Objects
Group Policy Objects (GPOs) are used to centrally manage hardware and software settings in a domain configuration. They are broken up into both local and domain policies and can be applied to specific accounts or containers in a certain order to see differing results. Controlling event logging settings from within GPOs allows different settings to be applied to different groups of assets such as domain controllers, servers and endpoints.
*NOTE* All GPO changes should be thoroughly planned and tested in any environment.
Event Log Sizes
Default event log file sizes are traditionally too small and can cause log aggregation if a networking issue occurs. Taking into account the virtualization and hardware of today’s infrastructure, the sizes found below are recommended.
- Open Group Policy Management on a domain controller
- Either find the policy that will be edited or create a new policy
- Right-click on the GPO and select edit
- Configure event log sizes: Computer Configuration > Policies > Windows Settings > Security Settings > Event Log
Event Log |
|
Maximum Application Log Size |
256k (or larger) |
Maximum Security Log Size |
Regular Endpoints - 1,024,000kb (minimum) |
Maximum System Log Size |
256k (or larger) |
Advanced Audit Policy Configuration
Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy allowed the ability to configure much more granular settings for Windows audit logging.
- Enable advanced auditing
-
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
- Audit: Force audit policy subcategory settings – Enabled
- Configure Advanced Audit Policies
- Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies
Account Logon
Credential Validation
Success and Failure
Kerberos Authentication Service
No Auditing
Kerberos Service Ticket OperationsNo Auditing
Other Account Logon EventsSuccess and Failure
Account Management
Application Group Management
Success and Failure
Computer Account Management
Success and Failure
Distribution Group Management
Success and Failure
Other Account Management EventsSuccess and Failure
Security Group ManagementSuccess and Failure
User Account Management
Success and Failure
Detailed TrackingDPAPI Activity
No AuditingPNP (Plug and Play)Success
Process CreationSuccess and Failure
Process Termination
No AuditingRPC EventsSuccess and Failure
Token Right Adjusted
Success
DS AccessDetailed Directory Service ReplicationNo AuditingDirectory Service AccessNo Auditing
Directory Service Changes
Success and FailureDirectory Service ReplicationNo Auditing
Logon/Logoff
Account Lockout
SuccessGroup MembershipSuccess
IPsec Extended ModeNo Auditing
IPsec Main ModeNo Auditing
IPsec Quick ModeNo Auditing
Logoff
SuccessLogonSuccess and FailureNetwork Policy Server
Success and Failure
Other Logon/Logoff EventsSuccess and FailureSpecial LogonSuccess and FailureUser/Device Claims
No AuditingObject Access
Application Generated
Success and Failure
Central Access Policy StagingNo Auditing
Certification ServicesSuccess and Failure
Detailed File ShareSuccess
File ShareSuccess and Failure
File SystemSuccess
Filtering Platform Connection
Success
Filtering Platform Packet Drop
No Auditing
Handle ManipulationNo Auditing
Kernel Object
No Auditing
Other Object Access Events
No Auditing
Registry
Success
Removable Storage
Success and Failure
SAM
Success
Policy Change
Audit Policy Change
Success and Failure
Authentication Policy Change
Success and Failure
Authorization Policy ChangeSuccess and Failure
Filtering Platform Policy ChangeSuccess
MPSSVC Rule-Level Policy Change
No Auditing
Other Policy Change Events
No AuditingPrivilege Use
Non-Sensitive Privilege Use
No Auditing
Other Privilege Use Events
No Auditing
Sensitive Privilege Use
Success and Failure
System
IPsec Driver
Success
Other System Events
Failure
Security State Change
Success and Failure
Security System Extension
Success and Failure
System Integrity
Success and Failure
Global Object Access Auditing
File System
No Auditing
Registry
No Auditing
Advanced Microsoft Command Line Logging
For advanced Microsoft command line and PowerShell module logging, make the following changes to group policy:
- Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking > Audit Process Creation > Enable
- Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events > Enable
- User Configuration > Policies > Administrative Templates > Windows Components > Windows Powershell
- Turn on Module Logging
- Enable and set module names to *
- Turn on Module Logging
- Turn on PowerShell Script Block Logging
- Enable and select Log script block invocation start / stop events
Summary
Windows offers an incredible amount of power with the settings that Group Policy can control, while these are just a portion of the logging GPO settings that can massively increase the visibility into an environment. Without a large portion of these settings, many different system attacks and malicious activities may end up being missed, such as brute-force authentication attempts, command and control traffic, and the addition of settings, software, or users to maintain a persistent connection on an endpoint.
Combining advanced auditing with log collection, correlation, alerting and reports can give security teams deeper insights and the ability to react as needed to respond to or mitigate potential threats.
- Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
-
Amanda Berlin
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
More from the blog
View All PostsSubscribe to email updates
Stay up-to-date on what's happening at this blog and get additional content about the benefits of subscribing.