    April 13, 2020

    How to Optimize Windows Logging for Security

    One of the most commonly overlooked configurations is the built-in logging capability of Microsoft Windows, which continues to dominate the corporate enterprise market.

    While the Windows Event Viewer can be used to investigate single instances on an endpoint, the ability to correlate that data can be a large advantage to any security team. The default logging enabled on a Microsoft AD Domain and all endpoints doesn’t include a fraction of the helpful data that can be obtained.

    Here are a few modifications that can offer a deeper look into your Windows environment.


    Group Policy Objects

    Group Policy Objects (GPOs) are used to centrally manage hardware and software settings in a domain configuration. They are broken up into both local and domain policies and can be applied to specific accounts or containers in a certain order to see differing results. Controlling event logging settings from within GPOs allows different settings to be applied to different groups of assets such as domain controllers, servers and endpoints.

    *NOTE* All GPO changes should be thoroughly planned and tested in any environment.

    Event Log Sizes

    Default event log file sizes are traditionally too small and can cause gaps in log aggregation if a networking issue occurs: the oldest events are overwritten before a collector can retrieve them. Taking into account the virtualization and hardware of today’s infrastructure, the sizes found below are recommended.

    1. Open Group Policy Management on a domain controller
    2. Either find the policy that will be edited or create a new policy
    3. Right-click on the GPO and select edit
    4. Configure event log sizes: Computer Configuration > Policies > Windows Settings > Security Settings > Event Log

    Event Log                        Recommended size
    ----------------------------     -------------------------------------------
    Maximum Application Log Size     256k (or larger)
    Maximum Security Log Size        Regular Endpoints - 1,024,000kb (minimum)
                                     Server Endpoints - 2,048,000kb (minimum)
    Maximum System Log Size          256k (or larger)
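As an added example that is not part of the original post, the following PowerShell compares a host's effective log sizes (including anything pushed by Group Policy) against the minimums in the table. It assumes the table's values are kilobytes, as in the Group Policy setting, and treats any host whose operating system is not a workstation edition as a server.

```powershell
# Added example (not from the original post): compare the configured maximum
# size of the Application, Security and System logs on this host against the
# minimums recommended above. Run in an elevated PowerShell session.
# Assumption: a host whose ProductType is not 1 (Workstation) is a server.

$isServer = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType -ne 1
$securityKb = if ($isServer) { 2048000 } else { 1024000 }

# Recommended minimums from the post, in kilobytes.
$recommendedKb = @{
    'Application' = 256
    'System'      = 256
    'Security'    = $securityKb
}

$results = foreach ($logName in $recommendedKb.Keys) {
    # Get-WinEvent -ListLog returns the effective configuration, which already
    # reflects values applied through Group Policy.
    $log = Get-WinEvent -ListLog $logName -ErrorAction Stop
    $currentKb = [math]::Floor($log.MaximumSizeInBytes / 1KB)
    [pscustomobject]@{
        Log           = $logName
        CurrentKb     = $currentKb
        RecommendedKb = $recommendedKb[$logName]
        RetentionMode = $log.LogMode            # Circular, AutoBackup or Retain
        Compliant     = ($currentKb -ge $recommendedKb[$logName])
    }
}

$results | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or compliance pipeline that only
# inspects the return code flag undersized logs.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```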

    Advanced Audit Policy Configuration

    Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy made it possible to configure much more granular settings for Windows audit logging.

    1. Enable advanced auditing
       • Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
         • Audit: Force audit policy subcategory settings – Enabled
    2. Configure Advanced Audit Policies
       • Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies

    Account Logon
      Credential Validation                       Success and Failure
      Kerberos Authentication Service             No Auditing
      Kerberos Service Ticket Operations          No Auditing
      Other Account Logon Events                  Success and Failure

    Account Management
      Application Group Management                Success and Failure
      Computer Account Management                 Success and Failure
      Distribution Group Management               Success and Failure
      Other Account Management Events             Success and Failure
      Security Group Management                   Success and Failure
      User Account Management                     Success and Failure

    Detailed Tracking
      DPAPI Activity                              No Auditing
      PNP (Plug and Play)                         Success
      Process Creation                            Success and Failure
      Process Termination                         No Auditing
      RPC Events                                  Success and Failure
      Token Right Adjusted                        Success

    DS Access
      Detailed Directory Service Replication      No Auditing
      Directory Service Access                    No Auditing
      Directory Service Changes                   Success and Failure
      Directory Service Replication               No Auditing

    Logon/Logoff
      Account Lockout                             Success
      Group Membership                            Success
      IPsec Extended Mode                         No Auditing
      IPsec Main Mode                             No Auditing
      IPsec Quick Mode                            No Auditing
      Logoff                                      Success
      Logon                                       Success and Failure
      Network Policy Server                       Success and Failure
      Other Logon/Logoff Events                   Success and Failure
      Special Logon                               Success and Failure
      User/Device Claims                          No Auditing

    Object Access
      Application Generated                       Success and Failure
      Central Access Policy Staging               No Auditing
      Certification Services                      Success and Failure
      Detailed File Share                         Success
      File Share                                  Success and Failure
      File System                                 Success
      Filtering Platform Connection               Success
      Filtering Platform Packet Drop              No Auditing
      Handle Manipulation                         No Auditing
      Kernel Object                               No Auditing
      Other Object Access Events                  No Auditing
      Registry                                    Success
      Removable Storage                           Success and Failure
      SAM                                         Success

    Policy Change
      Audit Policy Change                         Success and Failure
      Authentication Policy Change                Success and Failure
      Authorization Policy Change                 Success and Failure
      Filtering Platform Policy Change            Success
      MPSSVC Rule-Level Policy Change             No Auditing
      Other Policy Change Events                  No Auditing

    Privilege Use
      Non-Sensitive Privilege Use                 No Auditing
      Other Privilege Use Events                  No Auditing
      Sensitive Privilege Use                     Success and Failure

    System
      IPsec Driver                                Success
      Other System Events                         Failure
      Security State Change                       Success and Failure
      Security System Extension                   Success and Failure
      System Integrity                            Success and Failure

    Global Object Access Auditing
      File System                                 No Auditing
      Registry                                    No Auditing
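To confirm that the matrix above has actually been applied to a host, the following PowerShell (an added example, not part of the original post) reads the effective audit policy with the built-in auditpol.exe and reports every subcategory the post wants enabled that is not. It assumes auditpol's CSV output format and its subcategory names, which differ from the GPO editor's for two entries noted in the comments.

```powershell
# Added example (not from the original post): compare this host's effective
# audit policy with the matrix recommended above. Uses the built-in
# auditpol.exe; run in an elevated PowerShell session. Only subcategories the
# post wants enabled are checked, and a stricter local setting (for example
# "Success and Failure" where the post asks for "Success") is accepted.

$expected = @{}
@('Credential Validation', 'Other Account Logon Events', 'Application Group Management',
  'Computer Account Management', 'Distribution Group Management', 'Other Account Management Events',
  'Security Group Management', 'User Account Management', 'Process Creation', 'RPC Events',
  'Directory Service Changes', 'Logon', 'Network Policy Server', 'Other Logon/Logoff Events',
  'Special Logon', 'Application Generated', 'Certification Services', 'File Share',
  'Removable Storage', 'Audit Policy Change', 'Authentication Policy Change',
  'Authorization Policy Change', 'Sensitive Privilege Use', 'Security State Change',
  'Security System Extension', 'System Integrity') |
    ForEach-Object { $expected[$_] = 'Success and Failure' }
# auditpol names two subcategories differently from the GPO editor:
# "PNP (Plug and Play)" is "Plug and Play Events" and "Token Right Adjusted"
# is "Token Right Adjusted Events".
@('Plug and Play Events', 'Token Right Adjusted Events', 'Account Lockout', 'Group Membership',
  'Logoff', 'Detailed File Share', 'File System', 'Filtering Platform Connection', 'Registry',
  'SAM', 'Filtering Platform Policy Change', 'IPsec Driver') |
    ForEach-Object { $expected[$_] = 'Success' }
$expected['Other System Events'] = 'Failure'

# /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting. Blank lines are
# dropped before parsing.
$current = auditpol /get /category:* /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv

$report = foreach ($row in $current) {
    if (-not $expected.ContainsKey($row.Subcategory)) { continue }
    $want = $expected[$row.Subcategory]
    # Every required outcome ("Success", "Failure") must appear in the current setting.
    $missing = ($want -split ' and ') | Where-Object { $row.'Inclusion Setting' -notmatch $_ }
    [pscustomobject]@{
        Subcategory = $row.Subcategory
        Expected    = $want
        Current     = $row.'Inclusion Setting'
        Compliant   = (-not $missing)
    }
}

$report | Sort-Object Compliant, Subcategory | Format-Table -AutoSize
if ($report.Compliant -contains $false) { exit 1 }
```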

    Advanced Microsoft Command Line Logging

    For advanced Microsoft command line and PowerShell module logging, make the following changes to group policy:

    1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking > Audit Process Creation > Enable
    2. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events > Enable
    3. User Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
       • Turn on Module Logging
         • Enable and set module names to *
       • Turn on PowerShell Script Block Logging
         • Enable and select Log script block invocation start / stop events
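Once these policies have replicated, the following PowerShell (an added example, not part of the original post) verifies on a single host that they took effect: it reads the registry values the policies write and then prints the most recent process-creation events so the CommandLine field can be seen populated. The registry paths are the standard policy locations and are not from the post; because the post places the PowerShell settings under User Configuration, the script reads them from HKCU for the logged-on user (they would be under the same path in HKLM if placed under Computer Configuration).

```powershell
# Added example (not from the original post): verify that the three Group
# Policy changes above have reached this host. Run in an elevated session
# (reading the Security log requires it). The registry paths are the standard
# policy locations these settings write to, not values taken from the post.

$checks = @(
    @{ Name = 'Process creation: include command line'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Key  = 'ProcessCreationIncludeCmdLine_Enabled' }
    # User Configuration policies land in HKCU; use HKLM if the GPO was
    # placed under Computer Configuration instead.
    @{ Name = 'PowerShell module logging'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Key  = 'EnableModuleLogging' }
    @{ Name = 'PowerShell script block logging'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Key  = 'EnableScriptBlockLogging' }
    @{ Name = 'Script block invocation start/stop'
       Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Key  = 'EnableScriptBlockInvocationLogging' }
)

foreach ($c in $checks) {
    # An absent key or value yields $null, reported as NOT SET.
    $value = (Get-ItemProperty -Path $c.Path -Name $c.Key -ErrorAction SilentlyContinue).($c.Key)
    $state = if ($value -eq 1) { 'ENABLED' } elseif ($null -eq $value) { 'NOT SET' } else { "DISABLED ($value)" }
    '{0,-42} {1}' -f $c.Name, $state
}

# Event 4688 (process creation) in the Security log. With both policies from
# steps 1 and 2 applied, the CommandLine field is populated; otherwise it is
# empty even though the event itself is written.
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 -ErrorAction SilentlyContinue
foreach ($e in $recent) {
    $xml = [xml]$e.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    '{0}  {1}  {2}' -f $e.TimeCreated, $fields['NewProcessName'],
        $(if ($fields['CommandLine']) { $fields['CommandLine'] } else { '<command line not logged>' })
}
```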

    Summary

    Group Policy gives administrators an incredible amount of control over Windows, and the settings above are only a portion of the logging-related GPO settings that can massively increase visibility into an environment. Without a large portion of these settings, many system attacks and malicious activities may be missed, such as brute-force authentication attempts, command and control traffic, and the addition of settings, software, or users to maintain a persistent connection on an endpoint.

    Combining advanced auditing with log collection, correlation, alerting and reports gives security teams deeper insight and the ability to respond to or mitigate potential threats as needed.


    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
