
One of the most commonly overlooked configurations is the built-in logging capability of Microsoft Windows, which continues to dominate the corporate enterprise market.

While the Windows Event Viewer can be used to investigate single instances on an endpoint, the ability to correlate that data across the estate is a large advantage to any security team. The default logging enabled on a Microsoft AD domain and its endpoints captures only a fraction of the helpful data that can be obtained.

Here are a few modifications that can offer a deeper look into your Windows environment.


Group Policy Objects

Group Policy Objects (GPOs) are used to centrally manage hardware and software settings in a domain configuration. They are broken up into local and domain policies and can be linked to specific accounts or containers, applied in a defined order of precedence, so that the effective settings differ by target. Controlling event logging settings from within GPOs allows different settings to be applied to different groups of assets such as domain controllers, servers and endpoints.

*NOTE* All GPO changes should be thoroughly planned and tested in any environment.

Event Log Sizes

Default event log file sizes are traditionally too small; if a networking issue interrupts log aggregation, older events can be overwritten before a collector retrieves them. Taking into account the virtualization and hardware of today’s infrastructure, the sizes found below are recommended.

  1. Open Group Policy Management on a domain controller
  2. Either find the policy that will be edited or create a new policy
  3. Right-click on the GPO and select edit
  4. Configure event log sizes: Computer Configuration > Policies > Windows Settings > Security Settings > Event Log

Event Log
  Maximum Application Log Size – 256k (or larger)
  Maximum Security Log Size – Regular Endpoints: 1,024,000kb (minimum); Server Endpoints: 2,048,000kb (minimum)
  Maximum System Log Size – 256k (or larger)

Advanced Audit Policy Configuration

Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy made it possible to configure much more granular settings for Windows audit logging.

  1. Enable advanced auditing
      • Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
        • Audit: Force audit policy subcategory settings – Enabled
  2. Configure Advanced Audit Policies
      • Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies

Account Logon
  Credential Validation – Success and Failure
  Kerberos Authentication Service – No Auditing
  Kerberos Service Ticket Operations – No Auditing
  Other Account Logon Events – Success and Failure

Account Management
  Application Group Management – Success and Failure
  Computer Account Management – Success and Failure
  Distribution Group Management – Success and Failure
  Other Account Management Events – Success and Failure
  Security Group Management – Success and Failure
  User Account Management – Success and Failure

Detailed Tracking
  DPAPI Activity – No Auditing
  PNP (Plug and Play) – Success
  Process Creation – Success and Failure
  Process Termination – No Auditing
  RPC Events – Success and Failure
  Token Right Adjusted – Success

DS Access
  Detailed Directory Service Replication – No Auditing
  Directory Service Access – No Auditing
  Directory Service Changes – Success and Failure
  Directory Service Replication – No Auditing

Logon/Logoff
  Account Lockout – Success
  Group Membership – Success
  IPsec Extended Mode – No Auditing
  IPsec Main Mode – No Auditing
  IPsec Quick Mode – No Auditing
  Logoff – Success
  Logon – Success and Failure
  Network Policy Server – Success and Failure
  Other Logon/Logoff Events – Success and Failure
  Special Logon – Success and Failure
  User/Device Claims – No Auditing

Object Access
  Application Generated – Success and Failure
  Central Access Policy Staging – No Auditing
  Certification Services – Success and Failure
  Detailed File Share – Success
  File Share – Success and Failure
  File System – Success
  Filtering Platform Connection – Success
  Filtering Platform Packet Drop – No Auditing
  Handle Manipulation – No Auditing
  Kernel Object – No Auditing
  Other Object Access Events – No Auditing
  Registry – Success
  Removable Storage – Success and Failure
  SAM – Success

Policy Change
  Audit Policy Change – Success and Failure
  Authentication Policy Change – Success and Failure
  Authorization Policy Change – Success and Failure
  Filtering Platform Policy Change – Success
  MPSSVC Rule-Level Policy Change – No Auditing
  Other Policy Change Events – No Auditing

Privilege Use
  Non-Sensitive Privilege Use – No Auditing
  Other Privilege Use Events – No Auditing
  Sensitive Privilege Use – Success and Failure

System
  IPsec Driver – Success
  Other System Events – Failure
  Security State Change – Success and Failure
  Security System Extension – Success and Failure
  System Integrity – Success and Failure

Global Object Access Auditing
  File System – No Auditing
  Registry – No Auditing
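Once the GPO has applied, the effective policy on a host can be compared against the table above. The following script is an added example, not code from the original article: it parses the CSV output of auditpol and reports drift from a baseline table. The $Baseline hashtable holds a subset of the rows above; extend it with the remaining subcategories as needed.

```powershell
# Added example (not from the original article): report where this host's effective
# audit policy drifts from the subcategory baseline in the table above.
# Run in an elevated PowerShell session on the machine being checked.
# $Baseline is a subset of the table. auditpol's subcategory names occasionally differ
# from the GPO display names (e.g. the GPO's "PNP (Plug and Play)" is listed by auditpol
# as "Plug and Play Events"), so take names from 'auditpol /list /subcategory:*' when
# extending it.

$Baseline = @{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'No Auditing'
    'Kerberos Service Ticket Operations' = 'No Auditing'
    'Other Account Logon Events'         = 'Success and Failure'
    'Computer Account Management'        = 'Success and Failure'
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'Process Creation'                   = 'Success and Failure'
    'Process Termination'                = 'No Auditing'
    'Account Lockout'                    = 'Success'
    'Logoff'                             = 'Success'
    'Logon'                              = 'Success and Failure'
    'Special Logon'                      = 'Success and Failure'
    'File Share'                         = 'Success and Failure'
    'Removable Storage'                  = 'Success and Failure'
    'Audit Policy Change'                = 'Success and Failure'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'Security State Change'              = 'Success and Failure'
    'System Integrity'                   = 'Success and Failure'
}

# /r makes auditpol emit CSV; the 'Inclusion Setting' column holds the effective setting
# per subcategory ("Success", "Failure", "Success and Failure" or "No Auditing").
$effective = @{}
auditpol /get /category:* /r |
    Where-Object { $_ -match '\S' } |
    ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory.Trim()] = $_.'Inclusion Setting'.Trim() }

# One row per subcategory whose effective setting differs from the baseline.
$drift = foreach ($name in ($Baseline.Keys | Sort-Object)) {
    $actual = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'Not reported' }
    if ($actual -ne $Baseline[$name]) {
        [pscustomobject]@{ Subcategory = $name; Expected = $Baseline[$name]; Actual = $actual }
    }
}

if ($drift) { $drift | Format-Table -AutoSize } else { 'All checked subcategories match the baseline.' }
```

Running it on a domain controller and on a member server shows the DS Access rows only on the former, since those subcategories are only meaningful where the directory service runs.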

Advanced Microsoft Command Line Logging

For advanced Microsoft command line and PowerShell module logging, make the following changes to group policy:

  1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking > Audit Process Creation > Enable
  2. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events > Enable
  3. User Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell
      • Turn on Module Logging
        • Enable and set module names to *
      • Turn on PowerShell Script Block Logging
        • Enable and select Log script block invocation start / stop events
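The settings above are stored as registry values by Group Policy, and the proof that they work is in the events themselves. The following script is an added example, not code from the original article: it reads those values and then checks that a recent 4688 event carries a command line and that 4104 script block events exist. It assumes the Module Logging and Script Block Logging policies were set under User Configuration as above, so they are read from HKCU; a Computer Configuration policy writes the same values under HKLM instead.

```powershell
# Added example (not from the original article): confirm the command line and PowerShell
# logging policies above have applied on this host. Run in an elevated PowerShell session.
# Module/script block values are read from HKCU because the article places those policies
# under User Configuration; a Computer Configuration policy writes them under HKLM.

$psPolicy = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
$checks = @(
    @{ Name  = 'Include command line in process creation events'
       Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled' },
    @{ Name  = 'Turn on Module Logging'
       Path  = "$psPolicy\ModuleLogging"
       Value = 'EnableModuleLogging' },
    @{ Name  = 'Turn on PowerShell Script Block Logging'
       Path  = "$psPolicy\ScriptBlockLogging"
       Value = 'EnableScriptBlockLogging' },
    @{ Name  = 'Log script block invocation start / stop events'
       Path  = "$psPolicy\ScriptBlockLogging"
       Value = 'EnableScriptBlockInvocationLogging' }
)

foreach ($c in $checks) {
    # A missing key or value means the policy never applied; 1 means Enabled, 0 Disabled.
    $data  = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $state = if ($data -eq 1) { 'Enabled' } elseif ($null -eq $data) { 'Not configured' } else { 'Disabled' }
    '{0,-52} {1}' -f $c.Name, $state
}

# Module names are stored as individual values under ModuleNames; '*' covers every module.
$modules = Get-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -ErrorAction SilentlyContinue
$names   = ($modules.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object Name) -join ', '
"Module names logged: $names"

# Evidence from the logs: with the policy applied, the newest 4688 carries a CommandLine
# field, and the PowerShell operational log holds 4104 script block events.
$e = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($e) {
    $cmd = ([xml]$e.ToXml()).Event.EventData.Data | Where-Object { $_.Name -eq 'CommandLine' }
    'Latest 4688 includes a command line: ' + [bool]($cmd.'#text')
}
$sb = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
        -MaxEvents 1 -ErrorAction SilentlyContinue
'Script block (4104) events present: ' + [bool]$sb
```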

Summary

Windows offers an incredible amount of power through the settings that Group Policy can control, and those above are only a portion of the logging GPO settings that can massively increase visibility into an environment. Without a large portion of these settings, many system attacks and malicious activities may be missed, such as brute-force authentication attempts, command and control traffic, and the addition of settings, software, or users used to maintain a persistent connection on an endpoint.

Combining advanced auditing with log collection, correlation, alerting and reports can give security teams deeper insights and the ability to react as needed to respond to or mitigate potential threats.
