Best practice Audit Policies - Windows OS

When configuring Windows to write audit logs for your SIEM, consider the following policies as a way to improve value over volume in your logging. In today's SIEM platforms, storage space is always a consideration, as is the ability to create meaningful alarms. If you are in a SaaS model, then cost matters as well. The following Audit Policy settings, applied on the servers that write the key log files, will go a long way toward getting actionable intelligence from your current Windows OS.


OSSEC Windows Audit Policy



Basic vs Advanced Security Policy

Windows Server 2008/Windows Vista and later operating systems introduced more granular auditing settings.


Basic Audit policy in blue, Advanced in Green:



Checking Security Policy (Checking audit policy)

To see what auditing policy is actually in effect on a machine, run the following from an elevated (administrator) command prompt:

auditpol /get /category:*

Example output:


System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         Success
  IPsec Quick Mode                        Success
  IPsec Extended Mode                     Success
  Special Logon                           Success
  Other Logon/Logoff Events               Success
  Network Policy Server                   Success and Failure
  User / Device Claims                    Success
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
Policy Change
  Authentication Policy Change            Success
  Authorization Policy Change             Success
  MPSSVC Rule-Level Policy Change         Success
  Filtering Platform Policy Change        Success
  Other Policy Change Events              Success
  Audit Policy Change                     Success
Account Management
  User Account Management                 Success
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           Success
  Application Group Management            Success
  Other Account Management Events         Success
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                Success
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              Success
  Kerberos Authentication Service         Success

2012 R2, Win8, Win10 Audit Policy

Starting point with Audit Policies for good OSSEC logs

Feel free to enable as many as you like, though there are ramifications for doing so.


We are looking at value over volume here, and this is especially true in the age of SaaS-based SIEM models.



Advanced

Enable these










NOTES

  • Audit File Share does add value, but will be VERY high volume on file servers; enable with caution
  • Audit File System will be very verbose during patching
  • Note that auditing is left disabled for Windows Firewall


Known issues

Set the following subcategories to 'No Auditing'. If auditing is enabled for them, the system will likely overload itself (CPU, network, etc.) trying to process and forward the logs.

Object Access > Filtering Platform Connection
Detailed Tracking > Process Termination
Detailed Tracking > Process Creation
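As an added example (not part of the original page, and not OSSEC or AlienVault code), the following PowerShell script ties the "Checking audit policy" procedure above to the "Known issues" list: it reads a host's effective audit policy, either live through auditpol.exe from an elevated prompt or from captured `auditpol /get /category:*` text, and reports whether the three subcategories listed above are still at "No Auditing". The function names (`ConvertFrom-AuditPolText`, `Get-AuditPolicyState`, `Test-AuditBaseline`) and the `$MustBeOff` list are this example's own. It assumes auditpol.exe is on the PATH and relies on auditpol's `/r` switch, which emits CSV with "Subcategory" and "Inclusion Setting" columns; the captured-text sample embedded below is a constructed excerpt in the format shown earlier on this page, with one line deliberately non-compliant.

```powershell
# Added example, not part of the original page. Checks a host's audit policy
# against the subcategories this page says must stay at "No Auditing".
# Function and variable names are this example's own, not a Windows API.

# The three subcategories from the "Known issues" list on this page.
$MustBeOff = @('Filtering Platform Connection', 'Process Termination', 'Process Creation')

function ConvertFrom-AuditPolText {
    # Parses the column-aligned text printed by "auditpol /get /category:*":
    # category lines are flush left, subcategory lines are indented, and the
    # setting is separated from the subcategory name by two or more spaces.
    param([Parameter(Mandatory)] [string] $Text)
    $category = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\S') { $category = $line.Trim(); continue }
        if ($line -match '^\s+(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            [pscustomobject]@{
                Category    = $category
                Subcategory = $Matches[1]
                Setting     = $Matches[2]
            }
        }
    }
}

function Get-AuditPolicyState {
    # Live query of this host. The /r switch makes auditpol emit CSV, which is
    # more robust to parse than the text layout; only two columns are needed.
    $raw = & auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol exited with code $LASTEXITCODE; run from an elevated prompt"
    }
    $raw | Where-Object { $_ -match '\S' } | ConvertFrom-Csv | ForEach-Object {
        [pscustomobject]@{
            Category    = $null
            Subcategory = $_.Subcategory.Trim()
            Setting     = $_.'Inclusion Setting'.Trim()
        }
    }
}

function Test-AuditBaseline {
    # One row per required subcategory, flagged Compliant only when the
    # effective setting is exactly "No Auditing".
    param(
        [Parameter(Mandatory)] [object[]] $State,
        [string[]] $RequireNoAuditing = $MustBeOff
    )
    foreach ($name in $RequireNoAuditing) {
        $entry   = $State | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($entry) { $entry.Setting } else { '<not reported>' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            Compliant   = ($setting -eq 'No Auditing')
        }
    }
}

# --- Offline check against captured text. This excerpt is constructed in the
#     format shown on this page; "Process Creation" is deliberately drifted. ---
$captured = @'
Detailed Tracking
  Process Creation                        Success and Failure
  Process Termination                     No Auditing
Object Access
  Filtering Platform Connection           No Auditing
'@
Test-AuditBaseline -State (ConvertFrom-AuditPolText -Text $captured) |
    Format-Table -AutoSize | Out-Host

# --- Live check on this host. For each drifted subcategory, print the auditpol
#     command that restores the page's setting. Commands are printed only. ---
$report = Test-AuditBaseline -State (Get-AuditPolicyState)
$report | Format-Table -AutoSize | Out-Host
$report | Where-Object { -not $_.Compliant } | ForEach-Object {
    "auditpol /set /subcategory:`"$($_.Subcategory)`" /success:disable /failure:disable"
}
```

Against the constructed excerpt the report shows "Process Creation" as non-compliant and the other two as compliant; the live section then repeats the check on the host it runs on. Keeping the parse step separate from the comparison means the same baseline check can be run over output collected from many hosts by the SIEM agent, without needing to execute anything remotely.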










Do NOT enable these (there are scenarios where we can, but we will start with these off, as they can affect the server).



Win 2003 and Older Accepted settings

This is our default auditing policy to help prevent rapid log bloat. As we are off-loading all of the logs to our AlienVault server, these settings help prevent both the CPU from being over-utilized by the OSSEC process that sends these logs to AlienVault and the internet connection from becoming saturated. The key settings that should be set to "No auditing" are Audit object access and Audit process tracking.



DO NOT ENABLE OBJECT ACCESS ON Win 2003 and Older