How to Use Security Audit Policies in Windows?

An administrator can use security event auditing to get reliable information about everything that happens on a system, monitor user activity, and use that information to identify weaknesses in the server's security. On Windows, such events are recorded in the Security log of the operating system. In this article, we will show you how to configure security audit policies in Windows, using the configuration of file and folder access auditing as an example.

You can use the Group Policy console to configure audit policies on Windows. If you are configuring policies for domain computers/servers, use the Group Policy Management Console (gpmc.msc). You can use the Local Group Policy Editor console (gpedit.msc) when setting up audit policy on a standalone server or in a workgroup.

The GPO console has two sections that contain audit policies: basic and advanced.

The basic audit policy is located under the GPO section Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. The following event categories are available in it:

  • Audit account logon events;
  • Audit account management;
  • Audit directory service access;
  • Audit logon events;
  • Audit object access;
  • Audit policy change;
  • Audit privilege use;
  • Audit process tracking;
  • Audit system events.


Advanced audit policies are located under the section: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration. There are 60 different audit policies, divided into 10 categories.

  • Account Logon;
  • Account Management;
  • Detailed Tracking;
  • DS Access;
  • Logon/Logoff;
  • Object Access;
  • Policy Change;
  • Privilege Use;
  • System;
  • Global Object Access Auditing.


In most cases, you should use the audit policies from the Advanced Audit Policy Configuration section: they allow you to fine-tune auditing and exclude unnecessary security events.

Before enabling Windows audit policies, we recommend increasing the maximum size of the Security log above its default of 128 MB on Windows Server.

Run the Event Viewer console (eventvwr.msc), expand Windows Logs, and open the Security log properties. Increase the value in the Maximum log size (KB) field.


Now you need to configure the policy for auditing user access to files and folders in the shared network folder. Go to the Advanced Audit Policy Configuration > Object Access section. Open the properties of the Audit File Share and Audit File System subcategories.

Enable the option Configure the following audit events.

Specify which events should be recorded in the Security log:

  • Success: successful user access to objects in the shared folder;
  • Failure: failed attempts to access objects in the shared folder.

In our case, it is enough to audit only Success events.


Now you need to assign an audit policy to the shared folder (that is, create system access control lists, SACLs).

Open the properties of the shared folder, go to the Security tab > Advanced > Auditing tab, and click Continue.


Click Add > Select a principal and add the principals, that is, the users or groups (local or from Active Directory) whose activity you want to audit. We added the Domain Users or Everyone group (this means that access to the shared network folder will be audited for all users).
Next, in the Permissions section, specify which user actions should be logged. I selected the events in the Delete category.


Save the changes and update the policies on the computer using the gpupdate command:

gpupdate /force

Now, if any user deletes a file or folder in your network folder, an event with EventID 4660 (“An object was deleted”, Task Category File System) from the Microsoft Windows security source will appear in the Security log.

The Account Name field of the event identifies the user who deleted the file.
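The following PowerShell script is an added example (not part of the original article) that pulls the deletions recorded by the policy above out of the Security log. Event 4660 names the account and the Handle ID but not the object; the 4663 event written for the same Handle ID carries the object name, so the script joins the two. It assumes it is run elevated on the file server after the policy and SACL have been applied.

```powershell
# Added example: list file/folder deletions recorded by the Audit File System policy.
# 4660 ("An object was deleted") carries the account but not the object name;
# 4663 with the same HandleId carries ObjectName, so the two are joined on HandleId.
# Assumes an elevated session on the audited file server (reading Security requires admin rights).
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# One query for both IDs; -ErrorAction avoids the error thrown when nothing matches.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4660, 4663
    StartTime = $since
} -ErrorAction SilentlyContinue

# Turn an event's EventData XML into a name -> value hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Index 4663 events by HandleId so each 4660 can look up the object name.
# Caveat: handle IDs are reused over time, so keep the query window short.
$names = @{}
foreach ($e in ($events | Where-Object Id -eq 4663)) {
    $d = ConvertTo-EventData $e
    if ($d.HandleId -and -not $names.ContainsKey($d.HandleId)) {
        $names[$d.HandleId] = $d.ObjectName
    }
}

$events | Where-Object Id -eq 4660 | ForEach-Object {
    $d = ConvertTo-EventData $_
    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        ObjectName = $names[$d.HandleId]   # $null when no matching 4663 was logged
        HandleId   = $d.HandleId
        Computer   = $_.MachineName
    }
} | Sort-Object Time | Format-Table -AutoSize
```

If ObjectName comes back empty, check that the SACL on the folder also audits the access rights that produce 4663 (for example Delete and Delete subfolders and files), since 4660 alone cannot tell you which object was removed.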


It is not recommended to enable many audit events at once: this increases the load on the computer, and a large volume of security events is much harder to search.

You can also manage audit policies through the auditpol.exe command line tool.

To display information about all enabled audit policies, run the command:

auditpol /get /category:*


To enable a specific audit policy, the following syntax is used:

auditpol /set /subcategory:"Registry" /success:enable

To reset audit policies to their clean state, use the command:

AuditPol /clear
Cyril Kardashevsky