Audit policies are the bedrock of your IT security plans. They determine exactly what events you need to monitor, and will ultimately determine what footprints are available when you try to investigate a security incident.

We recommend that you have an audit policy strategy in place before you actually start configuring your policy settings. We've outlined a strategy for you.

Develop an audit policy strategy

Here are five things you need to do to develop an audit policy strategy:

Have a clear picture of what events are important

One thing you need to know about monitoring events is that it's extremely time-consuming. This is because even a small change to a policy setting generates numerous events, most of which are 'noise'. Combing through all this noise to look for a particular event wastes effort, and could stop you from responding to a security incident quickly.

Therefore, first come up with a list of events that are important to your organization's security. You can then configure the audit policies that generate these events. This makes it easier to track suspicious activity.

Leverage group policy management

Configuring audit policies within a group policy gives you a centralized way to deploy your audit policies to entities within the domain.

Know the structure of your AD network

While configuring your audit policies in a group policy setting, it's important to know how your organization is structured. You need a clear picture of what organizational units need what security settings, and how they're logically organized. This will help you in understanding how to deploy your audit policies.

Log collection and event monitoring

Organize how you'll store and review your logs. You can store the logs on the local computers, or send them to a centralized location.

Before we jump into what audit policies you should configure, we thought we'd tell you about the benefits of having a centralized platform for your event logs.

Centralized platform for event logs

You probably already know you can use Event Viewer to view your logs. But we suggest that you opt for a more efficient solution that helps you get actionable information. There are a number of such solutions, but it goes without saying that we'd like you to give ManageEngine ADAudit Plus a try. We'll discuss how ADAudit Plus can help you keep track of all your events at the end of this article.

The reason we recommend using an efficient solution is that it speeds up the process of looking for specific events. Also, disparate events from all over the network can be correlated to build a clear picture of an incident. This improves your troubleshooting capabilities and reduces your incident response time.

Once your audit strategy is ready, you can go ahead and configure audit policies. Now we list three recommended audit policies you should configure.

Configure event log size

Standard log sizes are already defined, but you can change these settings to increase the retention period. This prevents the logs from being overwritten, so you won't lose your audit trail.

How to do this: In the required audit policy, you can define the event log settings at Computer Configuration -> Policies -> Security Settings -> Event Log.

The Microsoft Windows documentation on audit policy recommendations prescribes the following retention settings:

  • Maximum Application log size - 4,194,240 (kilobytes)
  • Maximum Security log size - 4,194,240 (kilobytes)
  • Maximum System log size - 4,194,240 (kilobytes)

Configure Password policies and account lockouts

To log events for account lockouts and password failures, you'll have to configure these settings and also set a threshold.

Password Policy

How to do this: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy

  • Enforce password history - 24
  • Maximum password age - 60
  • Minimum password age - 1
  • Minimum password length - 14
  • Password must meet complexity requirements- Enabled

Account Lockout

How to do this: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy

  • Enforce password history - 24
  • Account lockout threshold - 10
  • Reset lockout counter after - 15

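As an added example (not code from the article or from ManageEngine), here is a PowerShell check that compares a domain's effective password and lockout policy, plus the local event log sizes, with the values recommended in the three sections above. It assumes the ActiveDirectory RSAT module is installed and that it runs in an elevated session on a domain controller.

```powershell
# Added example, not part of the original article.
Import-Module ActiveDirectory

# Effective domain password and lockout policy (Default Domain Policy values).
$pol = Get-ADDefaultDomainPasswordPolicy

# Recommended values from the article. Each check is a script block so that the
# "disabled" encodings AD uses (lockout threshold 0, max age 0 = never expires) fail.
$checks = @(
    @{ Name = 'Enforce password history';          Actual = $pol.PasswordHistoryCount;                       Recommended = 24;    Pass = { $args[0] -ge 24 } }
    @{ Name = 'Maximum password age (days)';       Actual = [int]$pol.MaxPasswordAge.TotalDays;              Recommended = 60;    Pass = { $args[0] -ge 1 -and $args[0] -le 60 } }
    @{ Name = 'Minimum password age (days)';       Actual = [int]$pol.MinPasswordAge.TotalDays;              Recommended = 1;     Pass = { $args[0] -ge 1 } }
    @{ Name = 'Minimum password length';           Actual = $pol.MinPasswordLength;                          Recommended = 14;    Pass = { $args[0] -ge 14 } }
    @{ Name = 'Password complexity';               Actual = $pol.ComplexityEnabled;                          Recommended = $true; Pass = { $args[0] -eq $true } }
    @{ Name = 'Account lockout threshold';         Actual = $pol.LockoutThreshold;                           Recommended = 10;    Pass = { $args[0] -ge 1 -and $args[0] -le 10 } }
    @{ Name = 'Reset lockout counter after (min)'; Actual = [int]$pol.LockoutObservationWindow.TotalMinutes; Recommended = 15;    Pass = { $args[0] -ge 15 } }
)

foreach ($c in $checks) {
    $ok = & $c.Pass $c.Actual
    '{0,-36} actual={1,-6} recommended={2,-6} {3}' -f $c.Name, $c.Actual, $c.Recommended, $(if ($ok) { 'OK' } else { 'REVIEW' })
}

# Event log sizes on this machine. Get-WinEvent -ListLog reports bytes; the article
# recommends 4,194,240 KB for each of the three classic logs.
$recommendedKB = 4194240
foreach ($name in 'Application', 'Security', 'System') {
    $log = Get-WinEvent -ListLog $name
    $kb  = [int]($log.MaximumSizeInBytes / 1KB)
    '{0,-12} max size {1,10} KB (recommended {2} KB) {3}' -f $name, $kb, $recommendedKB, $(if ($kb -ge $recommendedKB) { 'OK' } else { 'REVIEW' })
}
```

A 'REVIEW' line means the effective setting differs from the recommendation, which can be deliberate (for example a fine-grained password policy that overrides the domain default for some groups), so confirm before changing it.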
Audit Policy Settings for your domain controller

How to configure these settings: Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration

Account Logon

  • Audit Credential Validation - Success and Failure
  • Audit Kerberos Authentication Services - Not configured
  • Audit Kerberos Service Ticket Operations - Not configured
  • Audit Other Account Logon Events - Not configured

Account Management

  • Audit Application Group Management - Not configured
  • Audit Computer Account Management - Success
  • Audit Distribution Group Management - Not configured
  • Audit Other Account Management Events - Success and Failure
  • Audit Security Group Management - Success and Failure
  • Audit User Account Management - Success and Failure

Detailed Tracking

  • Audit DPAPI Activity - Not configured
  • Audit Plug and Play Events - Success
  • Audit Process Creation - Success
  • Audit Process Termination - Not configured
  • Audit RPC Events - Not configured
  • Audit Token Right Adjusted - Not configured

DS Access

  • Audit Detailed Directory Service Replication - Not configured
  • Audit Directory Service Access - Success and Failure
  • Audit Directory Service Changes - Success and Failure
  • Audit Directory Service Replication - Not configured

Logon/Logoff

  • Audit Account Lockout - Success and Failure
  • Audit User/Device Claims - Not configured
  • Audit Group Membership - Success
  • Audit IPsec Extended Mode - Not configured
  • Audit IPsec Main Mode - Not configured
  • Audit Logoff - Success
  • Audit Logon - Success and Failure
  • Audit Network Policy Server - Not configured
  • Audit Other Logon/Logoff Events - Not configured
  • Audit Special Logon - Success

Object Access

  • Audit Application Generated - Not configured
  • Audit Certification Services - Not configured
  • Audit Detailed File Share - Not configured
  • Audit File Share - Not configured
  • Audit File System - Not configured
  • Audit Filtering Platform Connection - Not configured
  • Audit Filtering Platform Packet Drop - Not configured
  • Audit Handle Manipulation - Not configured
  • Audit Kernel Object - Not configured
  • Audit Other Object Access Events - Not configured
  • Audit Registry - Not configured
  • Audit Removable Storage - Success and Failure
  • Audit SAM - Not configured
  • Audit Central Access Policy Staging - Not configured

Policy Change

  • Audit Audit Policy Change - Success and Failure
  • Audit Authentication Policy Change - Success
  • Audit Authorization Policy Change - Success
  • Audit Filtering Platform Policy Change - Not configured
  • Audit MPSSVC Rule-Level Policy Change - Not configured
  • Audit Other Policy Change Events - Not configured

Privilege Use

  • Audit Non Sensitive Privilege Use - Not configured
  • Audit Other Privilege Use Events - Not configured
  • Audit Sensitive Privilege Use - Success and Failure

System

  • Audit IPsec Driver - Success and Failure
  • Audit Other System Events - Success and Failure
  • Audit Security State Change - Success
  • Audit Security System Extension - Success and Failure
  • Audit System Integrity - Success and Failure

Global Object Access Auditing

  • File System - Not configured
  • Registry - Not configured
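
As an added example (not code from the article or from ManageEngine), here is a PowerShell script that reads the effective Advanced Audit Policy on the machine it runs on with the built-in auditpol tool and compares every subcategory the list above sets explicitly against the recommended value. It assumes an elevated session on the domain controller and an English-language system, since auditpol prints localized subcategory names.

```powershell
# Added example, not part of the original article.
# Recommended subcategories from the list above that carry an explicit setting.
# 'Not configured' entries are omitted: they leave whatever the host already has.
$recommended = @{
    'Credential Validation'           = 'Success and Failure'
    'Computer Account Management'     = 'Success'
    'Other Account Management Events' = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Plug and Play Events'            = 'Success'
    'Process Creation'                = 'Success'
    'Directory Service Access'        = 'Success and Failure'
    'Directory Service Changes'       = 'Success and Failure'
    'Account Lockout'                 = 'Success and Failure'
    'Group Membership'                = 'Success'
    'Logoff'                          = 'Success'
    'Logon'                           = 'Success and Failure'
    'Special Logon'                   = 'Success'
    'Removable Storage'               = 'Success and Failure'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success'
    'Authorization Policy Change'     = 'Success'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'IPsec Driver'                    = 'Success and Failure'
    'Other System Events'             = 'Success and Failure'
    'Security State Change'           = 'Success'
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
}

# 'auditpol /get /category:* /r' prints the effective policy as CSV with
# 'Subcategory' and 'Inclusion Setting' columns; blank lines are dropped before parsing.
$effective = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

$report = foreach ($name in ($recommended.Keys | Sort-Object)) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    # A 'Success' recommendation is also satisfied by 'Success and Failure'.
    $ok = if ($recommended[$name] -eq 'Success') { $actual -match 'Success' } else { $actual -eq $recommended[$name] }
    [pscustomobject]@{
        Subcategory = $name
        Recommended = $recommended[$name]
        Actual      = $actual
        Status      = $(if ($ok) { 'OK' } else { 'REVIEW' })
    }
}
$report | Format-Table -AutoSize
'{0} of {1} recommended subcategories match' -f ($report | Where-Object Status -eq 'OK').Count, $report.Count
```

Because auditpol shows the merged result of every GPO that applies to the host, a mismatch here points at either a missing setting in the GPO or another policy overriding it, which is the first thing to check before trusting any investigation that depends on those events.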
Important events to monitor for suspicious activity

Here's a list of important events you should monitor. We have a series of dedicated posts for each of these events. You can check out how each of these settings can be configured and how you can view these events in Event Viewer. You'll also learn how you can access a consolidated view of all your events in ADAudit Plus.

  • Successful logons – Event ID 4624
  • Failures due to bad passwords – Event ID 4625
  • Logon Failures – Event ID 4624, 4771
  • User Added to Privileged Group – Event ID 4728, 4732, 4756
  • Security enabled group modification – Event ID 4735
  • Account logon with explicit credentials – Event ID 4648
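
As an added example (not code from the article or from ManageEngine), here is a PowerShell query that pulls the event IDs listed above from the Security log for the last 24 hours and summarises the two a reviewer looks at first: repeated 4625 failures per account, measured against the article's lockout threshold of 10, and additions to privileged groups (4728, 4732, 4756). It assumes an elevated session on the domain controller, or on a collector that receives its Security log.

```powershell
# Added example, not part of the original article.
$Since    = (Get-Date).AddHours(-24)
$WatchIds = 4624, 4625, 4648, 4728, 4732, 4735, 4756, 4771   # IDs from the list above

# Read one named field out of an event's EventData XML (e.g. TargetUserName).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches the filter.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $WatchIds; StartTime = $Since } -ErrorAction SilentlyContinue

# Volume per event ID, so noisy IDs (4624) sit next to rare ones (4728).
$events | Group-Object Id | Sort-Object Name | ForEach-Object { '{0,6} x event {1}' -f $_.Count, $_.Name }

# Failed logons (4625) grouped by target account. More failures than the article's
# lockout threshold from a single account in the window deserves a closer look.
$LockoutThreshold = 10
$events | Where-Object Id -eq 4625 | ForEach-Object {
    [pscustomobject]@{ Account = Get-EventField $_ 'TargetUserName'; Source = Get-EventField $_ 'IpAddress' }
} | Group-Object Account | Where-Object Count -ge $LockoutThreshold | ForEach-Object {
    '{0}: {1} failed logons from {2}' -f $_.Name, $_.Count, (($_.Group.Source | Select-Object -Unique) -join ', ')
}

# Privileged group additions (4728 global, 4732 local, 4756 universal): who added whom to which group.
$events | Where-Object { $_.Id -in 4728, 4732, 4756 } | ForEach-Object {
    '{0:u} {1} added {2} to {3}' -f $_.TimeCreated, (Get-EventField $_ 'SubjectUserName'), (Get-EventField $_ 'MemberName'), (Get-EventField $_ 'TargetUserName')
}
```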

How can ADAudit Plus help you monitor events?

Although Event Viewer is the default tool to check your logs, you could also try a premium solution like ADAudit Plus.

ADAudit Plus is a comprehensive solution that simplifies AD auditing and reporting. It is a one-stop platform that brings together an intuitive user interface, pre-configured reports, and advanced filter options to make it easy for you to track changes to your network and detect threats immediately. You get a fully equipped dashboard that gives you a holistic view of the various systems in your network. This way you can correlate events across the network and spot suspicious behavior.

To track events related to your audit policies, check out the 'GPO Settings' section, which lists various reports on changes made to audit policies. You can also try the 'GPO Management' reports to track modifications made to your GPOs.

Image: The GPO Settings section of ADAudit Plus

Image: The 'GPO management' reports in ADAudit Plus

ADAudit Plus is a real-time, web-based Windows Active Directory (AD) change reporting software that audits, reports and alerts on Active Directory, Windows servers and workstations, and NAS storage devices to meet security and compliance requirements. You can track AD management changes, processes, folder modifications, permission changes, and more with 200+ reports and real-time alerts. You can also get out-of-the-box reports for compliance mandates such as HIPAA. To learn more, visit https://www.manageengine.com/active-directory-audit/
