Audit Audit Policy Change is an advanced audit policy setting which, if enabled, logs events when the system audit policies are modified. Audit policies are enabled to monitor the access and usage of users and entities on a network. Audit Audit Policy Change, in turn, audits changes to the audit policies themselves, to detect any malicious attempt to lower the security posture of the network.

Why should you enable Audit Audit Policy Change?

Audit Audit Policy Change audits and generates events for modifications to audit policies that are set up to safeguard the network. For example, this policy setting can detect an attempt to remove an audit policy that monitors the activities of privileged users. This is a risky, unusual modification that should be immediately investigated. Audit policies can be set up for every user and entity on an Active Directory network, so actions on these audit policies can themselves be important security events.

How to enable Audit Policy Change?

  • Open Server Manager on your Windows server.
  • Under the Manage tab, select Group Policy Management to view the Group Policy Management Console.
  • Navigate to Forest > Domain > Your Domain > Domain Controllers.
  • Either create a new Group Policy Object (GPO) or edit an existing one.
  • In the group policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
  • Expand the node and select Policy Change. Click on Audit Policy Change and enable it for 'Success' and 'Failure'.

These are some of the events that will be recorded when Audit Policy Change is enabled:
  • 4715: The audit policy (SACL) on an object was changed.
  • 4719: System audit policy was changed.
  • 4817: Auditing settings on object were changed.
  • 4902: The Per-user audit policy table was created.
  • 4906: The CrashOnAuditFail value has changed.
  • 4907: Auditing settings on object were changed.
  • 4908: Special Groups Logon table modified.
  • 4912: Per User Audit Policy was changed.
  • 4904: An attempt was made to register a security event source.
  • 4905: An attempt was made to unregister a security event source.
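
To check that the setting took effect and to review the events listed above, the following PowerShell sketch can be run on the audited host. It is an added example, not part of the original page or of ADAudit Plus. The 7-day look-back window is an assumption, and the field names (`AuditPolicyChanges`, `SubjectUserName`, `SubjectDomainName`) and `%%` tokens come from the Windows event 4719 schema rather than from this page.

```powershell
# Added example: run in an elevated PowerShell session on the audited host.
# 1. Confirm the GPO setting took effect (expect "Success and Failure").
#    The subcategory name is localized; this is the English name.
auditpol.exe /get /subcategory:"Audit Policy Change"

# 2. Event IDs from the list above.
$ids = 4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912

# Message-table tokens carried in the AuditPolicyChanges field of event 4719.
$changeNames = @{
    '%%8448' = 'Success removed'
    '%%8449' = 'Success added'
    '%%8450' = 'Failure removed'
    '%%8451' = 'Failure added'
}

# Look-back window (assumption: 7 days; adjust to your log retention).
$since = (Get-Date).AddDays(-7)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $ids; StartTime = $since
} -ErrorAction SilentlyContinue   # suppresses the "no events found" error

$report = foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    $changes = ''
    if ($e.Id -eq 4719 -and $data['AuditPolicyChanges']) {
        $changes = ($data['AuditPolicyChanges'] -split ',' | ForEach-Object {
            $t = $_.Trim()
            if ($changeNames.ContainsKey($t)) { $changeNames[$t] } else { $t }
        }) -join ', '
    }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        EventId     = $e.Id
        Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Changes     = $changes
        # Removing Success or Failure auditing reduces coverage: review first.
        Weakening   = $changes -match 'removed'
    }
}

$report | Sort-Object Weakening, TimeCreated -Descending | Format-Table -AutoSize
```

Rows with `Weakening` set to `True` are 4719 events in which Success or Failure auditing was removed from a subcategory, which is the kind of change the section above says should be investigated immediately.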

Audit Policy Change with ADAudit Plus

ADAudit Plus is an Active Directory auditing solution that can audit and generate reports on all the users and entities on the network, in real time. This tool can audit AD objects that have audit policies applied to them, as well as the audit policies themselves. It has a section for GPO settings changes, which has multiple reports on the various group policy changes, including modifications to audit policy. Unlike Windows Event Viewer, this tool provides all the necessary information in one place. Here is a sample report from ADAudit Plus on system audit policy change:

This report gives information on the audit policy that was modified, the user who initiated it, the time stamp and so on. This report can help administrators to survey the changes made to system audit policies and detect an unauthorized or anomalous change, if any. This report can be accessed on ADAudit Plus by navigating to Reports > GPO Setting Changes > User Rights Assignment Changes.

About ADAudit Plus

ADAudit Plus is a real-time, web-based Windows Active Directory change reporting software that audits, tracks, reports and alerts on Windows (Active Directory, workstation logon/logoff, file servers and servers), NetApp filers and EMC servers to help meet the demands of security, audit and compliance, including FISMA compliance. With ADAudit Plus, you can track authorized and unauthorized AD management changes, user access, GPO setting changes, and changes to groups, computers and OUs. Track every file and folder modification, access and permission change with 200+ detailed event-specific reports and get instant email alerts. You can also export the results to XLS, HTML, PDF and CSV formats to assist in interpretation and computer forensics. For more information on ADAudit Plus, visit https://www.manageengine.com/active-directory-audit/.
