What is Audit Security System Extension?

Audit Security System Extension is an advanced audit policy which, if enabled, audits and records system events such as the loading of authentication packages, notification packages, security packages, and so on. It also records events when services are installed on the system. Authentication and security packages are contained in dynamic-link libraries (DLL) which help in authenticating a user when they enter their credentials. The notification packages assist In the password creation process by ensuring that the password created by the user adheres to the password policy of the network.

Why should you enable Audit Security System Extension?

This policy mainly audits the functioning of the authentication, notification and security packages and so on. These events are crucial in the authentication process and malfunctioning of these could prevent a user from logging in. Since these packages contain authentication information in plain text, they should be continuously monitored to ensure that a malicious agent does not tamper with them.

How to enable Audit Security System Extension?

Open Server Manager on your Windows server.
Under the Manage tab, select Group Policy Management to view the Group Policy Management Console.
Navigate to Forest > Domain > Your Domain > Domain Controllers.
Either create a new group policy object or you can edit an existing GPO.
In the group policy editor, navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration.
Expand the node and select System. Click on Audit Security System Extension and enable it for 'Success' and 'Failure'.

If this audit policy is enabled, the following events will be recorded:

4610: An authentication package has been loaded by the Local Security Authority.
4611: A trusted logon process has been registered with the Local Security Authority.
4614: A notification package has been loaded by the Security Account Manager.
4622: A security package has been loaded by the Local Security Authority.
4697: A service was installed in the system.

Auditing system events with ADAudit Plus

ADAudit Plus is an Active Directory auditing tool that can help audit all the important events on the network in real-time. This tool has the capability to audit all the major system events and generates audit reports on the same. Here is a sample report on system events:

This report gives information such as the server on which the event happened, the timestamp, details about the actual domain, and so on. This report can help an administrator gain comprehensive knowledge about all the important system events such as systems starting up, users logging in and so on.

It can be accessed on ADAudit Plus by navigating to Server Audit > Server Audit Reports > System Events.

About ADAudit Plus

ADAudit Plus is a real-time, web-based Windows Active Directory change reporting software that audits, tracks, reports and alerts on Windows (Active Directory, workstations logon/logoff, file servers and servers), NetApp filers and EMC servers to help meet the demands of the much-needed security, audit and compliance. With ADAudit Plus, track authorized/unauthorized AD management changes, system events, access of users, GPO, groups, computer, OU. Track every file, folder modifications, access and permissions changes with 200+ detailed event-specific reports and get instant emails alerts. You can also export the results to XLS, HTML, PDF and CSV formats to assist in interpretation and computer forensics. For more information on ADAudit Plus, visit https://www.manageengine.com/active-directory-audit/.

More related links

✕
Native auditing becoming a little too much?

Try ADAudit Plus login monitoring tool to audit, track, and respond to malicious login and logoff actions instantaneously.
Try ADAudit Plus for free