Advanced Security Audit Policy Settings

The following baseline audit policy settings are recommended for normal security computers that are not known to be under active, successful attack by determined adversaries or malware. This section contains tables that list the audit setting recommendations that apply to the following operating systems:
These tables contain the Windows default setting, the baseline recommendations, and the stronger recommendations for these operating systems. In previous versions of Windows, only Success is enabled by default. A common mistake is to monitor only servers or domain controllers. Because malicious activity often begins on workstations, not monitoring workstations means ignoring the best and earliest source of information.
Administrators should thoughtfully review and test any audit policy prior to implementation in their production environment.
If Domain Admins (DAs) are forbidden from logging on to computers that are not domain controllers, a single occurrence of a DA member logging on to an end-user workstation should generate an alert and be investigated.
This type of alert is easy to generate by using the Audit Special Logon event "Special groups have been assigned to a new logon." Other examples of single-instance alerts include the following. Investigate if a regular end user attempts to log on directly to a SQL Server when they have no clear reason to do so. If your DA group has no members and someone adds themselves to it, check it immediately. An aberrant number of failed logons could indicate a password-guessing attack.
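The DA-on-workstation alert described above, as an added example that is not part of the original page: the script enables only the Special Logon subcategory, registers the Domain Admins group as a "special group" so that event 4964 ("Special groups have been assigned to a new logon") is written, and then reads those events back as alert records. It assumes an elevated session on a domain-joined workstation with the ActiveDirectory module available; the 24-hour window and the function name are arbitrary choices.

```powershell
# Added example, not from the Microsoft or ManageEngine text. Assumes it runs
# elevated on a domain-joined workstation where the ActiveDirectory module
# is available to resolve the Domain Admins SID.

# 1. Enable only the subcategory that produces the event we care about,
#    not the whole Logon/Logoff category (same signal, far less noise).
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable | Out-Null

# 2. Tell LSA which groups count as "special". Domain Admins is resolved from
#    the domain rather than hard-coded; several SIDs may be joined with ';'.
$daSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value
$auditKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'SpecialGroups' -Value $daSid -Type String

# 3. Read event 4964 back from the Security log and flatten the EventData
#    fields into one record per logon.
function Get-SpecialGroupLogon {
    param([int]$LastHours = 24)
    $filter = @{ LogName = 'Security'; Id = 4964
                 StartTime = (Get-Date).AddHours(-$LastHours) }
    # Get-WinEvent raises a non-terminating error when nothing matches.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = $_.MachineName
            User     = "$($d['TargetUserDomain'])\$($d['TargetUserName'])"
            LogonId  = $d['TargetLogonId']
            Groups   = $d['SidList']
        }
    }
}

# 4. On a workstation where DAs must never log on, a single hit is the alert.
$hits = @(Get-SpecialGroupLogon -LastHours 24)
if ($hits.Count -gt 0) {
    $hits | Format-Table -AutoSize
    Write-Warning "$($hits.Count) special-group logon(s) on $env:COMPUTERNAME; investigate."
}
```

In practice the collection step runs centrally (event forwarding or a SIEM) and the workstation only needs steps 1 and 2; the registry value takes effect for new logons without a reboot.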
For an enterprise to provide an alert for an unusually high number of failed logons, it must first understand the normal level of failed logons within its environment prior to a malicious security event.

Not all parameters are valid for each entry type.

Trusted forest information was added. Note: This event message is generated when forest trust information is updated and one or more entries are added. One event message is generated per added, deleted, or modified entry. If multiple entries are added, deleted, or modified in a single update of the forest trust information, all the generated event messages have a single unique identifier called an operation ID. This allows you to determine that the multiple generated event messages are the result of a single operation.

Trusted forest information was deleted.

The purpose of security auditing is to ensure that events are logged whenever an activity occurs. However, when every activity is audited, event logs become flooded with irrelevant information that makes it difficult for network administrators to separate critical events from insignificant ones. Advanced audit policy settings help administrators exercise granular control over which activities get recorded in the logs, helping cut down on event noise.
As an example, instead of turning on the entire DS Access audit policy category to troubleshoot a replication problem (which would generate around eight events every time the activity occurs), an administrator could turn on only the advanced audit policy subcategory for Directory Service Replication, which generates one event instead of eight. For information on how to configure SACLs, visit our help document.
Setting an advanced audit policy requires administrator-level account permissions or the appropriate delegated permissions. You should assess the advantages and disadvantages before choosing to log successes, failures, or both. For example, for files that are frequently accessed by legitimate users, successful access attempts will quickly fill the event log with benign events.
Since failed logon events can indicate unauthorized access attempts, those are the events that should be audited in this scenario. On the other hand, for files containing sensitive information, every access attempt (both successful and failed) should be logged, so that you have an audit trail of every user who accessed the file. ADAudit Plus automatically detects domain controllers, configures the required security settings to log events, and configures default alert profiles, with your consent of course.