Configure Windows audit policy for use with LEM
The Windows audit policy determines the amount of data that Windows Security logs on domain controllers and other computers in the domain. This section covers
Verbosity is the amount of known data.
See Microsoft's TechNet knowledge base for details on Windows Audit Policy Definitions. These definitions are effective from both a best-practice and compliance standpoint, and are based on customer experience and recommendations from Microsoft.
- Audit Policies and Best Practices for LEM in the SolarWinds Success Center.
Using the Windows Audit Policy with LEM requires:
- Windows Server 2003 or higher
- Permissions to change the Windows Audit Policy at the domain controller and domain level
- SolarWinds LEM installation
Windows Audit Policy
The following events and descriptions are adapted from information available on the Microsoft TechNet knowledge base. You can query relevant articles on TechNet by searching for audit policy best practice.
| Policy | Description |
|---|---|
| Audit account logon events | Represents user log on or log off instances on a computer logging those events. These events are specifically related to domain logon events and are logged in the security log of the related domain controller. |
| Audit account management | The change management events on a computer. These events include all changes made to users, groups, and machines. |
| Audit logon events | Represents user log on or log off instances from a computer logging those events. These events are logged in the security log of the local computer onto which the user is logging, even when the user is logging onto the domain from their local computer. |
| Audit object access | Tracks users accessing objects that have their own system access control lists. These objects include files, folders, and printers. |
| Audit policy change | Represents instances where local or group policy changed. These changes include user rights assignments, audit policies, and trust policies. |
| Audit privilege use | Tracks users accessing objects based on their privilege level. These objects include files, folders, and printers, or any object with its own system access control list defined. |
| Audit process tracking | Logs all instances of process, service, and program starts and stops. This can be useful to track both wanted and unwanted processes, such as AV services and malicious programs. |
| Audit system events | Includes start up and shut down events on the computer logging them, along with events that affect the system's security. These are operating system events and are only logged locally. |
Windows audit policy is defined locally for each computer. SolarWinds recommends using group policy to manage the audit policy at both the domain controller and domain levels.
Set the Windows audit policy
Use the Group Policy Object Editor to set your Windows audit policy settings on desktop systems running at least Windows 7, and servers running Windows Server 2008 and 2012. The following procedure applies to setting up sub-category-level auditing.
- Expand Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Audit > Force Audit Policy Subcategory Settings, and then select Enabled.
- Change or set the policies in Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
When the Force Audit Policy Subcategory Settings option is enabled, the subcategory-level audit settings take effect and the category-level audit settings are disabled.
Default Domain Controllers Policy
Select Success and Failure for all policies except:
- Audit object access
- Audit privilege use
Default Domain Policy
The Default Domain Policy applies to all computers on your domain except your domain controllers. For this policy, select Success and Failure for:
- Audit account logon events
- Audit account management
- Audit logon events
- Audit policy change
- Audit system events
You can also select Success and Failure for Audit process tracking to track critical processes (such as the AV service) or unauthorized programs (such as games or malicious executable files).
Enabling auditing at these levels will increase the number of events in the system logs. As a result, your LEM database will expand quickly as it collects these logs.
There could be bandwidth implications as well, depending on your network traffic volume and bandwidth capacity. Because Agent traffic is transmitted to the Manager as a real-time trickle of data, the bandwidth impact is minimal.
The following settings are SolarWinds' recommendation for meeting PCI auditing requirements; they may also be applicable to other auditing standards. For more information, see PCI Compliance and Log and Event Manager.
| Category or Subcategory | Setting |
|---|---|
| Security System Extension | No Auditing |
| System Integrity | Success and Failure |
| IPsec Driver | No Auditing |
| Other System Events | No Auditing |
| Security State Change | Success and Failure |
| Logon | Success and Failure |
| Logoff | Success and Failure |
| Account Lockout | Success and Failure |
| IPsec Main Mode | No Auditing |
| IPsec Quick Mode | No Auditing |
| IPsec Extended Mode | No Auditing |
| Special Logon | Success and Failure |
| Other Logon/Logoff Events | Success and Failure |
| Network Policy Server | No Auditing |
| File System | Success and Failure |
| Registry | Success and Failure |
| Kernel Object | No Auditing |
| Certification Services | No Auditing |
| Application Generated | No Auditing |
| Handle Manipulation | No Auditing |
| File Share | Success and Failure |
| Filtering Platform Packet Drop | No Auditing |
| Filtering Platform Connection | No Auditing |
| Other Object Access Events | No Auditing |
| Detailed File Share | No Auditing |
| Sensitive Privilege Use | Failure |
| Non-Sensitive Privilege Use | No Auditing |
| Other Privilege Use Events | No Auditing |
| Process Termination | No Auditing |
| DPAPI Activity | No Auditing |
| RPC Events | No Auditing |
| Process Creation | No Auditing |
| Audit Policy Change | Success and Failure |
| Authentication Policy Change | Success and Failure |
| Authorization Policy Change | Success and Failure |
| MPSSVC Rule-Level Policy Change | No Auditing |
| Filtering Platform Policy Change | No Auditing |
| Other Policy Change Events | Success and Failure |
| User Account Management | Success and Failure |
| Computer Account Management | Success and Failure |
| Security Group Management | Success and Failure |
| Distribution Group Management | Success and Failure |
| Application Group Management | Success and Failure |
| Other Account Management Events | Success and Failure |
| Directory Service Changes | No Auditing |
| Directory Service Replication | No Auditing |
| Detailed Directory Service Replication | No Auditing |
| Directory Service Access | Failure |
| Kerberos Service Ticket Operations | Success and Failure |
| Other Account Logon Events | Success and Failure |
| Kerberos Authentication Service | Success and Failure |
| Credential Validation | Success and Failure |
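The subcategory procedure above and the PCI table it applies can be exercised and verified locally with auditpol.exe. The following is an added example, not SolarWinds' code; it assumes an elevated PowerShell session on a lab machine and that auditpol spells the one hyphenated subcategory "Non Sensitive Privilege Use". Settings applied this way are local; in production, deliver them through group policy as the page recommends.

```powershell
# Added example: apply the recommended subcategory table with auditpol.exe, then
# compare the effective policy against it and flag any drift.
$SuccessAndFailure = @(
  'System Integrity','Security State Change','Logon','Logoff','Account Lockout',
  'Special Logon','Other Logon/Logoff Events','File System','Registry','File Share',
  'Audit Policy Change','Authentication Policy Change','Authorization Policy Change',
  'Other Policy Change Events','User Account Management','Computer Account Management',
  'Security Group Management','Distribution Group Management','Application Group Management',
  'Other Account Management Events','Kerberos Service Ticket Operations',
  'Other Account Logon Events','Kerberos Authentication Service','Credential Validation')
$FailureOnly = @('Sensitive Privilege Use','Directory Service Access')
$NoAuditing = @(
  'Security System Extension','IPsec Driver','Other System Events','IPsec Main Mode',
  'IPsec Quick Mode','IPsec Extended Mode','Network Policy Server','Kernel Object',
  'Certification Services','Application Generated','Handle Manipulation',
  'Filtering Platform Packet Drop','Filtering Platform Connection','Other Object Access Events',
  'Detailed File Share','Non Sensitive Privilege Use','Other Privilege Use Events',  # assumed auditpol spelling
  'Process Termination','DPAPI Activity','RPC Events','Process Creation',
  'MPSSVC Rule-Level Policy Change','Filtering Platform Policy Change',
  'Directory Service Changes','Directory Service Replication','Detailed Directory Service Replication')

$Desired = @{}
$SuccessAndFailure | ForEach-Object { $Desired[$_] = 'Success and Failure' }
$FailureOnly       | ForEach-Object { $Desired[$_] = 'Failure' }
$NoAuditing        | ForEach-Object { $Desired[$_] = 'No Auditing' }

# Apply: map the table wording onto auditpol's /success and /failure switches.
foreach ($sub in $Desired.Keys) {
    $s = if ($Desired[$sub] -like 'Success*') { 'enable' } else { 'disable' }
    $f = if ($Desired[$sub] -match 'Failure')  { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$sub" /success:$s /failure:$f | Out-Null
}

# Verify: /r emits CSV whose 'Inclusion Setting' column uses the same wording as the table.
$effective = auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
$drift = foreach ($row in $effective) {
    $name = $row.Subcategory
    if ($Desired.ContainsKey($name) -and $row.'Inclusion Setting' -ne $Desired[$name]) {
        [pscustomobject]@{ Subcategory = $name; Expected = $Desired[$name]; Actual = $row.'Inclusion Setting' }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'All subcategories match the recommended settings.' }

# Subcategory settings only hold if the legacy category policy is not applied on top of them;
# this is the registry value behind the Force Audit Policy Subcategory Settings option.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Force Audit Policy Subcategory Settings is not enabled; category-level policy may override these values.'
}
```

Run the verification part alone after a group policy refresh to confirm that the GPO delivered the same settings the table specifies.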