Configure audit policies for the domain controllers (DC)

To access AD Logga functionality you must activate specific audit policies.

If you want to make changes to audit policy you must be a member of the appropriate domain admin or organization admin group.

 

Configure audit policies for DCs on Server 2008

Before configuring audit policies you can verify if all required categories are already activated.

 

You can activate the required audit policies by running the following commands on every DC with admin rights:

 

For "Monitor policy changes":

auditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030} /success:enable

 

For "Directory service changes":

auditpol /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030} /success:enable

 

For "Managing User Accounts", "Managing computer accounts", "Managing security groups", "Managing distribution groups", "Managing application groups" and "other account management events":

auditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable

auditpol /set /subcategory:{0CCE9236-69AE-11D9-BED3-505054503030} /success:enable

auditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable

auditpol /set /subcategory:{0CCE9238-69AE-11D9-BED3-505054503030} /success:enable

auditpol /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030} /success:enable

auditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030} /success:enable

 

Repeat this process for every DC!

 

Configure audit policies for DCs on Server 2008 R2 or higher

You can use the group policy editor to manage audit policy on server 2008 R2 or higher. This means you only need to implement the policy once rather than having to repeat it for every DC.

Please note that the activation of audit policy may be delayed on the domain controllers (DCs) depending on your replication interval.

 

Once you have completed these settings:

  • complete a manual policy update with the command "gpupdate /force"
  • Verify the audit policies settings

 

Start managing group policies, by opening:

gpmc.msc

 

Create a new group policy.

Select the OU in which the DC computer accounts are located. By default they are located in the OU "Domain Controllers".

Ensure that the newly created policy is applied/winning to the appropriate DCs (hierarchy and order).

The order in which you set the options affects the effectiveness of the policy. Follow the order given here!

 

Select the newly created group policy by right clicking and selecting "edit".

 

  1. Navigate to "security options".
  2. Double-click the policy "Audit: Force audit policy...".
  3. Activate the security policy as shown in the screenshot.

The order in which you set the options affects the effectiveness of the policy. Follow the order given here!

 

  1. Navigate to account management.
  2. Use multi-select and select all subcategories.
  3. Activate the audit by right-clicking and selecting "Properties", as shown in the diagram.

 

  1. Navigate to "DS Access".
  2. Double-click the subcategory "Audit Directory Service Changes".
  3. Activate the audit as shown in the screenshot.

 

  1. Navigate to "DS Access".
  2. Double-click the subcategory "Audit Directory Service Access".
  3. Activate the audit in case of failure, as shown in the screenshot.

 

  1. Navigate to "Policy Change".
  2. Double-click the subcategory "Audit Audit Policy Change".
  3. Activate the audit as shown in the screenshot.

 

Once you have completed these settings:

  • complete a manual policy update with the command "gpupdate /force"
  • Verify the audit policies settings

 

Configure the AD Logga disk space requirement

1000 events require approximately 0.57 MB of storage in the data base.

By default the storage period of AD Logga events is set to 30 days and can be managed under server -> storage of scans.

 

Set the size of the Windows event log

To ensure that you don't "lose" any events, you must configure the maximum size for security event logs appropriately. For audit policy settings the storage requirements is roughly 1KB per event.

 

For example:

For a server outage or maintenance time (of the collector server selected for the AD Logga) of one hour, with approximately 1000 events per hour, the absolute minimum security event log size would be 1MB. Considering the low storage space requirements for 1000 events, the uncertainty of outage times as well as the potential relevance of individual security events we highly recommend that you ensure that enough storage space is available.

More information on how to manage storage size can be found at Microsoft.

 

Verify the audit policy settings

You can verify the effectiveness of audit policies by starting the command prompt with admin rights and entering the following command:

For english servers

auditpol /get /category:"policy change,account management,ds access"

For all languages

auditpol /get /category:*

 

The marked subcategories must be set to "Success" or "Failure" as shown.