Data Center Risk - Tell us how you manage it and enter to win iPad
Previous Question | Back to Intrusion Detection FAQ Home

Intrusion Detection FAQ: What Logging Would You Recommend for Windows?

Dirk Lehmann, Siemens CERT
Updated by Jim McMillan
November 2009

Windows Operating Systems (up to Windows XP and Server 2003) offer a variety of categories for audit in the event of failure or success: account management, detailed tracking, logon/logoff, object access, policy change, privilege use, and system event. Auditing is disabled by default on all of these OS versions, except for Windows Server 2003, and needs to be enabled.

On Windows Operating Systems, post XP and Server 2003, some auditing is enabled by default and should be reviewed to meet your requirements. On these OS versions, additional categories and subcategories have been created for more granular auditing control. The categories for audit in event of failure or success include: account logon, account management, directory service access, logon events, object access, policy change, privilege use, process tracking, system event and global object access.

The best audit policy settings for a company really depend on the company's needs and regulatory compliance requirements. Microsoft has a document titled "Planning and Deploying Advanced Security Audit Policies" available for your assistance.

In the newer versions of Windows, Audit Policy can be configured by category or subcategory. If you define a policy by category, keep in mind that the category setting will override all subcategory settings. Category settings can be set with group policy by configuring each setting with the Group Policy Management Console (GPMC).

If you plan to control group policy at the subcategory level, you will need to enable the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" group policy setting. Or you can set the registry entry HKLM\System\CurrentControlSet\Control\LSA\SCENoConfigLegacyAuditPolicy to a non-zero value.

Subcategories cannot be set through the GPMC, you will need to use the AuditPol command. The AuditPol command can be used to set audit policy locally or remotely, and can be used in a script that is enforced by group policy. To get complete command help, enter "auditpol /?" at a command prompt. You can use the "list" and "get" options to list available categories and subcategories or view current settings, respectively.

For a sample of commands to include in a script to set audit policy by category, see Randy Franklin Smith's page on recommend settings for Windows Server 2008.

For intrusion detection, you should consider enabling logging for both successful and failed logon/logoff attempts as a minimum measure. This way you see at least all connection attempts using Microsoft's authentication protocol. As a next step, you'll probably want to log account management, policy change, and privilege use. These events tell you, for example, whether an account was added or the account lockout value was modified. For maximum surveillance, you should enable detailed tracking and object access. Note- this can have a severe impact on your system's performance.

If you already use a host-based ID system or log monitor, consult the product's manual to learn what logging must be enabled in order to get maximum results.

Resources

Microsoft (2009, June 15). Advanced security audit policy settings. Retrieved from http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx

Melber, D. (2009, July 01). Event IDs for Windows Server 2008 and Vista revealed!. Retrieved from http://www.windowsecurity.com/articles/Event-IDs-Windows-Server-2008-Vista-Revealed.html

De Clercq, J. (2009, April 14). How can I prevent the granular audit policies (GAPS) that I defined on my Windows Server 2008 servers from being overwritten by the audit policies that are defined in my default domain gpo?. Retrieved from http://windowsitpro.com/article/articleid/101810/q--how-can-i-prevent-the-granular-audit-policies-gaps-that-i-defined-on-my-windows-server-2008-servers-from-being-overwritten-by-the-audit-policies-that-are-defined-in-my-default-domain-gpo.html

Microsoft, . (2009, September 15). Planning and deploying advanced security audit policies. Retrieved from http://technet.microsoft.com/en-us/library/ee513968(WS.10).aspx

Ultimate Windows Security (n.d.). Auditpol. Retrieved from http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Auditpol

Ultimate Windows Security (n.d.). Recommended baseline audit policy for Windows Server 2008. Retrieved from http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008

Previous Question | Back to Intrusion Detection FAQ Home | Next Question