Better instructions for which Auditing items should be enabled

Better instructions for which Auditing items should be enabled Thursday, April 06, 2017 3:55 PM (permalink)
I have gone through and reviewed the documentation and enabled the basic set of auditing for successes and failures for Account Management, Object Access, Process Tracking and System Event. That's all well and good, but it does seem to generate an excessive slew of events. Obviously there are going to be a large number of events in the log once the auditing changes are made, but it also seems obvious that those instructions are very broad.
Instead, could we have an update to the documentation to use, as an alternative, the "Advanced Audit Policy Configuration" settings with more specific detail about what should be enabled and audited for successes and failures? I understand every organization has its own very specific needs, but a good and true baseline is certainly the way to go.
What I think makes the most sense is a review of the current set of event processing rules, after all GFI would know better than anyone what specific events are needed in order for the system to capture the information an end-user expects to see stored. With that information, then go and determine exactly which auditing items produce the needed events for those rules.
This way, for a base installation and more direct instructions, every organization can take full advantage of the EventsManager program from day one and not risk flooding their event logs and in turn, producing performance and stability issues, particularly on older, more limited hardware that may still be in use.
Basically I'm looking for something like this below (obviously where the setting changes would be updated to say only success, failure, success and failure or no auditing as needed):
1. Navigate to "Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Local Policies \ Security Options" and enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
2. Navigate to "Computer Configuration \ Policies \ Windows Settings \ Security Settings \ Advanced Audit Policy Configuration \ Audit Policies" and make the following changes
  a. Account Management
    i.   Audit Application Group Management: Success and Failure
    ii.  Audit Computer Account Management: Success and Failure
    iii. Audit Distribution Group Management: Success and Failure
    iv.  Audit Other Account Management Events: Success and Failure
    v.   Audit Security Group Management: Success and Failure
    vi.  Audit User Account Management: Success and Failure
  b. Detailed Tracking
    i.   Audit DPAPI Activity: Success and Failure
    ii.  Audit Process Creation: Success and Failure
    iii. Audit Process Termination: Success and Failure
    iv.  Audit RPC Events: Success and Failure
  c. Object Access
    i.    Audit Application Generated: Success and Failure
    ii.   Audit Certification Services: Success and Failure
    iii.  Audit Detailed File Share: Success and Failure
    iv.   Audit File System: Success and Failure
    v.    Audit Filtering Platform Connection: No Auditing
    vi.   Audit Filtering Platform Packet Drop: No Auditing
    vii.  Audit Handle Manipulation: Success and Failure
    viii. Audit Kernel Object: Success and Failure
    ix.   Audit Other Object Access Events: Success and Failure
    x.    Audit Registry: Success and Failure
    xi.   Audit SAM: Success and Failure
  d. System
    i.   Audit IPsec Driver: Success and Failure
    ii.  Audit Other System Events: Success and Failure
    iii. Audit Security State Change: Success and Failure
    iv.  Audit Security System Extension: Success and Failure
    v.   Audit System Integrity: Success and Failure
Notice the highlighted portion. That one particular change I gleaned from this How To article ( you have posted recommending to turn off auditing for those two categories. To get it to say "No Auditing", you enable the policy, but clear the Success and Failure check boxes.
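As an added example, not code from the post above or from GFI: the same subcategory baseline applied to one host's local audit policy with auditpol, then read back so you can confirm what is actually in effect. It assumes an elevated PowerShell prompt and a test machine; on a domain-joined host the GPO settings will overwrite local ones at the next refresh.

```powershell
# Added example (not GFI's code): apply the post's subcategory baseline with auditpol
# on one host from an elevated prompt, then read the effective settings back.
# Equivalent of "Audit: Force audit policy subcategory settings ... to override":
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
# Subcategory (auditpol name, without the "Audit " prefix) -> setting from the post.
$baseline = [ordered]@{
    'Application Group Management'   = 'Success and Failure'
    'Computer Account Management'    = 'Success and Failure'
    'Distribution Group Management'  = 'Success and Failure'
    'Other Account Management Events'= 'Success and Failure'
    'Security Group Management'      = 'Success and Failure'
    'User Account Management'        = 'Success and Failure'
    'DPAPI Activity'                 = 'Success and Failure'
    'Process Creation'               = 'Success and Failure'
    'Process Termination'            = 'Success and Failure'
    'RPC Events'                     = 'Success and Failure'
    'Application Generated'          = 'Success and Failure'
    'Certification Services'         = 'Success and Failure'
    'Detailed File Share'            = 'Success and Failure'
    'File System'                    = 'Success and Failure'
    'Filtering Platform Connection'  = 'No Auditing'
    'Filtering Platform Packet Drop' = 'No Auditing'
    'Handle Manipulation'            = 'Success and Failure'
    'Kernel Object'                  = 'Success and Failure'
    'Other Object Access Events'     = 'Success and Failure'
    'Registry'                       = 'Success and Failure'
    'SAM'                            = 'Success and Failure'
    'IPsec Driver'                   = 'Success and Failure'
    'Other System Events'            = 'Success and Failure'
    'Security State Change'          = 'Success and Failure'
    'Security System Extension'      = 'Success and Failure'
    'System Integrity'               = 'Success and Failure'
}
foreach ($sub in $baseline.Keys) {
    # "No Auditing" = both Success and Failure cleared, as the post describes.
    $s = if ($baseline[$sub] -match 'Success') { 'enable' } else { 'disable' }
    $f = if ($baseline[$sub] -match 'Failure') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$sub" /success:$s /failure:$f | Out-Null
}
# Verify: /r makes auditpol emit CSV with an "Inclusion Setting" column.
$effective = auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv
foreach ($sub in $baseline.Keys) {
    $row   = $effective | Where-Object { $_.Subcategory -eq $sub }
    $state = if ($row -and $row.'Inclusion Setting' -eq $baseline[$sub]) { 'OK' } else { 'MISMATCH' }
    '{0,-32} {1,-20} {2}' -f $sub, $row.'Inclusion Setting', $state
}
```

Any MISMATCH row after a domain policy refresh tells you which subcategory the GPO is overriding, which is the quickest way to see whether the baseline you intended is the one the event log is actually being driven by.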