Windows 7 audit policy settings

When Advanced Security Audit policy settings are configured, events appear on computers running the supported versions of Windows designated in the Applies to list at the beginning of this topic, as well as on Windows Server and Windows Vista.

Configuring the Account Logon policy settings can help you document attempts to authenticate account data on a domain controller or on a local Security Accounts Manager (SAM). Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, Account Logon settings and events focus on the account database that is used. Subcategories in this category include Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations.

The security audit policy settings in the Account Management category can be used to monitor changes to user and computer accounts and groups. Subcategories in this category include Audit Distribution Group Management and Audit Other Account Management Events.

Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on a computer, and to understand how that computer is being used.

The Audit Detailed Directory Service Replication and Audit Directory Service Replication subcategories cover directory service access; these audit events are logged only on domain controllers.

Logon and Logoff policy settings and events, which track attempts to access a particular computer, are particularly useful for tracking user activity and identifying potential attacks on network resources.

Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. For example, the File System subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. Proving to an external auditor that these audit policies are in effect is more difficult: there is no easy way to verify that the proper SACLs are set on all inherited objects. To address this issue, see Global Object Access Auditing.

Policy Change audit events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, tracking changes to these policies, or attempts to change them, is an important aspect of security management for a network.

Group servers by the classification of their workloads, which allows you to quickly identify the servers that should be the most closely monitored and most stringently configured.
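Once servers are grouped by classification, the practical check is whether each server's effective advanced audit policy still matches the baseline chosen for its group. The script below is an added example, not code from the original topic or from Microsoft: it reads the effective policy with the built-in auditpol.exe (/r emits CSV) and compares the subcategories this topic names against a baseline. The baseline values, and the choice of which subcategories to include, are assumptions to be set per server classification; it must run in an elevated shell, and it matches subcategories by their English display names, so on a localized system the names will differ.

```powershell
# Added example (not part of the original topic): verify that the effective
# advanced audit policy on this server matches a baseline. The baseline
# values below are an assumption; set them per server classification.
# Requires an elevated shell; auditpol.exe is built into Windows Vista/7
# and Windows Server 2008 and later.

# Subcategory name (as printed by auditpol in English) -> required inclusion setting.
$baseline = @{
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Distribution Group Management'      = 'Success'
    'Other Account Management Events'    = 'Success and Failure'
    'Directory Service Replication'      = 'Failure'
    'File System'                        = 'Failure'
    'Registry'                           = 'Failure'
    'Audit Policy Change'                = 'Success and Failure'
}

# /r emits CSV with the columns: Machine Name, Policy Target, Subcategory,
# Subcategory GUID, Inclusion Setting, Exclusion Setting
$raw = auditpol /get /category:* /r
if ($LASTEXITCODE -ne 0) { throw "auditpol failed (exit $LASTEXITCODE); run from an elevated shell." }
$effective = $raw | Where-Object { $_.Trim() } | ConvertFrom-Csv

$report = foreach ($name in $baseline.Keys) {
    $row    = $effective | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $baseline[$name]
        Actual      = $actual
        Compliant   = ($actual -eq $baseline[$name])
    }
}

$report | Sort-Object Compliant, Subcategory | Format-Table -AutoSize

# Non-zero exit so a scheduled job or an Invoke-Command caller can flag drift.
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```

Run it on each server through Invoke-Command (or as a scheduled task) with a baseline table per workload group; the Kerberos and Directory Service Replication rows only produce events on domain controllers, so member-server baselines would omit them. Note that this confirms only that the subcategories are enabled; as the topic says, it does not prove that the right SACLs exist on every inherited object, which is what Global Object Access Auditing is for.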

Keep privileged accounts such as built-in Administrator accounts in Active Directory and on member systems disabled, with a process for enabling the accounts when they are required. Use the built-in Security Configuration Wizard to configure service, registry, audit, and firewall settings to reduce the server's attack surface. Use this wizard if you implement jump servers as part of your administrative host strategy.

Cool Auditing Tricks in Vista and: explains interesting new features of auditing in Windows Vista and Windows Server that can be used for troubleshooting problems or seeing what's happening in your environment. It also provides procedures to implement this new feature.

High: Event IDs with a high criticality rating should always and immediately be alerted on and investigated.

Medium: An Event ID with a medium criticality rating could indicate malicious activity, but it must be accompanied by some other abnormality (for example, an unusual number of occurrences in a particular time period, unexpected occurrences, or occurrences on a computer that would not normally be expected to log the event). A medium-criticality event may also be collected as a metric and compared over time.

Low: An Event ID with a low criticality rating should not garner attention or cause alerts, unless correlated with medium- or high-criticality events.

These recommendations are meant to provide a baseline guide for the administrator. All recommendations should be thoroughly reviewed prior to implementation in a production environment. Refer to Appendix L: Events to Monitor for a list of the recommended events to monitor, their criticality ratings, and an event message summary.
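The medium-criticality rule above is the one that needs code rather than a simple alert: a single occurrence is only a metric, and the signal is an unusual number of occurrences in a time window, or occurrences on a computer that would not normally log the event. The function below is an added example, not part of the original topic or of Appendix L: it reads the Security log with Get-WinEvent, buckets events by ID and time window, and returns only the buckets whose count reaches a threshold. The event IDs passed in and the threshold are placeholders; the real IDs and their ratings come from Appendix L, and the threshold from your own per-computer baseline.

```powershell
# Added example (not part of the original topic): apply the medium-criticality
# rule to the Security log. Returns the (event ID, time window) buckets whose
# count reaches a threshold, i.e. the "unusual number in a particular time
# period" signal. Event IDs and threshold are placeholders to be taken from
# Appendix L and from your own baseline.

function Get-EventBurst {
    param(
        [Parameter(Mandatory)][int[]]$EventId,
        [int]$WindowMinutes       = 60,
        [int]$Threshold           = 50,
        [datetime]$Since          = (Get-Date).AddDays(-1),
        [string]$ComputerName     = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = $EventId; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent reports "no events found" as an error.
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    # Bucket key = "<event id>:<window index since $Since>"
    $events |
        Group-Object -Property { '{0}:{1}' -f $_.Id, [math]::Floor(($_.TimeCreated - $Since).TotalMinutes / $WindowMinutes) } |
        ForEach-Object {
            $id, $bucket = $_.Name -split ':'
            [pscustomobject]@{
                Computer    = $ComputerName
                EventId     = [int]$id
                WindowStart = $Since.AddMinutes([int]$bucket * $WindowMinutes)
                Count       = $_.Count
            }
        } |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object WindowStart
}

# PLACEHOLDER: replace 0 with the medium-rated Event IDs listed in Appendix L.
$mediumEventIds = @(0)
Get-EventBurst -EventId $mediumEventIds -WindowMinutes 60 -Threshold 50 | Format-Table -AutoSize
```

Running the same call with -ComputerName against a server that should never log a given event (for example, a workload group where the event is not expected) covers the "occurrences on a computer that normally would not be expected to log the event" case: there the threshold can simply be 1. The unfiltered per-window counts, obtained by dropping the Where-Object step, are the metric the topic suggests collecting and comparing over time.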
