Here are the best practices for auditing Windows endpoints and Windows Server
Introduction
Auditing Windows endpoints and Windows Server is a critical aspect of maintaining a secure and compliant IT environment. By implementing best practices for auditing, you can ensure that your systems are monitored effectively, potential security incidents are detected early, and compliance requirements are met.
This guide provides a comprehensive overview of the best practices for auditing Windows operating systems. Whether you are managing a small network or a large enterprise, these recommendations will help you enhance the security and integrity of your Windows infrastructure.
INFO
To learn more about Tier 0, Tier 1, and Tier 2, please refer to my Asset Security article or the Microsoft Learn article.
Recommendation for Windows endpoints (Tier 2️⃣):
Audit Policy Category or Subcategory | Success | Failure |
---|---|---|
Account Logon: Audit Credential Validation | Yes | No |
Account Management: Audit Computer Account Management | Yes | No |
Account Management: Audit Other Account Management Events | Yes | No |
Account Management: Audit Security Group Management | Yes | No |
Account Management: Audit User Account Management | Yes | No |
Detailed Tracking: Audit Process Creation | Yes | No |
Logon and Logoff: Audit Logoff | Yes | No |
Logon and Logoff: Audit Logon | Yes | Yes |
Logon and Logoff: Audit Special Logon | Yes | No |
Policy Change: Audit Audit Policy Change | Yes | Yes |
Policy Change: Audit Authentication Policy Change | Yes | No |
System: Audit IPsec Driver | Yes | Yes |
System: Audit Security State Change | Yes | Yes |
System: Audit Security System Extension | Yes | Yes |
System: Audit System Integrity | Yes | Yes |
Recommendation for ⚡critical Windows endpoints (Tier 2️⃣):
Audit Policy Category or Subcategory | Success | Failure |
---|---|---|
Account Logon: Audit Credential Validation | Yes | Yes |
Account Logon: Audit Kerberos Authentication Service | Yes | Yes |
Account Logon: Audit Kerberos Service Ticket Operations | Yes | Yes |
Account Logon: Audit Other Account Logon Events | Yes | Yes |
Account Management: Audit Computer Account Management | Yes | Yes |
Account Management: Audit Other Account Management Events | Yes | Yes |
Account Management: Audit Security Group Management | Yes | Yes |
Account Management: Audit User Account Management | Yes | Yes |
Detailed Tracking: Audit DPAPI Activity | Yes | Yes |
Detailed Tracking: Audit Process Creation | Yes | Yes |
Logon and Logoff: Audit Account Lockout | Yes | No |
Logon and Logoff: Audit Logoff | Yes | No |
Logon and Logoff: Audit Logon | Yes | Yes |
Logon and Logoff: Audit Special Logon | Yes | Yes |
Policy Change: Audit Audit Policy Change | Yes | Yes |
Policy Change: Audit Authentication Policy Change | Yes | Yes |
Policy Change: Audit MPSSVC Rule-Level Policy Change | Yes | Yes |
System: Audit IPsec Driver | Yes | Yes |
System: Audit Security State Change | Yes | Yes |
System: Audit Security System Extension | Yes | Yes |
System: Audit System Integrity | Yes | Yes |
Recommendation for Windows Server (Tier 1️⃣):
Audit Policy Category or Subcategory | Success | Failure |
---|---|---|
Account Logon: Audit Credential Validation | Yes | Yes |
Account Management: Audit Computer Account Management | Yes | No |
Account Management: Audit Other Account Management Events | Yes | Yes |
Account Management: Audit Security Group Management | Yes | Yes |
Account Management: Audit User Account Management | Yes | Yes |
Detailed Tracking: Audit Process Creation | Yes | No |
Logon and Logoff: Audit Logoff | Yes | No |
Logon and Logoff: Audit Logon | Yes | Yes |
Logon and Logoff: Audit Special Logon | Yes | No |
Policy Change: Audit Audit Policy Change | Yes | Yes |
Policy Change: Audit Authentication Policy Change | Yes | No |
System: Audit IPsec Driver | Yes | Yes |
System: Audit Security State Change | Yes | Yes |
System: Audit Security System Extension | Yes | Yes |
System: Audit System Integrity | Yes | Yes |
Recommendation for ⚡critical Windows Server / Domain Controller (Tier 0️⃣):
Audit Policy Category or Subcategory | Success | Failure |
---|---|---|
Account Logon: Audit Credential Validation | Yes | Yes |
Account Logon: Audit Kerberos Authentication Service | Yes | Yes |
Account Logon: Audit Kerberos Service Ticket Operations | Yes | Yes |
Account Logon: Audit Other Account Logon Events | Yes | Yes |
Account Management: Audit Computer Account Management | Yes | Yes |
Account Management: Audit Other Account Management Events | Yes | Yes |
Account Management: Audit Security Group Management | Yes | Yes |
Account Management: Audit User Account Management | Yes | Yes |
Detailed Tracking: Audit DPAPI Activity | Yes | Yes |
Detailed Tracking: Audit Process Creation | Yes | Yes |
DS Access: Audit Directory Service Access | DC | DC |
DS Access: Audit Directory Service Changes | DC | DC |
Logon and Logoff: Audit Account Lockout | Yes | No |
Logon and Logoff: Audit IPsec Main Mode | Yes | Yes |
Logon and Logoff: Audit Logoff | Yes | No |
Logon and Logoff: Audit Logon | Yes | Yes |
Logon and Logoff: Audit Other Logon/Logoff Events | Yes | Yes |
Logon and Logoff: Audit Special Logon | Yes | Yes |
Policy Change: Audit Audit Policy Change | Yes | Yes |
Policy Change: Audit Authentication Policy Change | Yes | Yes |
Policy Change: Audit MPSSVC Rule-Level Policy Change | Yes | Yes |
System: Audit IPsec Driver | Yes | Yes |
System: Audit Security State Change | Yes | Yes |
System: Audit Security System Extension | Yes | Yes |
System: Audit System Integrity | Yes | Yes |
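The tables above map directly onto auditpol subcategories. As an added example (not code from the original article), the script below applies the Tier 2 "Windows endpoints" recommendation to a single machine, which is useful for a lab host or a machine that is not domain-joined. The subcategory names and the success/failure values are taken row by row from the first table; the registry value `SCENoApplyLegacyAuditPolicy` is the setting behind the GPO option that forces subcategory settings to override the legacy category settings. In a domain, set the same values through Group Policy instead, because a domain GPO overwrites local auditpol changes at the next policy refresh.

```powershell
# Added example: apply the Tier 2 endpoint audit baseline from the table above with
# auditpol.exe. Run from an elevated PowerShell session on an English-language system
# (auditpol matches subcategory names per UI language; it also accepts subcategory GUIDs).

# Subcategory name => @(success, failure), copied row by row from the Tier 2 table.
$tier2Endpoint = [ordered]@{
    'Credential Validation'           = @($true, $false)
    'Computer Account Management'     = @($true, $false)
    'Other Account Management Events' = @($true, $false)
    'Security Group Management'       = @($true, $false)
    'User Account Management'         = @($true, $false)
    'Process Creation'                = @($true, $false)
    'Logoff'                          = @($true, $false)
    'Logon'                           = @($true, $true)
    'Special Logon'                   = @($true, $false)
    'Audit Policy Change'             = @($true, $true)
    'Authentication Policy Change'    = @($true, $false)
    'IPsec Driver'                    = @($true, $true)
    'Security State Change'           = @($true, $true)
    'Security System Extension'       = @($true, $true)
    'System Integrity'                = @($true, $true)
}

# Make the advanced (subcategory) settings win over the nine legacy categories so the
# two policy layers are not mixed. This is the registry value behind the GPO setting
# "Audit: Force audit policy subcategory settings ... to override audit policy category settings".
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

foreach ($entry in $tier2Endpoint.GetEnumerator()) {
    $success = if ($entry.Value[0]) { 'enable' } else { 'disable' }
    $failure = if ($entry.Value[1]) { 'enable' } else { 'disable' }

    & auditpol.exe /set "/subcategory:$($entry.Key)" "/success:$success" "/failure:$failure" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for subcategory '$($entry.Key)' (exit code $LASTEXITCODE)"
    }
}

# Read the effective policy back; this is the same check the article recommends.
& auditpol.exe /get /category:*
```

To apply one of the other tiers, replace the hashtable with the rows of the corresponding table. Note that "Process Creation" on its own only records event 4688 with the image path; the command line is only included when the separate policy "Include command line in process creation events" is also enabled, which is worth doing wherever process creation auditing is turned on.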
Additional Information
These are 'Advanced Audit' settings, which can be found under:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration
These should not be mixed with the basic audit policies, as this leads to conflicts. End-user devices should also be considered when creating audit policies, even if they do not have the same priority as servers: attacks almost always start on workstations, and neglecting this important source of information can lead to significant losses. In addition, the 'maximum log size' attribute should be set for all of the above policy recommendations.
To be found under:
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Event Log
- 💿 Maximum application log size: 4,194,240 (kilobytes)
- ⛔ Maximum security log size: 4,194,240 (kilobytes)
- 🖥️ Maximum system log size: 4,194,240 (kilobytes)
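As an added example (not code from the original article), the following applies the three log sizes listed above to a single machine with wevtutil.exe and then reads the effective configuration back. wevtutil expects the size in bytes, so the article's 4,194,240 KB becomes 4,294,901,760 bytes (which is also a multiple of the 64 KB granularity the event log service requires). As with the audit policy itself, in a domain the GPO path named above is the right place to set this; a policy-managed value overrides whatever is set locally, which the read-back at the end will show.

```powershell
# Added example: set the maximum size of the Application, Security and System logs to
# the value recommended above and verify the result. Run from an elevated session.

# 4,194,240 KB from the list above; wevtutil takes bytes.
$maxSizeBytes = 4194240 * 1024   # = 4294901760

foreach ($log in 'Application', 'Security', 'System') {
    # /ms: maximum size in bytes. /rt:false keeps the default "overwrite events as
    # needed" retention, so a full log keeps recording instead of stalling.
    & wevtutil.exe sl $log "/ms:$maxSizeBytes" /rt:false
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "wevtutil failed for log '$log' (exit code $LASTEXITCODE)"
    }
}

# Show what is actually in effect. If Group Policy governs the size, its value wins
# over the local setting made above and that is what appears here.
Get-WinEvent -ListLog Application, Security, System |
    Select-Object LogName,
                  @{ Name = 'MaxSizeKB'; Expression = { $_.MaximumSizeInBytes / 1KB } },
                  LogMode,
                  IsEnabled
```

A `LogMode` of `Circular` confirms that old events are overwritten once the limit is reached, which is why the size alone is not a retention strategy.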
However, it is important to know that this does not mean the logs are stored permanently. Depending on the volume of logs, they may be overwritten very quickly. For longer storage or archiving of the logs, a central log management solution is required (such as the 'Windows Event Collector'). Collecting the logs is not enough, however: they also need to be monitored regularly to detect irregular behavior.
The following are some standard events to look out for:
Event Name | Event ID |
---|---|
Logon Failures | 4624, 4771 |
Successful logons | 4624 |
Failures due to bad passwords | 4625 |
User Account Locked out | 4740 |
User Account Unlocked | 4767 |
User changed password | 4723 |
User Added to Privileged Group | 4728, 4732, 4756 |
Member added to a group | 4728, 4732, 4756, 4761, 4746, 4751 |
Member removed from group | 4729, 4733, 4757, 4762, 4747, 4752 |
Security log cleared | 1102 |
Computer Deleted | 4743 |
Other event IDs that may be of interest, depending on the machine being monitored, are listed in the Microsoft Learn article 'Events to Monitor'.
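To show what "monitored regularly" can look like in practice, here is an added example (not code from the original article) that runs a triage pass over the local Security log for the event IDs in the table above. It counts each ID over the last 24 hours, then calls out the two things a defender wants to see first: the Security log being cleared (1102) and additions to a privileged group (4728, 4732, 4756). The event descriptions follow Microsoft's Security auditing reference, and the list of privileged groups is an assumption to adapt to your environment. Fields are read from the event XML by name rather than by positional index, which is more robust across Windows versions.

```powershell
# Added example: summarise watched Security events and flag log clearing and privileged
# group additions. Run from an elevated session; the same filter works against a
# Windows Event Collector with the -ComputerName parameter of Get-WinEvent.

$since = (Get-Date).AddHours(-24)

# Event ID => description, per Microsoft's Security auditing reference.
$watched = @{
    1102 = 'Security log cleared'
    4624 = 'Successful logon'
    4625 = 'Logon failure'
    4771 = 'Kerberos pre-authentication failed'
    4723 = 'Password change attempted'
    4740 = 'Account locked out'
    4767 = 'Account unlocked'
    4743 = 'Computer account deleted'
    4728 = 'Member added to global security group'
    4732 = 'Member added to local security group'
    4756 = 'Member added to universal security group'
    4729 = 'Member removed from global security group'
    4733 = 'Member removed from local security group'
    4757 = 'Member removed from universal security group'
}

# Assumed list of groups whose membership changes should always be flagged.
$privilegedGroups = @('Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins')

# Return a named EventData field (e.g. TargetUserName) from an event record.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Get-WinEvent raises an error instead of returning nothing when no event matches,
# so suppress that case and treat $events as empty.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = [int[]]$watched.Keys
    StartTime = $since
} -ErrorAction SilentlyContinue

# 1) Volume per event ID, highest first, so a burst of 4625/4771 or 4740 stands out.
$events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
    '{0,6} x {1,-5} {2}' -f $_.Count, $_.Name, $watched[[int]$_.Name]
}

# 2) Security log cleared. Event 1102 stores its fields under UserData/LogFileCleared,
#    not EventData, so it is read directly.
foreach ($e in $events | Where-Object Id -eq 1102) {
    $cleared = ([xml]$e.ToXml()).Event.UserData.LogFileCleared
    '{0}  SECURITY LOG CLEARED by {1}\{2}' -f $e.TimeCreated,
        $cleared.SubjectDomainName, $cleared.SubjectUserName
}

# 3) Additions to privileged groups: who was added, to which group, by whom.
foreach ($e in $events | Where-Object { $_.Id -in 4728, 4732, 4756 }) {
    $group = Get-EventField $e 'TargetUserName'
    if ($privilegedGroups -contains $group) {
        '{0}  {1} added to {2} by {3}' -f $e.TimeCreated,
            (Get-EventField $e 'MemberName'), $group, (Get-EventField $e 'SubjectUserName')
    }
}
```

The count in step 1 is a quick baseline check: a workstation that suddenly shows hundreds of 4625 or 4771 events, or any 1102 at all, deserves a closer look. On a collector, the same logic runs over the Forwarded Events log by changing `LogName`.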
This command displays the computer's currently effective audit policy (elevated privileges required):

```
auditpol /get /category:*
```