Good day!
Welcome back!!! As part of a non-compliance finding, our security team asked me to enable the Audit Policy settings below for Success/Failure in Local Group Policy.
Audit system events
Audit process tracking
Audit Policy change
Audit object access
When we try to enable Success/Failure it seems to work, but after we close the settings, go back and recheck, the settings are unchecked again.
So the first thing we checked was whether it is bound by group policy. It is not, and if it were bound by group policy it would not even allow the change; you clearly get an error saying it can't be changed because it is enforced by Group Policy.
For starters, if you don't know: starting with 2008, Microsoft introduced Advanced Audit Policy settings, which you configure using the Auditpol command.
Below is the list of Advanced Audit Policy categories and subcategories, grouped under the legacy Audit Policy setting each one corresponds to.
Advanced Policy subcategories:
Audit system events
  Category: System
  Sub-categories:
    Security System Extension
    System Integrity
    IPsec Driver
    Other System Events
    Security State Change
Audit process tracking
  Category: Detailed Tracking
  Sub-categories:
    Process Creation
    Process Termination
    DPAPI Activity
    RPC Events
    Plug and Play Events
Audit privilege use
  Category: Privilege Use
  Sub-categories:
    Non Sensitive Privilege Use
    Other Privilege Use Events
    Sensitive Privilege Use
Audit Policy change
  Category: Policy Change
  Sub-categories:
    Authentication Policy Change
    Authorization Policy Change
    MPSSVC Rule-Level Policy Change
    Filtering Platform Policy Change
    Other Policy Change Events
    Audit Policy Change
Audit object access
  Category: Object Access
  Sub-categories:
    File System
    Registry
    Kernel Object
    SAM
    Certification Services
    Application Generated
    Handle Manipulation
    File Share
    Filtering Platform Packet Drop
    Filtering Platform Connection
    Other Object Access Events
    Detailed File Share
    Removable Storage
    Central Policy Staging
Audit Logon events
  Category: Logon/Logoff
  Sub-categories:
    Logon
    Logoff
    Account Lockout
    IPsec Main Mode
    IPsec Quick Mode
    IPsec Extended Mode
    Special Logon
    Other Logon/Logoff Events
    Network Policy Server
    User / Device Claims
Audit directory service access
  Category: DS Access
  Sub-categories:
    Directory Service Changes
    Directory Service Replication
    Detailed Directory Service Replication
    Directory Service Access
Audit account management
  Category: Account Management
  Sub-categories:
    User Account Management
    Computer Account Management
    Security Group Management
    Distribution Group Management
    Application Group Management
    Other Account Management Events
Audit account logon events
  Category: Account Logon
  Sub-categories:
    Kerberos Service Ticket Operations
    Other Account Logon Events
    Kerberos Authentication Service
    Credential Validation
How to enable a whole category:
Example:
Auditpol /set /category:"Account Logon" /success:enable /failure:enable
Auditpol /set /category:"Logon/Logoff" /success:enable /failure:enable
If you don't want to enable all the audit settings in a category, you can enable just one subcategory (note the straight double quotes; curly quotes pasted from a web page will break the command).
Example:
Auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
So if you have to enable an individual Audit Policy subcategory, you enable it as shown above.
Coming back to my issue: when I tried to change the settings under Audit Policy it would not let me, because Advanced Audit Policy was in effect, and once that is the case any setting has to be enabled using the Auditpol command only.
The problem was that our security team's tool only looked at the legacy Audit Policy, i.e. whether each setting was enabled or not, and had no clue about the Advanced Audit subcategories. Even though we had them enabled there, the check kept failing.
So to fix the problem I had to disable the "Force audit policy subcategory settings to override audit policy category settings" option, then enable all the settings in Audit Policy, and then enable the override back.
Hopefully this helps someone, and until the next one, you all have a good day!
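As an added example (not part of the original post), here is a PowerShell check for the two things discussed above: whether the "force subcategory override" option is set, which Windows stores under the Lsa registry key as SCENoApplyLegacyAuditPolicy, and whether every subcategory of the four requested categories is auditing Success and Failure, read with the same Auditpol command in its CSV (/r) form. It assumes an elevated PowerShell session on the affected host.

```powershell
# Added example, not the original post's code. Run in an elevated PowerShell session.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
# The "Audit: Force audit policy subcategory settings ... to override audit policy
# category settings" option is stored as SCENoApplyLegacyAuditPolicy (1 = advanced policy wins).
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -eq 1) {
    Write-Host 'Advanced audit policy overrides the legacy categories: trust auditpol, not the legacy Audit Policy UI.'
} else {
    Write-Host 'Override not forced: the legacy Audit Policy categories still apply.'
}

# The four legacy settings the security team asked for, mapped to advanced-policy category names.
$categories = @{
    'Audit system events'    = 'System'
    'Audit process tracking' = 'Detailed Tracking'
    'Audit Policy change'    = 'Policy Change'
    'Audit object access'    = 'Object Access'
}

$gaps = foreach ($legacy in $categories.Keys) {
    $cat = $categories[$legacy]
    # /r emits CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $rows = auditpol /get /category:"$cat" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        if ($row.'Inclusion Setting' -ne 'Success and Failure') {
            [pscustomobject]@{
                LegacySetting = $legacy
                Category      = $cat
                Subcategory   = $row.Subcategory
                Current       = $row.'Inclusion Setting'
            }
        }
    }
}

if ($gaps) {
    Write-Host 'Subcategories not yet auditing Success and Failure:'
    $gaps | Format-Table -AutoSize
    # Remediate a whole category the way the post shows (uncomment to apply):
    # auditpol /set /category:"Object Access" /success:enable /failure:enable
} else {
    Write-Host 'All four requested categories audit Success and Failure on every subcategory.'
}
```

Run it before and after the fix described above: with the override forced, the legacy UI checkboxes are irrelevant and only the auditpol rows tell you what is actually being logged.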