DEV Community

Juan Pablo Orphanos

Domain Controllers Audit Policy Best Practices

In our daily job as PFEs, one of the most common questions we are asked in the Active Directory field is what the recommended Audit Policy for Domain Controllers is.

As always, we recommend first going to docs.microsoft.com to find the documented recommendations and best practices for our products.

Question 1: Audit Policy vs Advanced Audit Policy, which one to use?

Audit Policies have shipped with Windows since Windows 2000. These are the original nine categories, available on every Windows version. Beginning with Windows Vista/Server 2008, we introduced the Advanced Audit Policy subcategories to make the recorded events more granular.

We can find these settings in these sections:

  • 'Legacy' Audit Policy: Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

  • Advanced Audit Policy: Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration

We don't recommend using both at the same time, since it can lead to an unexpected resultant set of settings being applied. As a best practice, enable the policy setting Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, found under Local Policies\Security Options.

Best Practice #1: Always use the Advanced Audit Policy settings instead of legacy settings

Best Practice #2: Always set the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting to Enabled

Question 2: Too many categories to choose from, don't know what to select

Deciding in detail which event categories to choose can be a lengthy task: it involves identifying which event IDs each category generates, the frequency of those events, long-term log archiving, compliance requirements, and so on.

So, what if you want a quick answer? Well, our official answer is to look at our baselines in the Security Compliance Toolkit. These baselines contain a wide range of security policies (not only Audit Policies) and should be used as your baseline for defining your domain security.

Do you want a detailed list of the policy categories and which events each category generates? Check this article.

You might think "very nice, but I don't have time to go through all that documentation and process, I need a quick reference of the recommended categories". Well, just go to this link and implement all the categories in the "Stronger Recommendation" column that are marked as DC (for Domain Controller). Add all of them to your Default Domain Controllers Policy (or create a separate GPO linked to the Domain Controllers OU) and voilà, you have updated the audit settings to the MSFT recommendations.

Best Practice #3: Always check the updated security baselines in the Security Compliance Toolkit, and review them regularly

Best Practice #4: If you need something very quick to start, review the recommendations in this article

Question #3: Local Security Policy, secpol, Domain GPO, auditpol... too many tools, which one should I use?

You might have noticed that there are several ways to configure and retrieve Audit Policy settings: you can use a Domain GPO, a Local GPO or the auditpol.exe tool. If you have time, I strongly recommend reading this article by Ned Pyle. As a summary, the best way to configure the Domain Controllers Audit Policy is via a GPO linked to the Domain Controllers OU, and the best way to retrieve those settings is the command "auditpol.exe /get /category:*". Avoid using the Local Policy Editor, auditpol or legacy tools such as secedit to set them.

Best Practice #5: Always use a Group Policy Object linked to the Domain Controllers OU to set the Audit Policy

Best Practice #6: If you want to retrieve the Audit Policy settings on a server, the best way is to run "auditpol.exe /get /category:*"
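The two checks above (the override setting from Best Practice #2 and the auditpol retrieval from Best Practice #6) can be scripted so you get objects instead of screen text. The following PowerShell is an added example written for this post, not a Microsoft tool: it reads the registry value behind the override policy (SCENoApplyLegacyAuditPolicy under the Lsa key, which is where that setting lands), turns the CSV output of auditpol /r into objects, and compares a sample list of subcategories against what is actually in effect. The subcategory list is an assumption for illustration; replace it with the DC-marked entries from the "Stronger Recommendation" column. Run it on the Domain Controller (or inside Invoke-Command) as an administrator.

```powershell
# Added example (not from the original post): assess a Domain Controller's
# effective audit configuration. It checks the override policy from Best
# Practice #2 and then parses the auditpol output from Best Practice #6.
# Assumptions: run on the DC (or inside Invoke-Command) as an administrator;
# the subcategory list below is a sample, not Microsoft's full DC recommendation.

function Test-AuditPolicyOverride {
    # "Audit: Force audit policy subcategory settings (Windows Vista or later) to
    # override audit policy category settings" is stored as the DWORD
    # SCENoApplyLegacyAuditPolicy under the Lsa key; 1 means Enabled.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $props = Get-ItemProperty -Path $key -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    $value = if ($props) { $props.SCENoApplyLegacyAuditPolicy } else { $null }
    [pscustomobject]@{
        Setting   = 'Force subcategory settings to override category settings'
        Value     = $value
        Compliant = ($value -eq 1)
    }
}

function Get-EffectiveAuditPolicy {
    # auditpol /get /category:* /r prints CSV with these columns:
    # Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting. Turn the rows into objects.
    $lines = auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) { throw "auditpol.exe failed with exit code $LASTEXITCODE" }
    $lines | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
}

function Compare-AuditPolicy {
    param(
        # Sample subset (assumption). Replace with the subcategories marked DC in
        # the "Stronger Recommendation" column of the article referenced above.
        [string[]]$RequiredSubcategories = @(
            'Logon', 'Logoff', 'Special Logon', 'Audit Policy Change',
            'Security Group Management', 'User Account Management',
            'Computer Account Management', 'Directory Service Changes',
            'Sensitive Privilege Use'
        )
    )
    $policy = Get-EffectiveAuditPolicy
    foreach ($name in $RequiredSubcategories) {
        $row = $policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Subcategory not found' }
        [pscustomobject]@{
            Subcategory = $name
            Setting     = $setting
            # Anything other than "No Auditing" means events are being recorded.
            Enabled     = ($setting -in 'Success', 'Failure', 'Success and Failure')
        }
    }
}

Test-AuditPolicyOverride
Compare-AuditPolicy | Format-Table -AutoSize
```

Because the result is objects, you can pipe Compare-AuditPolicy to Where-Object { -not $_.Enabled } to list only the gaps, or export it to CSV and keep it with your change records. Note that auditpol shows the effective setting on that one server; if a value differs from the GPO, look for a conflicting legacy policy or a locally applied change rather than "fixing" it with auditpol, since the GPO will reapply at the next refresh.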

Question #4: How much size should I give to the log files?

Estimating the amount of logs that are going to be recorded in the Security Event Log is a very challenging (maybe impossible) task. Many people wonder what the recommended log size for the Security Log is, and the real answer is that it's not that important. Remember that the Security Event Log is only for short-term storage. Long-term retention SHOULD be in another system, be it a SIEM such as Sentinel, QRadar or Splunk, Azure Log Analytics, a SCOM server or even a simple Windows Event Log Collector.

However, we always rely on this article, which states that the recommended log size is 4,194,240 KB. The default value is 20 MB.

The event log size can be specified with this GPO setting: Computer Configuration > Administrative Templates > Windows Components > Event Log Service > Security.

Best Practice #7: Event logs are only for short-term local storage; all security events should be forwarded to a SIEM or collector system for long-term storage and retrieval.

Best Practice #8: On modern 64-bit operating systems, set the Security log size to 4,194,240 KB.
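Since estimating the volume up front is so hard, the practical alternative is to measure: read the effective maximum size that the GPO produced, and look at how much history the local log actually holds right now. The PowerShell below is an added example written for this post (not Microsoft's code); it uses Get-WinEvent to read the Security log configuration and compares it with the 4,194,240 KB figure from the article above. It only reads; the size itself should still be set through the GPO path given earlier.

```powershell
# Added example (not from the original post): report how the local Security log
# is sized compared with the 4,194,240 KB recommendation, and how much history
# it currently holds. Assumption: run with rights to read the Security log.

function Get-SecurityLogSizing {
    param([int64]$RecommendedKB = 4194240)   # value recommended in the article above
    $log   = Get-WinEvent -ListLog Security  # effective configuration, GPO included
    $maxKB = [int64]($log.MaximumSizeInBytes / 1KB)
    [pscustomobject]@{
        LogName             = $log.LogName
        MaximumSizeKB       = $maxKB
        RecommendedKB       = $RecommendedKB
        MeetsRecommendation = ($maxKB -ge $RecommendedKB)
        LogMode             = $log.LogMode   # Circular means old events are overwritten
        CurrentFileKB       = [int64]($log.FileSize / 1KB)
        RecordCount         = $log.RecordCount
    }
}

function Get-SecurityLogWindow {
    # The span between the oldest and newest record shows how much history the
    # local log really covers; this is a measurement, not an estimate.
    $newest = Get-WinEvent -LogName Security -MaxEvents 1
    $oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
    $span   = $newest.TimeCreated - $oldest.TimeCreated
    [pscustomobject]@{
        OldestRecord = $oldest.TimeCreated
        NewestRecord = $newest.TimeCreated
        HoursCovered = [math]::Round($span.TotalHours, 1)
    }
}

Get-SecurityLogSizing | Format-List
Get-SecurityLogWindow | Format-List
```

If HoursCovered on a busy Domain Controller turns out to be only a few hours, the local log is not your safety net anyway; that number tells you how long a forwarding outage can last before events are lost, which is the real reason Best Practice #7 matters more than the exact size.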

I hope all this information is useful for you. These are very simple recommendations to implement in your environment, and you can quickly answer your manager when they ask "Do we have auditing on our Domain Controllers?"

Have a good day!