How to Optimize Windows Logging for Security

One of the most common configurations taken for granted is the built-in Microsoft Windows logging capabilities. Microsoft Windows continues to dominate the corporate enterprise market.

While the Windows Event Viewer can be used to investigate single instances on an endpoint, the ability to correlate that data can be a large advantage to any security team. The default logging enabled on a Microsoft AD Domain and all endpoints doesn’t include a fraction of the helpful data that can be obtained.

Here are a few modifications that can offer a deeper look into your Windows environment.

Download Free Microsoft Security Guide

Group Policy Objects

Group Policy Objects (GPOs) are used to centrally manage hardware and software settings in a domain configuration. They are broken up into both local and domain policies and can be applied to specific accounts or containers in a certain order to see differing results. Controlling event logging settings from within GPOs allows different settings to be applied to different groups of assets such as domain controllers, servers and endpoints.

*NOTE* All GPO changes should be thoroughly planned and tested in any environment.

Event Log Sizes

Default event log file sizes are traditionally too small and can cause log aggregation if a networking issue occurs. Taking into account the virtualization and hardware of today’s infrastructure, the sizes found below are recommended.

1. Open Group Policy Management on a domain controller
2. Either find the policy that will be edited or create a new policy
3. Right-click on the GPO and select edit
4. Configure event log sizes: Computer Configuration > Policies > Windows Settings > Security Settings > Event Log

Advanced Audit Policy Configuration

Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy allowed the ability to configure much more granular settings for Windows audit logging.

1. Enable advanced auditing
   • • Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
       • Audit: Force audit policy subcategory settings – Enabled

       

       1. Configure Advanced Audit Policies
          • Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies

       

       Account Logon
       Credential Validation	Success and Failure
       Kerberos Authentication Service	No Auditing
       Kerberos Service Ticket Operations	No Auditing
       Other Account Logon Events	Success and Failure

       Account Management
       Application Group Management	Success and Failure
       Computer Account Management	Success and Failure
       Distribution Group Management	Success and Failure
       Other Account Management Events	Success and Failure
       Security Group Management	Success and Failure
       User Account Management	Success and Failure

       Detailed Tracking
       DPAPI Activity	No Auditing
       PNP (Plug and Play)	Success
       Process Creation	Success and Failure
       Process Termination	No Auditing
       RPC Events	Success and Failure
       Token Right Adjusted	Success

       DS Access
       Detailed Directory Service Replication	No Auditing
       Directory Service Access	No Auditing
       Directory Service Changes	Success and Failure
       Directory Service Replication	No Auditing

       Logon/Logoff
       Account Lockout	Success
       Group Membership	Success
       IPsec Extended Mode	No Auditing
       IPsec Main Mode	No Auditing
       IPsec Quick Mode	No Auditing
       Logoff	Success
       Logon	Success and Failure
       Network Policy Server	Success and Failure
       Other Logon/Logoff Events	Success and Failure
       Special Logon	Success and Failure
       User/Device Claims	No Auditing

       Object Access
       Application Generated	Success and Failure
       Central Access Policy Staging	No Auditing
       Certification Services	Success and Failure
       Detailed File Share	Success
       File Share	Success and Failure
       File System	Success
       Filtering Platform Connection	Success
       Filtering Platform Packet Drop	No Auditing
       Handle Manipulation	No Auditing
       Kernel Object	No Auditing
       Other Object Access Events	No Auditing
       Registry	Success
       Removable Storage	Success and Failure
       SAM	Success

       Policy Change
       Audit Policy Change	Success and Failure
       Authentication Policy Change	Success and Failure
       Authorization Policy Change	Success and Failure
       Filtering Platform Policy Change	Success
       MPSSVC Rule-Level Policy Change	No Auditing
       Other Policy Change Events	No Auditing

       Privilege Use
       Non-Sensitive Privilege Use	No Auditing
       Other Privilege Use Events	No Auditing
       Sensitive Privilege Use	Success and Failure

       System
       IPsec Driver	Success
       Other System Events	Failure
       Security State Change	Success and Failure
       Security System Extension	Success and Failure
       System Integrity	Success and Failure

       Global Object Access Auditing
       File System	No Auditing
       Registry	No Auditing

       Advanced Microsoft Command Line Logging

       For advanced Microsoft command line and PowerShell module logging, make the following changes to group policy:

       1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking > Audit Process Creation > Enable
       2. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events > Enable
       3. User Configuration > Policies > Administrative Templates > Windows Components > Windows Powershell
          • Turn on Module Logging
            • Enable and set module names to *

       

       • Turn on PowerShell Script Block Logging
         • Enable and select Log script block invocation start / stop events

       

       Summary

       Windows offers an incredible amount of power with the settings that Group Policy can control, while these are just a portion of the logging GPO settings that can massively increase the visibility into an environment. Without a large portion of these settings, many different system attacks and malicious activities may end up being missed, such as brute-force authentication attempts, command and control traffic, and the addition of settings, software, or users to maintain a persistent connection on an endpoint.

       Combining advanced auditing with log collection, correlation, alerting and reports can give security teams deeper insights and the ability to react as needed to respond to or mitigate potential threats.