How to Optimize Windows Logging for Security

One of the most common configurations taken for granted is the built-in Microsoft Windows logging capabilities. Microsoft Windows continues to dominate the corporate enterprise market.

While the Windows Event Viewer can be used to investigate single instances on an endpoint, the ability to correlate that data can be a large advantage to any security team. The default logging enabled on a Microsoft AD Domain and all endpoints doesn’t include a fraction of the helpful data that can be obtained.

Here are a few modifications that can offer a deeper look into your Windows environment.

Download Free Microsoft Security Guide

Group Policy Objects

Group Policy Objects (GPOs) are used to centrally manage hardware and software settings in a domain configuration. They are broken up into both local and domain policies and can be applied to specific accounts or containers in a certain order to see differing results. Controlling event logging settings from within GPOs allows different settings to be applied to different groups of assets such as domain controllers, servers and endpoints.

*NOTE* All GPO changes should be thoroughly planned and tested in any environment.

Event Log Sizes

Default event log file sizes are traditionally too small and can cause log aggregation if a networking issue occurs. Taking into account the virtualization and hardware of today’s infrastructure, the sizes found below are recommended.

1. Open Group Policy Management on a domain controller
2. Either find the policy that will be edited or create a new policy
3. Right-click on the GPO and select edit
4. Configure event log sizes: Computer Configuration > Policies > Windows Settings > Security Settings > Event Log

Advanced Audit Policy Configuration

Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy allowed the ability to configure much more granular settings for Windows audit logging.

1. Enable advanced auditing
2. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
   • Audit: Force audit policy subcategory settings – Enabled

   

   1. Configure Advanced Audit Policies
      • Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies

   

   Account Logon
   Credential Validation	Success and Failure
   Kerberos Authentication Service	No Auditing
   Kerberos Service Ticket Operations	No Auditing
   Other Account Logon Events	Success and Failure

   Account Management
   Application Group Management	Success and Failure
   Computer Account Management	Success and Failure
   Distribution Group Management	Success and Failure
   Other Account Management Events	Success and Failure
   Security Group Management	Success and Failure
   User Account Management	Success and Failure

   Detailed Tracking
   DPAPI Activity	No Auditing
   PNP (Plug and Play)	Success
   Process Creation	Success and Failure
   Process Termination	No Auditing
   RPC Events	Success and Failure
   Token Right Adjusted	Success

   DS Access
   Detailed Directory Service Replication	No Auditing
   Directory Service Access	No Auditing
   Directory Service Changes	Success and Failure
   Directory Service Replication	No Auditing

   Logon/Logoff
   Account Lockout	Success
   Group Membership	Success
   IPsec Extended Mode	No Auditing
   IPsec Main Mode	No Auditing
   IPsec Quick Mode	No Auditing
   Logoff	Success
   Logon	Success and Failure
   Network Policy Server	Success and Failure
   Other Logon/Logoff Events	Success and Failure
   Special Logon	Success and Failure
   User/Device Claims	No Auditing

   Object Access
   Application Generated	Success and Failure
   Central Access Policy Staging	No Auditing
   Certification Services	Success and Failure
   Detailed File Share	Success
   File Share	Success and Failure
   File System	Success
   Filtering Platform Connection	Success
   Filtering Platform Packet Drop	No Auditing
   Handle Manipulation	No Auditing
   Kernel Object	No Auditing
   Other Object Access Events	No Auditing
   Registry	Success
   Removable Storage	Success and Failure
   SAM	Success

   Policy Change
   Audit Policy Change	Success and Failure
   Authentication Policy Change	Success and Failure
   Authorization Policy Change	Success and Failure
   Filtering Platform Policy Change	Success
   MPSSVC Rule-Level Policy Change	No Auditing
   Other Policy Change Events	No Auditing

   Privilege Use
   Non-Sensitive Privilege Use	No Auditing
   Other Privilege Use Events	No Auditing
   Sensitive Privilege Use	Success and Failure

   System
   IPsec Driver	Success
   Other System Events	Failure
   Security State Change	Success and Failure
   Security System Extension	Success and Failure
   System Integrity	Success and Failure

   Global Object Access Auditing
   File System	No Auditing
   Registry	No Auditing

   Advanced Microsoft Command Line Logging

   For advanced Microsoft command line and PowerShell module logging, make the following changes to group policy:

   1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking > Audit Process Creation > Enable
   2. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events > Enable
   3. User Configuration > Policies > Administrative Templates > Windows Components > Windows Powershell
      • Turn on Module Logging
        • Enable and set module names to *

   

   • Turn on PowerShell Script Block Logging
     • Enable and select Log script block invocation start / stop events

   

   Summary

   Windows offers an incredible amount of power with the settings that Group Policy can control, while these are just a portion of the logging GPO settings that can massively increase the visibility into an environment. Without a large portion of these settings, many different system attacks and malicious activities may end up being missed, such as brute-force authentication attempts, command and control traffic, and the addition of settings, software, or users to maintain a persistent connection on an endpoint.

   Combining advanced auditing with log collection, correlation, alerting and reports can give security teams deeper insights and the ability to react as needed to respond to or mitigate potential threats.

    

   Looking for other ways to proactively improve your security posture?
   

   Take your security to the next level. Get a comprehensive Domain Security Assessment (DSA) to uncover potential vulnerabilities across your Windows environment. The DSA provides insight into the domain security of your environment in minutes, including existing CVEs or vulnerabilities you may be exposed to and recommendations on how to improve your security. Sign up for your free DSA report here.