One of the most commonly overlooked configurations is the built-in logging capability of Microsoft Windows, which continues to dominate the corporate enterprise market.
While the Windows Event Viewer can be used to investigate single instances on an endpoint, the ability to correlate that data across hosts is a large advantage for any security team. The default logging enabled on a Microsoft AD domain and its endpoints captures only a fraction of the helpful data that can be obtained.
Here are a few modifications that can offer a deeper look into your Windows environment.
Group Policy Objects (GPOs) are used to centrally manage hardware and software settings in a domain configuration. They are divided into local and domain policies and can be applied to specific accounts or containers in a defined order of precedence, which determines the resulting settings. Controlling event logging settings from within GPOs allows different settings to be applied to different groups of assets, such as domain controllers, servers and endpoints.
*NOTE* All GPO changes should be thoroughly planned and tested in any environment.
Default event log file sizes are traditionally too small and can cause events to be overwritten before they reach the log aggregation system if a networking issue interrupts collection. Taking into account the virtualization and hardware of today's infrastructure, the sizes found below are recommended.
| Event Log | Recommended Maximum Size |
|---|---|
| Maximum Application Log Size | 256 KB (or larger) |
| Maximum Security Log Size | Regular Endpoints - 1,024,000 KB (minimum) |
| Maximum System Log Size | 256 KB (or larger) |
Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy made it possible to configure much more granular settings for Windows audit logging. The recommended settings per category and subcategory are listed below.
| Category | Subcategory | Setting |
|---|---|---|
| Account Logon | Credential Validation | Success and Failure |
| Account Logon | Kerberos Authentication Service | No Auditing |
| Account Logon | Kerberos Service Ticket Operations | No Auditing |
| Account Logon | Other Account Logon Events | Success and Failure |
| Account Management | Application Group Management | Success and Failure |
| Account Management | Computer Account Management | Success and Failure |
| Account Management | Distribution Group Management | Success and Failure |
| Account Management | Other Account Management Events | Success and Failure |
| Account Management | Security Group Management | Success and Failure |
| Account Management | User Account Management | Success and Failure |
| Detailed Tracking | DPAPI Activity | No Auditing |
| Detailed Tracking | PNP (Plug and Play) | Success |
| Detailed Tracking | Process Creation | Success and Failure |
| Detailed Tracking | Process Termination | No Auditing |
| Detailed Tracking | RPC Events | Success and Failure |
| Detailed Tracking | Token Right Adjusted | Success |
| DS Access | Detailed Directory Service Replication | No Auditing |
| DS Access | Directory Service Access | No Auditing |
| DS Access | Directory Service Changes | Success and Failure |
| DS Access | Directory Service Replication | No Auditing |
| Logon/Logoff | Account Lockout | Success |
| Logon/Logoff | Group Membership | Success |
| Logon/Logoff | IPsec Extended Mode | No Auditing |
| Logon/Logoff | IPsec Main Mode | No Auditing |
| Logon/Logoff | IPsec Quick Mode | No Auditing |
| Logon/Logoff | Logoff | Success |
| Logon/Logoff | Logon | Success and Failure |
| Logon/Logoff | Network Policy Server | Success and Failure |
| Logon/Logoff | Other Logon/Logoff Events | Success and Failure |
| Logon/Logoff | Special Logon | Success and Failure |
| Logon/Logoff | User/Device Claims | No Auditing |
| Object Access | Application Generated | Success and Failure |
| Object Access | Central Access Policy Staging | No Auditing |
| Object Access | Certification Services | Success and Failure |
| Object Access | Detailed File Share | Success |
| Object Access | File Share | Success and Failure |
| Object Access | File System | Success |
| Object Access | Filtering Platform Connection | Success |
| Object Access | Filtering Platform Packet Drop | No Auditing |
| Object Access | Handle Manipulation | No Auditing |
| Object Access | Kernel Object | No Auditing |
| Object Access | Other Object Access Events | No Auditing |
| Object Access | Registry | Success |
| Object Access | Removable Storage | Success and Failure |
| Object Access | SAM | Success |
| Policy Change | Audit Policy Change | Success and Failure |
| Policy Change | Authentication Policy Change | Success and Failure |
| Policy Change | Authorization Policy Change | Success and Failure |
| Policy Change | Filtering Platform Policy Change | Success |
| Policy Change | MPSSVC Rule-Level Policy Change | No Auditing |
| Policy Change | Other Policy Change Events | No Auditing |
| Privilege Use | Non-Sensitive Privilege Use | No Auditing |
| Privilege Use | Other Privilege Use Events | No Auditing |
| Privilege Use | Sensitive Privilege Use | Success and Failure |
| System | IPsec Driver | Success |
| System | Other System Events | Failure |
| System | Security State Change | Success and Failure |
| System | Security System Extension | Success and Failure |
| System | System Integrity | Success and Failure |
| Global Object Access Auditing | File System | No Auditing |
| Global Object Access Auditing | Registry | No Auditing |
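Once the GPO has been applied, it is worth verifying that hosts actually received it. The following PowerShell script is an added example (not part of the original post) that compares a host's effective audit policy and configured log sizes with the two tables above; it covers a subset of the subcategories and assumes the `auditpol /r` CSV column names shown in its comments.

```powershell
# Run from an elevated prompt: auditpol needs administrative rights.
# Subset of the Advanced Audit Policy table, keyed by auditpol's subcategory
# names; extend it with the remaining rows from the table as needed.
$AuditBaseline = @{
    'Credential Validation'     = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Process Creation'          = 'Success and Failure'
    'Account Lockout'           = 'Success'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Special Logon'             = 'Success and Failure'
    'Removable Storage'         = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success and Failure'
    'Security State Change'     = 'Success and Failure'
}
# Minimum log sizes from the first table, in bytes (the GPO value is in KB).
$LogBaseline = @{
    'Application' = 256KB
    'Security'    = 1024000KB
    'System'      = 256KB
}
# auditpol /r emits CSV with the columns Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$effective = @{}
auditpol /get /category:* /r | ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }
# One row per baseline subcategory, flagging any drift from the table.
$results = foreach ($sub in ($AuditBaseline.Keys | Sort-Object)) {
    $actual = if ($effective.ContainsKey($sub)) { $effective[$sub] } else { 'Not reported' }
    [pscustomobject]@{
        Check     = "Audit: $sub"
        Expected  = $AuditBaseline[$sub]
        Actual    = $actual
        Compliant = ($actual -eq $AuditBaseline[$sub])
    }
}
# Compare each configured maximum log size with the baseline minimum.
$results += foreach ($log in Get-WinEvent -ListLog ([string[]]$LogBaseline.Keys)) {
    [pscustomobject]@{
        Check     = "Log size: $($log.LogName)"
        Expected  = ">= $($LogBaseline[$log.LogName] / 1KB) KB"
        Actual    = "$($log.MaximumSizeInBytes / 1KB) KB"
        Compliant = ($log.MaximumSizeInBytes -ge $LogBaseline[$log.LogName])
    }
}
$results | Format-Table -AutoSize
```

Rows with `Compliant` set to `False` point at hosts where the GPO has not applied or has been overridden by a higher-precedence policy.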
For advanced Microsoft command line and PowerShell module logging, make the following changes to group policy:
Group Policy controls an enormous range of Windows settings, and the ones above are only a portion of the logging-related GPO settings that can greatly increase visibility into an environment. Without many of these settings, a wide range of attacks and malicious activity may go unnoticed, such as brute-force authentication attempts, command-and-control traffic, and the addition of settings, software, or users to maintain a persistent foothold on an endpoint.
Combining advanced auditing with log collection, correlation, alerting and reports can give security teams deeper insights and the ability to react as needed to respond to or mitigate potential threats.
Looking for other ways to proactively improve your security posture?
Take your security to the next level. Get a comprehensive Domain Security Assessment (DSA) to uncover potential vulnerabilities across your Windows environment. The DSA provides insight into the domain security of your environment in minutes, including existing CVEs or vulnerabilities you may be exposed to and recommendations on how to improve your security. Sign up for your free DSA report here.