Skip to content
    April 13, 2020

    How to Optimize Windows Logging for Security

    One of the most common configurations taken for granted is the built-in Microsoft Windows logging capabilities. Microsoft Windows continues to dominate the corporate enterprise market.

    While the Windows Event Viewer can be used to investigate single instances on an endpoint, the ability to correlate that data can be a large advantage to any security team. The default logging enabled on a Microsoft AD Domain and all endpoints doesn’t include a fraction of the helpful data that can be obtained.

    Here are a few modifications that can offer a deeper look into your Windows environment.

    Download Free Microsoft Security Guide

    Group Policy Objects

    Group Policy Objects (GPOs) are used to centrally manage hardware and software settings in a domain configuration. They are broken up into both local and domain policies and can be applied to specific accounts or containers in a certain order to see differing results. Controlling event logging settings from within GPOs allows different settings to be applied to different groups of assets such as domain controllers, servers and endpoints.

    *NOTE* All GPO changes should be thoroughly planned and tested in any environment.

    Event Log Sizes

    Default event log file sizes are traditionally too small and can cause log aggregation if a networking issue occurs. Taking into account the virtualization and hardware of today’s infrastructure, the sizes found below are recommended.

    1. Open Group Policy Management on a domain controller
    2. Either find the policy that will be edited or create a new policy
    3. Right-click on the GPO and select edit
    4. Configure event log sizes: Computer Configuration > Policies > Windows Settings > Security Settings > Event Log

    Event Log

     
     

    Maximum Application Log Size

     

    256k (or larger)

     

    Maximum Security Log Size

     

    Regular Endpoints - 1,024,000kb (minimum)

    Server Endpoints - 2,048,000kb (minimum)

     

    Maximum System Log Size

     

    256k (or larger)

    Advanced Audit Policy Configuration

    Starting in Windows Server 2008 R2 and Windows 7, Advanced Audit Policy Configuration in Group Policy allowed the ability to configure much more granular settings for Windows audit logging.

    1. Enable advanced auditing
    2. Navigate to: Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
      • Audit: Force audit policy subcategory settings – Enabled

      1. Configure Advanced Audit Policies
        • Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies

      Account Logon

       
       

      Credential Validation

       

      Success and Failure

       

      Kerberos Authentication Service

       

      No Auditing

       
      Kerberos Service Ticket Operations
       

      No Auditing

       
      Other Account Logon Events
       

      Success and Failure

      Account Management

       

      Application Group Management

      Success and Failure

      Computer Account Management

      Success and Failure

      Distribution Group Management

      Success and Failure

      Other Account Management Events

      Success and Failure

      Security Group Management

      Success and Failure

      User Account Management

      Success and Failure

      Detailed Tracking
       

      DPAPI Activity

      No Auditing
      PNP (Plug and Play)

      Success

      Process Creation

      Success and Failure

      Process Termination

      No Auditing
      RPC Events

      Success and Failure

      Token Right Adjusted

      Success

      DS Access
       
      Detailed Directory Service Replication
      No Auditing
      Directory Service Access

      No Auditing

      Directory Service Changes

      Success and Failure
      Directory Service Replication

      No Auditing

      Logon/Logoff

       

      Account Lockout

      Success
      Group Membership

      Success

      IPsec Extended Mode

      No Auditing

      IPsec Main Mode

      No Auditing

      IPsec Quick Mode

      No Auditing

      Logoff

      Success
      Logon
      Success and Failure

      Network Policy Server

      Success and Failure

      Other Logon/Logoff Events
      Success and Failure
      Special Logon
      Success and Failure

      User/Device Claims

      No Auditing

      Object Access

       

      Application Generated

      Success and Failure

      Central Access Policy Staging

      No Auditing

      Certification Services

      Success and Failure

      Detailed File Share

      Success

      File Share

      Success and Failure

      File System

      Success

      Filtering Platform Connection

      Success

      Filtering Platform Packet Drop

      No Auditing

      Handle Manipulation

      No Auditing

      Kernel Object

      No Auditing

      Other Object Access Events

      No Auditing

      Registry

      Success

      Removable Storage

      Success and Failure

      SAM

      Success

      Policy Change

       

      Audit Policy Change

      Success and Failure

      Authentication Policy Change

      Success and Failure

      Authorization Policy Change

      Success and Failure

      Filtering Platform Policy Change

      Success

      MPSSVC Rule-Level Policy Change

      No Auditing

      Other Policy Change Events

      No Auditing

      Privilege Use

       
       

      Non-Sensitive Privilege Use

       

      No Auditing

       

      Other Privilege Use Events

       

      No Auditing

       

      Sensitive Privilege Use

       

      Success and Failure

      System

       

      IPsec Driver

      Success

      Other System Events

      Failure

      Security State Change

      Success and Failure

      Security System Extension

      Success and Failure

      System Integrity

      Success and Failure

      Global Object Access Auditing

       

      File System

      No Auditing

      Registry

      No Auditing

      Advanced Microsoft Command Line Logging

      For advanced Microsoft command line and PowerShell module logging, make the following changes to group policy:

      1. Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Configuration > Detailed Tracking > Audit Process Creation > Enable
      2. Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events > Enable
      3. User Configuration > Policies > Administrative Templates > Windows Components > Windows Powershell
        • Turn on Module Logging
          • Enable and set module names to *

      • Turn on PowerShell Script Block Logging
        • Enable and select Log script block invocation start / stop events

      Summary

      Windows offers an incredible amount of power with the settings that Group Policy can control, while these are just a portion of the logging GPO settings that can massively increase the visibility into an environment. Without a large portion of these settings, many different system attacks and malicious activities may end up being missed, such as brute-force authentication attempts, command and control traffic, and the addition of settings, software, or users to maintain a persistent connection on an endpoint.

      Combining advanced auditing with log collection, correlation, alerting and reports can give security teams deeper insights and the ability to react as needed to respond to or mitigate potential threats.

       

      Looking for other ways to proactively improve your security posture?

      Take your security to the next level. Get a comprehensive Domain Security Assessment (DSA) to uncover potential vulnerabilities across your Windows environment. The DSA provides insight into the domain security of your environment in minutes, including existing CVEs or vulnerabilities you may be exposed to and recommendations on how to improve your security. Sign up for your free DSA report here.

    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...

    More from the blog

    View All Posts