Advanced Audit Policy Configuration Settings (Windows)

Objective:

  • Audit “Advanced Audit Policy Configuration Settings”
  • Hardening / Configuring “Advanced Audit Policy Configuration Settings”

Overview

“Advanced Audit Policy Configuration Settings” can be configured via Group Policy.

Basic and advanced audit policy configurations should not be mixed; force the use of “Audit Policy Subcategory Settings” so that the advanced (subcategory) settings take precedence over the basic category settings.

Available Settings

Category                       Policy Name                                   Stigviewer ID (Success)  Stigviewer ID (Failure)
-----------------------------  --------------------------------------------  -----------------------  -----------------------
Account Logon                  Audit Credential Validation                   V-26529                  V-26530
Account Logon                  Audit Kerberos Authentication Service
Account Logon                  Audit Kerberos Service Ticket Operations
Account Logon                  Audit Other Account Logon Events
Account Management             Audit Application Group Management
Account Management             Audit Computer Account Management             V-26531                  V-26532
Account Management             Audit Distribution Group Management
Account Management             Audit Other Account Management Events         V-26533                  V-26534
Account Management             Audit Security Group Management               V-26535                  V-26536
Account Management             Audit User Account Management                 V-26537                  V-26538
Detailed Tracking              Audit DPAPI Activity
Detailed Tracking              Audit PNP Activity                            V-63451
Detailed Tracking              Audit Process Creation                        V-26539
Detailed Tracking              Audit Process Termination
Detailed Tracking              Audit RPC Events
Detailed Tracking              Audit Token Right Adjusted
DS Access                      Audit Detailed Directory Service Replication
DS Access                      Audit Directory Service Access                V-33663                  V-33664
DS Access                      Audit Directory Service Changes               V-33665                  V-33666
DS Access                      Audit Directory Service Replication
Logon/Logoff                   Audit Account Lockout
Logon/Logoff                   Audit User / Device Claims
Logon/Logoff                   Audit Group Membership                        V-63457
Logon/Logoff                   Audit IPsec Extended Mode
Logon/Logoff                   Audit IPsec Main Mode
Logon/Logoff                   Audit IPsec Quick Mode
Logon/Logoff                   Audit Logoff                                  V-26540
Logon/Logoff                   Audit Logon                                   V-26541                  V-26542
Logon/Logoff                   Audit Network Policy Server
Logon/Logoff                   Audit Other Logon/Logoff Events
Logon/Logoff                   Audit Special Logon                           V-26543
Object Access                  Audit Application Generated
Object Access                  Audit Certification Services
Object Access                  Audit Detailed File Share
Object Access                  Audit File Share
Object Access                  Audit File System
Object Access                  Audit Filtering Platform Connection
Object Access                  Audit Filtering Platform Packet Drop
Object Access                  Audit Handle Manipulation
Object Access                  Audit Kernel Object
Object Access                  Audit Other Object Access Events
Object Access                  Audit Registry
Object Access                  Audit Removable Storage
Object Access                  Audit SAM
Object Access                  Audit Central Access Policy Staging
Policy Change                  Audit Audit Policy Change                     V-26546                  V-26547
Policy Change                  Audit Authentication Policy Change            V-26548
Policy Change                  Audit Authorization Policy Change             V-57633                  V-57635
Policy Change                  Audit Filtering Platform Policy Change
Policy Change                  Audit MPSSVC Rule-Level Policy Change
Policy Change                  Audit Other Policy Change Events
Privilege Use                  Audit Non Sensitive Privilege Use
Privilege Use                  Audit Other Privilege Use Events
Privilege Use                  Audit Sensitive Privilege Use                 V-26549                  V-26550
System                         Audit IPsec Driver                            V-26551                  V-26552
System                         Audit Other System Events
System                         Audit Security State Change                   V-26553                  V-26554
System                         Audit Security System Extension               V-26555                  V-26556
System                         Audit System Integrity                        V-26557                  V-26558
Global Object Access Auditing  File system
Global Object Access Auditing  Registry

Command-line check

PS C:\WINDOWS\system32> auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   No Auditing
  User / Device Claims                    No Auditing
  Group Membership                        Success
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       Success and Failure
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 Success and Failure
Detailed Tracking
  Process Creation                        Success
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Plug and Play Events                    Success
  Token Right Adjusted Events             No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           No Auditing
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
  User Account Management                 Success and Failure
DS Access
  Directory Service Access                No Auditing
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success and Failure
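As an added example (not code from the original page), the following PowerShell script automates the check above: it reads the live policy through auditpol's CSV output (the /r switch), compares it with the rows of the settings table that carry Finding IDs, and prints an auditpol /set remediation line for each deviation. The subcategory names and expected values come from the page; the script itself is an assumed way of wiring them together.

```powershell
# Added example: compare the live audit policy against expected STIG
# subcategory settings and report every deviation. The expected values
# are the Finding-ID rows of the table above; extend the hashtable to
# cover the rest of your own baseline.
$Expected = @{
    'Credential Validation'           = 'Success and Failure'  # V-26529 / V-26530
    'Computer Account Management'     = 'Success and Failure'  # V-26531 / V-26532
    'Other Account Management Events' = 'Success and Failure'  # V-26533 / V-26534
    'Security Group Management'       = 'Success and Failure'  # V-26535 / V-26536
    'User Account Management'         = 'Success and Failure'  # V-26537 / V-26538
    'Process Creation'                = 'Success'              # V-26539
    'Logoff'                          = 'Success'              # V-26540
    'Logon'                           = 'Success and Failure'  # V-26541 / V-26542
    'Special Logon'                   = 'Success'              # V-26543
    'Audit Policy Change'             = 'Success and Failure'  # V-26546 / V-26547
    'Authentication Policy Change'    = 'Success'              # V-26548
    'Sensitive Privilege Use'         = 'Success and Failure'  # V-26549 / V-26550
    'IPsec Driver'                    = 'Success and Failure'  # V-26551 / V-26552
    'Security State Change'           = 'Success and Failure'  # V-26553 / V-26554
    'Security System Extension'       = 'Success and Failure'  # V-26555 / V-26556
    'System Integrity'                = 'Success and Failure'  # V-26557 / V-26558
}

# /r makes auditpol emit CSV ("Subcategory", "Inclusion Setting", ...),
# which is easier to parse than the table form shown above.
$Current = auditpol /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv

$Deviations = foreach ($Row in $Current) {
    $Name = $Row.Subcategory
    if (-not $Expected.ContainsKey($Name)) { continue }
    $Want   = $Expected[$Name]
    $Actual = $Row.'Inclusion Setting'
    # "Success and Failure" already satisfies a Success-only or Failure-only
    # requirement; anything weaker than the expected setting is a finding.
    if (($Actual -eq $Want) -or ($Actual -eq 'Success and Failure')) { continue }
    # Remediation only enables what is missing; it never switches auditing off.
    $Flags = @()
    if ($Want -match 'Success') { $Flags += '/success:enable' }
    if ($Want -match 'Failure') { $Flags += '/failure:enable' }
    [pscustomobject]@{
        Subcategory = $Name
        Expected    = $Want
        Actual      = $Actual
        Fix         = 'auditpol /set /subcategory:"{0}" {1}' -f $Name, ($Flags -join ' ')
    }
}
if ($Deviations) { $Deviations | Format-Table -AutoSize }
else             { 'All checked subcategories match the baseline.' }
```

Run against a host in the state shown in the output above, the only reported deviation is Security State Change (Actual: Success, Expected: Success and Failure), with the corresponding auditpol /set line as the fix.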

Nessus audit file check

Nessus can verify the “Advanced Audit Policy Configuration Settings” via an auditfile.
An example check is shown below:

<custom_item>
 type : AUDIT_POLICY_SUBCATEGORY
 description : "CCE-37741-6:The system must be configured to audit Account Logon - Credential Validation Successes and Failure"
 info : "Windows Server 2012 R2 Server"
 info : "STIG V-26529"
 info : "STIG V-26530"
 value_type : AUDIT_SET
 value_data : "Success, Failure"
 audit_policy_subcategory : "Credential Validation"
</custom_item>

References