What's New in Windows Security Auditing

Applies To: Windows Server 2008 R2

What are the major changes?

There are a number of auditing enhancements in Windows Server® 2008 R2 and Windows® 7 that increase the level of detail in security auditing logs and simplify the deployment and management of auditing policies. These enhancements include:

  • Global Object Access Auditing. In Windows Server 2008 R2 and Windows 7, administrators can define computer-wide system access control lists (SACLs) for either the file system or registry. The specified SACL is then automatically applied to every single object of that type. This can be useful both for verifying that all critical files, folders, and registry settings on a computer are protected, and for identifying when an issue with a system resource occurs.

  • "Reason for access" reporting. This list of access control entries (ACEs) provides the privileges on which the decision to allow or deny access to the object was based. This can be useful for documenting the permissions, such as group memberships, that allow or prevent the occurrence of a particular auditable event.

  • Advanced audit policy settings. These 53 new settings can be used in place of the nine basic auditing settings under Local Policies\Audit Policy to allow administrators to more specifically target the types of activities they want to audit and eliminate the unnecessary auditing activities that can make audit logs difficult to manage and decipher.

The following sections describe these enhancements in greater detail.

What do these auditing enhancements do?

In Windows XP, administrators have nine categories of security auditing events that they can monitor for success, failure, or both success and failure. These events are fairly broad in scope and can be triggered by a variety of similar actions, some of which can generate a large number of event log entries.

In Windows Vista® and Windows Server 2008, the number of auditable events is expanded from nine to 53, which enables an administrator to be more selective in the number and types of events to audit. However, unlike the nine basic Windows XP events, these new audit events are not integrated with Group Policy and can only be deployed by using logon scripts generated with the Auditpol.exe command-line tool.

In Windows Server 2008 R2 and Windows 7, all auditing capabilities have been integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). Windows Server 2008 R2 and Windows 7 make it easier for IT professionals to track when precisely defined, significant activities take place on the network.

Audit policy enhancements in Windows Server 2008 R2 and Windows 7 allow administrators to connect business rules and audit policies. For example, applying audit policy settings on a domain or OU basis will allow administrators to document compliance with rules such as:

  • Track all group administrator activity on servers with finance information.

  • Track all the files that are accessed by defined groups of employees.

  • Confirm that the correct SACL is applied to every file, folder, and registry key when they are accessed.

Who will be interested in this feature?

Auditing enhancements in Windows Server 2008 R2 and Windows 7 support the needs of IT professionals who are responsible for implementing, maintaining, and monitoring the ongoing security of an organization's physical and information assets.

These settings can help administrators answer questions such as the following:

  • Who is accessing our assets?

  • What assets are they accessing?

  • When and where did they access them?

  • How did they obtain access?

Security awareness and the desire to have a forensic trail are significant motivators behind these questions. The quality of this information is required and evaluated by auditors in a growing number of organizations.

Are there any special considerations?

A number of special considerations apply to various tasks associated with auditing enhancements in Windows Server 2008 R2 and Windows 7:

  • Creating an audit policy. To create an advanced Windows security auditing policy, you must use the GPMC or Local Security Policy snap-in on a computer running Windows Server 2008 R2 or Windows 7. (You can use the GPMC on a computer running Windows 7 after installing the Remote Server Administration Tools.)

  • Applying audit policy settings. If you are using Group Policy to apply the advanced audit policy settings and global object access settings, client computers must be running Windows Server 2008 R2 or Windows 7. In addition, only computers running Windows Server 2008 R2 or Windows 7 can provide "reason for access" reporting data.

  • Developing an audit policy model. To plan advanced security audit settings and global object access settings, you must use the GPMC targeting a domain controller running Windows Server 2008 R2.

  • Distributing the audit policy. After a Group Policy Object (GPO) that includes advanced security auditing settings has been developed, it can be distributed by using domain controllers running any Windows server operating system. However, if you cannot put client computers running Windows 7 in a separate OU, you should use Windows Management Instrumentation (WMI) filtering to ensure that the advanced policy settings are applied only to client computers running Windows 7.

Note

Advanced audit policy settings can also be applied to client computers running Windows Vista. However, the audit policies for these client computers must be created and applied separately by using Auditpol.exe logon scripts.

Important

Using both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This will prevent conflicts between similar settings by forcing basic security auditing to be ignored.

In addition, to plan and deploy security event auditing policies, administrators need to address a number of operational and strategic questions, including:

  • Why do we need an audit policy?

  • Which activities and events are most important to our organization?

  • Which types of audit events can we omit from our auditing strategy?

  • How much administrator time and network resources do we want to devote to generating, collecting, and storing events, and analyzing the data?

Which editions include this feature?

All versions of Windows Server 2008 R2 and Windows 7 that can process Group Policy can be configured to use these security auditing enhancements. Versions of Windows Server 2008 R2 and Windows 7 that cannot join a domain do not have access to these features. There is no difference in security auditing support between 32-bit and 64-bit versions of Windows 7.

What new functionality does this feature provide?

The following new functionality is provided by Windows Server 2008 R2 and Windows 7:

  • Global Object Access Auditing

  • "Reason for access" settings

  • Advanced audit policy settings

Global Object Access Auditing

With Global Object Access Auditing, administrators can define computer SACLs per object type for either the file system or registry. The specified SACL is then automatically applied to every object of that type.

Auditors will be able to prove that every resource in the system is protected by an audit policy by just viewing the contents of the Global Object Access Auditing policy setting. For example, a policy setting "track all changes made by group administrators" will be enough to show that this policy is in effect.

Resource SACLs are also useful for diagnostic scenarios. For example, setting a Global Object Access Auditing policy to log all the activity for a specific user and enabling the Access Failures audit policies in a resource (file system, registry) will help administrators quickly identify which object in a system is denying a user access.

Note

If both a file or folder SACL and a Global Object Access Auditing policy (or a single registry setting SACL and a Global Object Access Auditing policy) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches either the file or folder SACL or the Global Object Access Auditing policy.

"Reason for access" settings

There are several events in Windows to audit whenever an operation was successful or unsuccessful. The events usually include the user, the object, and the operation, but they lack the reason why the operation was allowed or denied. Forensics analysis and support scenarios are improved in Windows Server 2008 R2 and Windows 7 by logging the reason, based on specific permissions, why someone had access to corporate resources.

Advanced audit policy settings

In Windows Server 2008 R2 and Windows 7, enhanced audit policies can be configured and deployed by using domain Group Policy, which reduces management cost and overhead and significantly enhances the flexibility and effectiveness of security auditing.

The following sections describe the new events and event categories that are available in the Advanced Audit Policy Configuration node of Group Policy.

Account logon events

The events in this category help document domain attempts to authenticate account data, either to a domain controller or a local Security Accounts Manager (SAM). Unlike logon and logoff events, which track attempts to access a particular computer, events in this category report on the account database that is being used.

Setting Description

Credential Validation

Audit events generated by validation tests on user account logon credentials.

Kerberos Service Ticket Operations

Audit events generated by Kerberos service ticket requests.

Other Account Logon Events

Audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.           

Kerberos Authentication Service

Audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.

Account management events

The settings in this category can be used to monitor changes to user and computer accounts and groups.

Setting Description

User Account Management

Audit changes to user accounts.

Computer Account Management

Audit events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted.                                        

Security Group Management

Audit events generated by changes to security groups.

Distribution Group Management

Audit events generated by changes to distribution groups.

Note
Events in this subcategory are logged only on domain controllers.

Application Group Management

Audit events generated by changes to application groups.

Other Account Management Events

Audit events generated by other user account changes that are not covered in this category.

Detailed tracking events

Detailed tracking events can be used to monitor the activities of individual applications to understand how a computer is being used and the activities of users on that computer.

Setting Description

Process Creation

Audit events generated when a process is created or starts. The name of the application or user that created the process is also audited.

Process Termination                           

Audit events generated when a process ends.

DPAPI Activity

Audit events generated when encryption or decryption requests are made to the Data Protection application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. For more information about DPAPI, see Windows Data Protection.

RPC Events

Audit inbound remote procedure call (RPC) connections.

DS access events

DS access events provide a low-level audit trail of attempts to access and modify objects in Active Directory® Domain Services (AD DS). These events are logged only on domain controllers.

Setting Description

Directory Service Access

Audit events generated when an AD DS object is accessed.

Only AD DS objects with a matching SACL are logged.

Events in this subcategory are similar to the Directory Service Access events available in previous versions of Windows.

Directory Service Changes

Audit events generated by changes to AD DS objects. Events are logged when an object is created, deleted, modified, moved, or undeleted.                                

Directory Service Replication

Audit replication between two AD DS domain controllers.

Detailed Directory Service Replication

Audit events generated by detailed AD DS replication between domain controllers.

Logon/logoff events

Logon and logoff events allow you to track attempts to log on to a computer interactively or over a network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources.

Setting Description

Logon

Audit events generated by user account logon attempts on a computer.

Logoff

Audit events generated by closing a logon session. These events occur on the computer that was accessed. For an interactive logon, the security audit event is generated on the computer that the user account logged on to.

Account Lockout

Audit events generated by a failed attempt to log on to an account that is locked out.

IPsec Main Mode

Audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.

IPsec Quick Mode

Audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.

IPsec Extended Mode

Audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.

Special Logon

Audit events generated by special logons.

Other Logon/Logoff Events                  

Audit other events related to logon and logoff that are not included in the Logon/Logoff category.

Network Policy Server

Audit events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.

Object access events

Object access events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit a file, directory, registry key, or any other object, you must enable the Object Access category for success and failure events. For example, the File System subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry access.

Proving that this policy is in effect to an external auditor is difficult. There is no easy way to verify that the proper SACLs are set on all inherited objects.

Setting Description

File System

Audit user attempts to access file system objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Write, Read, or Modify, and the account making the request match the settings in the SACL.

Registry

Audit attempts to access registry objects. A security audit event is generated only for objects that have SACLs and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.

Kernel Object

Audit attempts to access the system kernel, which include mutexes and semaphores. Only kernel objects with a matching SACL generate security audit events.

Note
The Audit: Audit the access of global system objects policy setting controls the default SACL of kernel objects.

SAM

Audit events generated by attempts to access Security Accounts Manager (SAM) objects.

Certification Services

Audit Active Directory Certificate Services (AD CS) operations.

Application Generated

Audit applications that generate events by using the Windows Auditing application programming interfaces (APIs). Applications designed to use the Windows Auditing API use this subcategory to log auditing events related to their function.

Handle Manipulation

Audit events generated when a handle to an object is opened or closed. Only objects with a matching SACL generate security audit events.

File Share

Audit attempts to access a shared folder. However, no security audit events are generated when a folder is created, deleted, or its share permissions are changed.

Detailed File Share

Audit attempts to access files and folders on a shared folder. The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.

Filtering Platform Packet Drop              

Audit packets that are dropped by Windows Filtering Platform (WFP).

Filtering Platform Connection

Audit connections that are allowed or blocked by WFP.

Other Object Access Events

Audit events generated by the management of Task Scheduler jobs or COM+ objects.

Policy change events

Policy change events allow you to track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, any changes or attempts to change these policies can be an important aspect of security management for a network.

Setting Description

Audit Policy Change

Audit changes in security audit policy settings.

Authentication Policy Change

Audit events generated by changes to the authentication policy.

Authorization Policy Change

Audit events generated by changes to the authorization policy.

MPSSVC Rule-Level Policy Change

Audit events generated by changes in policy rules used by Windows Firewall.

Filtering Platform Policy Change

Audit events generated by changes to WFP.

Other Policy Change Events

Audit events generated by other security policy changes that are not audited in the Policy Change category.                                                       

Privilege use events

Privileges on a network are granted for users or computers to completed defined tasks. Privilege use events allow you to track the use of certain privileges on one or more computers.

Setting Description

Sensitive Privilege Use

Audit events generated by the use of sensitive privileges (user rights), such as acting as part of the operating system, backing up files and directories, impersonating a client computer, or generating security audits.

Non Sensitive Privilege Use                   

Audit events generated by the use of non-sensitive privileges (user rights), such as logging on locally or with a Remote Desktop connection, changing the system time, or removing a computer from a docking station.

Other Privilege Use Events

Not used.

System events

System events allow you to track high-level changes to a computer that are not included in other categories and that have potential security implications.

Setting Description

Security State Change

Audit events generated by changes in the security state of the computer.

Security System Extension

Audit events related to security system extensions or services.                                                                    

System Integrity

Audit events that violate the integrity of the security subsystem.

IPsec Driver

Audit events that are generated by the IPsec filter driver.

Other System Events

Audit any of the following events:

  • Startup and shutdown of the Windows Firewall.

  • Security policy processing by the Windows Firewall.

  • Cryptography key file and migration operations.

To learn more about security audit policy, see the following resources: