Need to define an audit policy

  • Question

  • I have been asked to define an audit policy baseline for a (2016) domain

    A couple of things have always confused me: the basic and advanced settings. None of the MS articles even mention the basic ones anymore, yet I always see them configured on cust domains. Is there any reason to have them enabled in both places, or does it cause a double-up of events if both are enabled (say for account logon, for instance)?

    DD Policy:
    This doc contains recommendations:
    https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

    Every domain I have ever seen has the account logon and other common audit settings enabled in the DD policy, yet the above article doesn't mention those as a setting to apply to domain controllers. Is this correct? Certainly the DC security logs are currently capturing user logon events to the domain when those are enabled in the DDP.

    Does anyone have recommended settings for a balance between capturing events and a sensible security log size? I currently have a situation where we are over-auditing: the PDC has a 6 GB security log file and it's only holding records for about 4 days, literally millions of records in the log.

    TIA
    Friday, September 13, 2019 2:36 AM

Answers

  • Hi,

    Local audit policies are more basic and simple, while the advanced settings are much more granular and allow us to audit very specific items.

    Basic audit policy settings are not compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied. After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings.

    So it won't cause a double-up of events if both are enabled.

    For more information about the difference, you can refer to the following link:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-auditing-faq


    For planning and deploying advanced security audit policies, you can refer to the following link:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies


    Best Regards,

    Fan



    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Marked as answer by Geezer32 Wednesday, September 18, 2019 2:06 AM
    Monday, September 16, 2019 3:05 AM
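    As an added example (not from this thread and not Microsoft's code), the following PowerShell check can be run in an elevated session on a domain controller to see which audit model is actually in effect (the advanced subcategories reported by auditpol are what the system enforces once they are applied, so no double-up occurs), and to measure how many days of history the Security log's current size really holds. The sample size in step 4 is an assumption.

```powershell
# Added example: report the effective audit policy and Security log retention on a DC.
# Built-in tools only (auditpol.exe, Get-WinEvent); run elevated on the DC after a gpupdate.

# 1. Is "Audit: Force audit policy subcategory settings to override audit policy category
#    settings" enabled? When it is 1, basic (category) settings are ignored entirely.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
$forceSub = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
"Advanced subcategory settings override basic categories: $forceSub"

# 2. Effective advanced audit policy, parsed from auditpol's CSV output (/r) instead of
#    screen-scraping the human-readable listing.
$csv      = auditpol /get /category:* /r | ConvertFrom-Csv
$enabled  = @($csv | Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' })
$disabled = @($csv | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
"Audited subcategories: $($enabled.Count); not audited: $($disabled.Count)"
$enabled | Sort-Object Subcategory | Format-Table Subcategory, 'Inclusion Setting' -AutoSize

# 3. Security log sizing: days of history the current maximum size holds, and MB per day.
$log    = Get-WinEvent -ListLog Security
$oldest = Get-WinEvent -LogName Security -MaxEvents 1 -Oldest
$newest = Get-WinEvent -LogName Security -MaxEvents 1
$span   = $newest.TimeCreated - $oldest.TimeCreated
$mbPerDay = [math]::Round(($log.FileSize / 1MB) / [math]::Max($span.TotalDays, 0.01), 1)
"Security log: max {0:N0} MB, {1:N0} records, {2:N1} days retained, ~{3} MB/day, mode {4}" -f `
    ($log.MaximumSizeInBytes / 1MB), $log.RecordCount, $span.TotalDays, $mbPerDay, $log.LogMode

# 4. Which event IDs dominate the newest events? This shows which subcategories to tune first
#    when over-auditing. 5000 is an assumed sample size; raise it on a busy DC.
$sample = Get-WinEvent -LogName Security -MaxEvents 5000
$sample | Group-Object Id | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize
```

    Compare the step 3 figures against the retention your policy requires before raising the log size or trimming subcategories, so that the change is sized to measured volume rather than guessed.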

All replies

  • Thanks for the info.
    Wednesday, September 18, 2019 2:06 AM
  • Thanks for your posting here.

    If there is anything else we can do for you, please feel free to post in the forum.

    Best Regards,

    Fan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, September 18, 2019 7:57 AM