(2010-07-30) Auditing In Windows Server 2008 R2

Auditing In Windows Server 2008 also provided granular audit policies, but those were only configurable locally on each server through the utility called AUDITPOL. From within a GPO you could only configure the global auditing policies. Windows Server 2008 R2 now also allows you to configure the granular audit policies through a GPO.

The Granular Audit Policies can be found in a GPO at the following location:

–> Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration

It contains the following node and sub nodes:

• Audit Policies
  • Account Logon
    • Audit Credential Validation
    • Audit Kerberos Authentication Service
    • Audit Kerberos Service Ticket Operations
    • Audit Other Account Logon Events
  • Account Management
    • Audit Application Group Management
    • Audit Computer Management
    • Audit Distribution Group Management
    • Audit Other Account Management Events
    • Audit Security Group Management
    • Audit User Account Management
  • Detailed Tracking
    • Audit DPAPI Activity
    • Audit Process Creation
    • Audit Process Termination
    • Audit RPC Events
  • DS Access
    • Audit Detailed Directory Service Replication
    • Audit Directory Service Access
    • Audit Directory Service Changes
    • Audit Directory Service Replication
  • Logon/Logoff
    • Audit Account Lockout
    • Audit IPSec Extended Mode
    • Audit IPSec Main Mode
    • Audit IPSec Quick Mode
    • Audit Logoff
    • Audit Logon
    • Audit Network Policy Server
    • Audit Other Logon/Logoff Events
    • Audit Special Logon
  • Object Access
    • Audit Application Generated
    • Audit Certification Services
    • Audit Detailed File Share
    • Audit File Share
    • Audit File System
    • Audit Filtering Platform Connection
    • Audit Filtering Platform Packet Drop
    • Audit Handle Manipulation
    • Audit Kernel Object
    • Audit Other Object Access Events
    • Audit Registry
    • Audit SAM
  • Policy Change
    • Audit Audit Policy Change
    • Audit Authentication Policy Change
    • Audit Authorization Policy Change
    • Audit Filtering Platform Policy Change
    • Audit MPSSVC Rule-Level Policy Change
    • Audit Other Policy Change Events
  • Privilege Use
    • Audit Non-Sensitive Privilege Use
    • Audit Sensitive Privilege Use
    • Audit Other Privilege Use Events
  • System
    • Audit IPsec Driver
    • Audit Other System Events
    • Audit Security State Change
    • Audit Security System Extension
    • Audit System Integrity
  • Global Object Access Auditing
    • File System (Global Object Access Auditing)
    • Registry (Global Object Access Auditing)

More detailed information about each auditing topic (including events) can be found:

• Advanced Security Audit Policy Settings
• Advanced Security Audit Policy Step-by-Step Guide
• Planning and Deploying Advanced Security Audit Policies
• Advanced Security Auditing FAQ
• Security Audit Events for Windows 7 and Windows Server 2008 R2

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————