(2010-07-30) Auditing In Windows Server 2008 R2
Posted by Jorge on 2010-07-30
Windows Server 2008 also provided granular audit policies, but those could only be configured locally on each server with the AUDITPOL utility. From within a GPO you could only configure the global audit policies. Windows Server 2008 R2 now also allows you to configure the granular audit policies through a GPO.
The Granular Audit Policies can be found in a GPO at the following location:
–> Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration
It contains the following node and sub nodes:
- Audit Policies
  - Account Logon
    - Audit Credential Validation
    - Audit Kerberos Authentication Service
    - Audit Kerberos Service Ticket Operations
    - Audit Other Account Logon Events
  - Account Management
    - Audit Application Group Management
    - Audit Computer Management
    - Audit Distribution Group Management
    - Audit Other Account Management Events
    - Audit Security Group Management
    - Audit User Account Management
  - Detailed Tracking
    - Audit DPAPI Activity
    - Audit Process Creation
    - Audit Process Termination
    - Audit RPC Events
  - DS Access
    - Audit Detailed Directory Service Replication
    - Audit Directory Service Access
    - Audit Directory Service Changes
    - Audit Directory Service Replication
  - Logon/Logoff
    - Audit Account Lockout
    - Audit IPSec Extended Mode
    - Audit IPSec Main Mode
    - Audit IPSec Quick Mode
    - Audit Logoff
    - Audit Logon
    - Audit Network Policy Server
    - Audit Other Logon/Logoff Events
    - Audit Special Logon
  - Object Access
    - Audit Application Generated
    - Audit Certification Services
    - Audit Detailed File Share
    - Audit File Share
    - Audit File System
    - Audit Filtering Platform Connection
    - Audit Filtering Platform Packet Drop
    - Audit Handle Manipulation
    - Audit Kernel Object
    - Audit Other Object Access Events
    - Audit Registry
    - Audit SAM
  - Policy Change
    - Audit Audit Policy Change
    - Audit Authentication Policy Change
    - Audit Authorization Policy Change
    - Audit Filtering Platform Policy Change
    - Audit MPSSVC Rule-Level Policy Change
    - Audit Other Policy Change Events
  - Privilege Use
    - Audit Non-Sensitive Privilege Use
    - Audit Sensitive Privilege Use
    - Audit Other Privilege Use Events
  - System
    - Audit IPsec Driver
    - Audit Other System Events
    - Audit Security State Change
    - Audit Security System Extension
    - Audit System Integrity
  - Global Object Access Auditing
    - File System (Global Object Access Auditing)
    - Registry (Global Object Access Auditing)
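To confirm that the subcategory settings delivered through the GPO actually took effect on a server, the effective policy can be read back with AUDITPOL and compared with a baseline. The PowerShell below is an added example, not part of the original post; the function name `Compare-AuditBaseline`, the baseline values and the sample CSV are assumptions made up for illustration.

```powershell
# Added example. Baseline values below are assumptions for illustration only.
# Keys are subcategory names as AUDITPOL prints them on an English system
# (the GPO shows the same items with an "Audit " prefix).
$Baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Security Group Management' = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
}

function Compare-AuditBaseline {   # hypothetical helper name
    param(
        # Lines from: auditpol /get /category:* /r  (blank lines are tolerated)
        [Parameter(Mandatory=$true)][AllowEmptyString()][string[]]$CsvLines,
        [Parameter(Mandatory=$true)][hashtable]$Baseline
    )
    # /r output is a CSV header plus one row per subcategory; skip blank lines.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    $effective = @{}
    foreach ($r in $rows) {
        $effective[$r.Subcategory.Trim()] = $r.'Inclusion Setting'.Trim()
    }
    foreach ($name in ($Baseline.Keys | Sort-Object)) {
        # A subcategory absent from the report is flagged, not silently passed.
        $actual = if ($effective.ContainsKey($name)) { $effective[$name] } else { 'Not reported' }
        New-Object PSObject -Property @{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Baseline[$name])
        } | Select-Object Subcategory, Expected, Actual, Compliant
    }
}

# Constructed sample of the CSV report (machine name, GUIDs and settings are placeholders).
$Sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Credential Validation,{00000000-0000-0000-0000-000000000001},Success and Failure,
SRV01,System,Process Creation,{00000000-0000-0000-0000-000000000002},No Auditing,
SRV01,System,Security Group Management,{00000000-0000-0000-0000-000000000003},Success,
SRV01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000004},Success,
'@ -split "`r?`n"

# On a live server (elevated prompt) pass the real report instead of $Sample:
#   Compare-AuditBaseline -CsvLines (auditpol /get /category:* /r) -Baseline $Baseline
Compare-AuditBaseline -CsvLines $Sample -Baseline $Baseline | Format-Table -AutoSize
```

With the constructed sample, Process Creation and Audit Policy Change are reported as non-compliant. Subcategory names are localized on non-English systems, so a baseline used there would need to key on the names (or GUIDs) that system reports.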
More detailed information about each auditing topic (including events) can be found in:
- Advanced Security Audit Policy Settings
- Advanced Security Audit Policy Step-by-Step Guide
- Planning and Deploying Advanced Security Audit Policies
- Advanced Security Auditing FAQ
- Security Audit Events for Windows 7 and Windows Server 2008 R2
Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
Exchange Folder said
Hi Dude,
This is the marvellous post that I have come over after huge searches. I am really thankful to you for providing this unique information.
Denial Parl said
Thanks for sharing step-wise instructions to enable auditing on a file server.
I also found another informative PDF guide that provides in-depth information on enabling auditing on a file server and tracking every critical change in real time: http://www.lepide.com/guide/enable-file-folder-access-auditing.pdf