Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-07-30) Auditing In Windows Server 2008 R2

Posted by Jorge on 2010-07-30

Auditing In Windows Server 2008 also provided granular audit policies, but those were only configurable locally on each server through the utility called AUDITPOL. From within a GPO you could only configure the global auditing policies. Windows Server 2008 R2 now also allows you to configure the granular audit policies through a GPO.

The Granular Audit Policies can be found in a GPO at the following location:

–> Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration

It contains the following node and sub nodes:

  • Audit Policies
    • Account Logon
      • Audit Credential Validation
      • Audit Kerberos Authentication Service
      • Audit Kerberos Service Ticket Operations
      • Audit Other Account Logon Events
    • Account Management
      • Audit Application Group Management
      • Audit Computer Management
      • Audit Distribution Group Management
      • Audit Other Account Management Events
      • Audit Security Group Management
      • Audit User Account Management
    • Detailed Tracking
      • Audit DPAPI Activity
      • Audit Process Creation
      • Audit Process Termination
      • Audit RPC Events
    • DS Access
      • Audit Detailed Directory Service Replication
      • Audit Directory Service Access
      • Audit Directory Service Changes
      • Audit Directory Service Replication
    • Logon/Logoff
      • Audit Account Lockout
      • Audit IPSec Extended Mode
      • Audit IPSec Main Mode
      • Audit IPSec Quick Mode
      • Audit Logoff
      • Audit Logon
      • Audit Network Policy Server
      • Audit Other Logon/Logoff Events
      • Audit Special Logon
    • Object Access
      • Audit Application Generated
      • Audit Certification Services
      • Audit Detailed File Share
      • Audit File Share
      • Audit File System
      • Audit Filtering Platform Connection
      • Audit Filtering Platform Packet Drop
      • Audit Handle Manipulation
      • Audit Kernel Object
      • Audit Other Object Access Events
      • Audit Registry
      • Audit SAM
    • Policy Change
      • Audit Audit Policy Change
      • Audit Authentication Policy Change
      • Audit Authorization Policy Change
      • Audit Filtering Platform Policy Change
      • Audit MPSSVC Rule-Level Policy Change
      • Audit Other Policy Change Events
    • Privilege Use
      • Audit Non-Sensitive Privilege Use
      • Audit Sensitive Privilege Use
      • Audit Other Privilege Use Events
    • System
      • Audit IPsec Driver
      • Audit Other System Events
      • Audit Security State Change
      • Audit Security System Extension
      • Audit System Integrity
    • Global Object Access Auditing
      • File System (Global Object Access Auditing)
      • Registry (Global Object Access Auditing)

More detailed information about each auditing topic (including events) can be found:

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############
######### ########


2 Responses to “(2010-07-30) Auditing In Windows Server 2008 R2”

  1. Hi Dude,

    This is the marvellous post that I have come over after huge searches. I am really thankful to you for providing this unique information.

  2. Thanks for sharing step-wise instructions to enable auditing on file server.
    I also find one another informative PDF guide that provides a depth information to enable auditing on file server and track every critical changes into real time :

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: