Group Policy Auditing Standards

By Samantha Agather – Information Security Associate – Intrinium

In the digital world ours has become, it is more important than ever to be aware of attackers and to stay ahead of them as much as possible.  But the external hacker or criminal organization is not the only concern: there are internal threats, too.  A disgruntled employee who, for one reason or another, has come to the end of their rope may proceed to steal data, grant themselves or others administrative privileges, and compromise your network security.

A powerful tool in your metaphorical toolbox is Group Policy.  Here you can set restrictions on the groups you add your users to, ensure that only authorized users hold administrative privileges, and monitor the use of removable storage media.

Audit logging is critical: our users are creative, and we can’t come up with a way to block them from doing everything; it’s like calculating pi, a chore that never ends.  Having a way to track what they’re doing helps us begin to anticipate the unexpected.  So, to help shine a light into a maze of technological complexity, we bring you our recommendations for audit settings in your Group Policy, and where you can find them.

To modify the GPO:  open “Group Policy Management” and drill down until you see *.local (where * is replaced by your company name or another predetermined prefix).

Click on “Default Domain Policy”, then on the “Settings” tab.  You will get a message reading “Generating report”; wait for it to populate.

Once it populates, navigate to the path below and verify each of the settings.  If a setting is incorrect, right-click it and select Edit.  On the left-hand side, navigate to “Windows Settings” -> “Security Settings” and then to the setting that needs to be changed.  Double-click the setting, and select the options that match the descriptions below.

Path:   Default Domain Policy->Computer Configuration->Policies->Windows Settings->Security Settings

Local Policies/Audit Policy

| Policy | Setting | Why this is important | Related codes | More information |
|---|---|---|---|---|
| Audit account logon events | Success/Failure | Tracks logon events for another device in which the current device is used to validate the account. | 4624, 4625, 4648 | Microsoft’s Website |
| Audit logon events | Success/Failure | Tracks all logging on and off of devices. It logs the username that attempts to log on, and helps track down instances where unauthorized users accessed or attempted to access the system. | 4624, 4625, 4648, 4649, 4800, 4801, 4964, 5378 | Microsoft’s Website |

Local Policies/Security Options/Other

| Policy | Setting | Why this is important | Related codes | More information |
|---|---|---|---|---|
| Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings | Enabled | Allows auditing events at a categorical level without revising a policy. | | Microsoft’s Website |
| Audit use of backup and restore privileges | Enabled | We want to ensure that only authorized persons are able to use the backup and restore functions; they could otherwise be used to cover up malicious activity. | | Microsoft’s Website |

Advanced Audit Configuration/Account Management, Account Logon, Object Access, Logon/Logoff, and Policy Change

| Policy | Setting | Why this is important | Related codes | More information |
|---|---|---|---|---|
| Account Management/Audit Security Group Management | Success/Failure | Audits events generated by changes to security groups, such as a group being created, changed or deleted, a member being added or removed, or the group type being changed. | 4728, 4729, 4732, 4733, 4735, 4737, 4755, 4756, 4757, 4764 | Microsoft’s Website |
| Account Management/Audit User Account Management | Success/Failure | Determines whether the operating system generates audit events when specific user account management tasks are performed, such as an account being created, a password being changed, or permissions being changed. | 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4794 | Microsoft’s Website |
| Account Logon/Audit Kerberos Service Ticket Operations | Success/Failure | Can help detect replay attacks. | 4769, 4770, 4773 | Microsoft’s Website |
| Object Access/Audit Kernel Object | | Keeps track of users and processes that attempt to modify kernel objects.  This can help detect attempts to conceal malicious activity. | 4656, 4658, 4660, 4663 | Microsoft’s Website |
| Object Access/Audit Registry | | Monitors any changes a program or a user makes to the registry. | 4663, 4656, 4658, 4660, 4657, 5039, 4670 | Microsoft’s Website |
| Object Access/Audit Removable Storage | | Monitors use of removable storage to keep confidential information from being removed from computers. | 4663, 4656, 4658, 4660, 4657, 5039, 4670 | Microsoft’s Website |
| Logon/Logoff/Audit Logoff | Success/Failure | Determines whether the operating system generates audit events when logon sessions are terminated.  These occur on the machine that was logged on to.  This is essential to understanding user activity and detecting potential attacks.  Logoff events aren’t entirely reliable; for instance, failed logoffs do not generate audit records. | 4634, 4647 | Microsoft’s Website |
| Logon/Logoff/Audit Logon | Success/Failure | Records logon successes and failures, logon attempts using explicit credentials, and filtered SIDs. | 4624, 4625, 4648 | Microsoft’s Website |
| Logon/Logoff/Audit Network Policy Server | Success/Failure | Audits events generated by RADIUS and NAP activity related to user access requests (Grant, Deny, Discard, etc.). | 6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280 | Microsoft’s Website |
| Policy Change/Audit Audit Policy Change | Success/Failure | Keeps track of the Audit Policy.  If it is changed, it could be an indicator of an attack or a compromise.  For example, if the Audit Policy changes and the “Audit Removable Storage” setting switches from “Enabled” to “Disabled”, it could be a sign that someone is going to transfer data without permission. | 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4794 | Microsoft’s Website |
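Reviewing the GPO report tells you what the policy says; the check below, an added example that is not part of the original post, asks the machine what audit policy is actually in effect and compares it with the Success/Failure settings recommended in the tables above. It assumes an elevated prompt on a domain-joined machine and relies on the CSV output of `auditpol /get /r` and on the SCENoApplyLegacyAuditPolicy registry value that backs the "Force audit policy subcategory settings" option.

```powershell
# Added example, not from the original post: compare this machine's effective
# audit policy with the settings recommended in the tables above.
# Run from an elevated prompt; auditpol.exe ships with Windows.

# Subcategories the tables give an explicit Success/Failure setting for.
# (Kernel Object, Registry and Removable Storage list no setting, so they are not checked.)
$Expected = @{
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Logoff'                             = 'Success and Failure'
    'Logon'                              = 'Success and Failure'
    'Network Policy Server'              = 'Success and Failure'
    'Audit Policy Change'                = 'Success and Failure'
}

# auditpol's /r switch prints CSV with the columns:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$Effective = auditpol /get /category:* /r |
    Where-Object { $_.Trim() -ne '' } |
    ConvertFrom-Csv

$Report = foreach ($name in $Expected.Keys) {
    $row    = $Effective | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { '<subcategory not found>' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $Expected[$name]
        Actual      = $actual
        Compliant   = ($actual -eq $Expected[$name])
    }
}

# The "Force audit policy subcategory settings ... to override" security option is
# stored as the SCENoApplyLegacyAuditPolicy registry value (1 = Enabled).
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
$Report += [pscustomobject]@{
    Subcategory = 'Force subcategory settings to override (security option)'
    Expected    = 'Enabled'
    Actual      = if ($force -eq 1) { 'Enabled' } else { 'Disabled / not set' }
    Compliant   = ($force -eq 1)
}

# Non-compliant rows sort to the top so they are the first thing you see.
$Report | Sort-Object Compliant | Format-Table -AutoSize
```

Run it on a workstation as well as on a domain controller: the effective policy differs when a more specific GPO than Default Domain Policy is linked to the OU the machine sits in.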

Testing methods:

->Testing user changes:

  1. Open “Event Viewer”, navigate to Windows Logs/Security, and keep it open on half of your screen.
  2. Open “Active Directory Users and Computers” and, in your “xxxx.local” domain, navigate to “Users”.
  3. Create a new user
    -Right-click in the right-hand pane, select New, and select User.
    -Set up your dummy user.
    -Once your user is set up, switch to your Event Viewer and refresh.  You should see the logs for that user.
  4. Modify the user
    -Open your dummy user, make a change, and hit Apply.
    -Switch to Event Viewer and refresh to check the logs.
  5. Delete the user
    -Right-click on your dummy user and delete it.
    -Switch to your Event Viewer and refresh to check the logs.

->Testing logon/logoff

**Before you begin: testing for this section works best with two computers or VMs, and at a time when few users or applications are generating logon/logoff events.**

  1. Have a user log on
  2. Refresh Event Viewer
  3. Have the user log off
  4. Refresh Event Viewer


->Testing group changes

  1. Edit the dummy user, navigate to “Member of”, and add a group
  2. Switch to Event Viewer and refresh
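Refreshing Event Viewer by hand works for a handful of events, but the script below, an added example and not part of the original post, pulls the Security events the three tests above should have produced and shows the actor, the affected account or group, and the member added or removed. It assumes an elevated PowerShell session on the domain controller you were watching and that the tests ran within the last 30 minutes; the event IDs are the ones listed in the tables above.

```powershell
# Added example, not from the original post: after running the three tests above,
# pull the Security events each test should have produced on the domain controller.
# Run in an elevated PowerShell on the DC whose Event Viewer you were watching.
$Since = (Get-Date).AddMinutes(-30)   # assumption: the tests ran within the last 30 minutes

# Event IDs taken from the tables above, grouped by the test that should trigger them.
$Tests = [ordered]@{
    'User changes'  = 4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740
    'Logon/logoff'  = 4624, 4625, 4634, 4647, 4648
    'Group changes' = 4728, 4729, 4732, 4733, 4735, 4737, 4756, 4757
}

# Read one named field from the event's XML body. Positions in $Event.Properties
# differ from one event ID to the next, so the XML field names are more reliable.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

foreach ($test in $Tests.Keys) {
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $Tests[$test]
        StartTime = $Since
    } -ErrorAction SilentlyContinue)   # "no events found" is a result here, not an error

    Write-Host "`n== $test : $($events.Count) event(s) since $Since =="
    if ($events.Count -eq 0) {
        Write-Host "   none found - re-check the audit settings that cover this test"
        continue
    }

    $events | ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Actor  = Get-EventField $_ 'SubjectUserName'  # who made the change or logged on
            Target = Get-EventField $_ 'TargetUserName'   # account or group affected
            Member = Get-EventField $_ 'MemberName'       # only present on group-membership events
        }
    } | Format-Table -AutoSize
}
```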
