Group Policy Auditing Standards

By Samantha Agather –  Information Security Associate – Intrinium

Staying aware of, and ahead of, attackers matters more than ever.  But the external hacker or criminal organization is not the only concern: there are internal threats too.  A disgruntled employee who, for one reason or another, has come to the end of their rope may steal data, grant themselves or others administrative privileges, and compromise your network security.

Group Policy is a powerful tool in your metaphorical toolbox.  With it you can restrict what the groups your users belong to are allowed to do, ensure that only authorized users hold administrative privileges, and monitor the use of removable storage media.

Audit logging is critical.  Our users are creative, and we cannot think of a way to block everything they might do; like calculating pi, it is a chore that never ends.  A record of what they actually did lets us investigate, and over time anticipate, the unexpected.  So, to shine a light into a maze of technological complexity, here are our recommended audit settings for your Group Policy, and where to find them.

To modify the GPO:  open “Group Policy Management” and expand the tree until you see your domain, shown as *.local (where * is your company name or another predetermined prefix).

Click on “Default Domain Policy”, then on the “Settings” tab.  You will get a message reading “Generating report”; wait for the report to populate.  Note that the Default Domain Policy applies to every computer in the domain; if you prefer not to edit it directly, the same settings can be placed in a separate GPO linked at the domain level.

Once it populates, navigate to the path below and verify each of the settings.  If a setting is incorrect, right-click the policy and select Edit.  In the editor’s left-hand pane, navigate to “Windows Settings” -> “Security Settings” and then to the setting that needs to be changed.  Double-click the setting and select the options that match the descriptions below.  Changes reach clients at the next Group Policy refresh; run gpupdate /force on a machine to apply them immediately.

Path:   Default Domain Policy->Computer Configuration->Policies->Windows Settings->Security Settings

Local Policies/Audit Policy

Each entry below gives the policy, the setting to select, why it is important, and the related Security log event IDs.  Every setting is also documented on Microsoft’s website.

Audit account logon events
  Setting:  Success/Failure
  Why this is important:  Tracks authentication performed by this device on behalf of another device, for example a domain controller validating a domain account that is logging on to a workstation.  These events are recorded on the authenticating computer, not on the one being logged on to.
  Related codes:  4768, 4771, 4776

Audit logon events
  Setting:  Success/Failure
  Why this is important:  Tracks all logging on to and off of the device.  It records the user name used in each attempt, and helps track down instances where unauthorized users accessed, or attempted to access, the system.  These events are recorded on the computer that was logged on to.
  Related codes:  4624, 4625, 4648, 4649, 4800, 4801, 4964, 5378


Local Policies/Security Options/Other

Audit:  Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  Setting:  Enabled
  Why this is important:  Makes the Advanced Audit Policy subcategory settings (below) take precedence over the legacy category settings above, so the two cannot conflict and the finer-grained subcategory settings are the ones actually applied.

Audit:  Audit the use of Backup and Restore privilege
  Setting:  Enabled
  Why this is important:  The backup privilege lets its holder read any file regardless of permissions, and the restore privilege lets them write any file, so either can be used to take data or to cover up malicious activity.  We want to know whenever they are used.  Caveat:  this generates one event for every file backed up or restored, so the volume is very high during scheduled backups; size the Security log accordingly.


Advanced Audit Configuration/Account Management, Account Logon, Object Access, Logon/Logoff, and Policy Change

Account Management/Audit Security Group Management
  Setting:  Success/Failure
  Why this is important:  Audits events generated by changes to security groups:  a group created, changed or deleted, a member added or removed, or the group type changed.  For domain groups these events are recorded on the domain controller that processed the change.
  Related codes:  4728, 4729, 4732, 4733, 4735, 4737, 4755, 4756, 4757, 4764

Account Management/Audit User Account Management
  Setting:  Success/Failure
  Why this is important:  Determines whether the operating system generates audit events when user account management tasks are performed, such as an account being created, enabled, disabled, locked out or deleted, or a password or permissions being changed.
  Related codes:  4720, 4722, 4723, 4724, 4725, 4726, 4738, 4740, 4765, 4766, 4767, 4780, 4794

Account Logon/Audit Kerberos Service Ticket Operations
  Setting:  Success/Failure
  Why this is important:  Records Kerberos service ticket requests and renewals on domain controllers.  This can help detect replay attacks and, more commonly, abnormal service ticket activity.  Expect a high volume on busy domain controllers.
  Related codes:  4769, 4770, 4773

Object Access/Audit Kernel Object
  Why this is important:  Tracks users and processes that attempt to access kernel objects such as mutexes, semaphores and sections, which can help detect attempts to conceal malicious activity.  Events are generated only for kernel objects that carry a SACL, which in practice requires the “Audit:  Audit the access of global system objects” security option to be enabled; expect a large volume.
  Related codes:  4656, 4658, 4660, 4663

Object Access/Audit Registry
  Why this is important:  Monitors access to, and changes of, registry keys by programs or users.  Events are generated only for keys that carry a SACL, so a SACL must be placed on each key you want to watch.
  Related codes:  4656, 4657, 4658, 4660, 4663, 4670, 5039

Object Access/Audit Removable Storage
  Why this is important:  Monitors every attempt to access a file system object on removable storage, to detect confidential information being copied off computers.  No SACL is needed; an event is generated for each access, so the volume can be high on machines where removable media is used routinely.
  Related codes:  4656, 4658, 4663

Logon/Logoff/Audit Logoff
  Setting:  Success/Failure
  Why this is important:  Determines whether the operating system generates audit events when logon sessions are terminated.  They occur on the machine that was logged onto.  This is essential to understanding user activity and detecting potential attacks.  Logoff events are not entirely reliable:  failed logoffs never generate audit records, so the Failure setting produces nothing, and a session can end without a logoff event (crash, power loss).
  Related codes:  4634, 4647

Logon/Logoff/Audit Logon
  Setting:  Success/Failure
  Why this is important:  Records logon successes and failures, logon attempts using explicit credentials (runas and similar), and logons in which SIDs were filtered.  Recorded on the machine that was logged on to.  Event 4624 carries a logon type that distinguishes interactive, network, remote desktop and service logons.
  Related codes:  4624, 4625, 4648

Logon/Logoff/Audit Network Policy Server
  Setting:  Success/Failure
  Why this is important:  Audits events generated by RADIUS and NAP activity related to user access requests (grant, deny, discard, quarantine, lock and unlock).  Events are only produced on servers running the Network Policy Server role.
  Related codes:  6272, 6273, 6274, 6275, 6276, 6277, 6278, 6279, 6280

Policy Change/Audit Audit Policy Change
  Setting:  Success/Failure
  Why this is important:  Keeps track of changes to the audit policy itself.  A change can be an indicator of an attack or a compromise.  For example, if the audit policy changes and “Audit Removable Storage” switches from enabled to disabled, it could be a sign that someone is going to transfer data without permission.  A change pushed through Group Policy produces the same events, so correlate them with your change records.
  Related codes:  4715, 4719, 4817, 4902, 4904, 4905, 4906, 4907, 4908, 4912
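To confirm that the settings above actually reached a machine, the following PowerShell script (an added example, not part of the original article) reads the effective advanced audit policy with auditpol and compares it with the recommendations, then checks the registry value behind the “Force audit policy subcategory settings” option.  It assumes an elevated session on a domain-joined computer after gpupdate has run; the required setting for the three Object Access subcategories, which the tables do not state, is assumed here to be Success and Failure.

```powershell
# Added example: compare a machine's effective audit policy with the recommendations.
# Run elevated on a domain-joined computer after 'gpupdate /force'.

# Subcategory -> required "Inclusion Setting" as auditpol reports it.
# Assumption: the three Object Access rows, which the article leaves unstated,
# are set to Success and Failure.
$Expected = [ordered]@{
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Kernel Object'                      = 'Success and Failure'   # assumed
    'Registry'                           = 'Success and Failure'   # assumed
    'Removable Storage'                  = 'Success and Failure'   # assumed
    'Logoff'                             = 'Success and Failure'   # Failure never fires, per the table
    'Logon'                              = 'Success and Failure'
    'Network Policy Server'              = 'Success and Failure'
    'Audit Policy Change'                = 'Success and Failure'
}

# 'auditpol /r' prints CSV (preceded by a blank line) with the columns
# Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$Effective = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

$Findings = foreach ($name in $Expected.Keys) {
    $row = $Effective | Where-Object { $_.Subcategory -eq $name }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $Expected[$name]
        Actual      = if ($row) { $row.'Inclusion Setting' } else { '(not found)' }
        Compliant   = [bool]($row -and $row.'Inclusion Setting' -eq $Expected[$name])
    }
}

# The "Audit: Force audit policy subcategory settings ... override ..." option is
# stored as SCENoApplyLegacyAuditPolicy under the Lsa key; 1 means Enabled.
$Lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Findings += [pscustomobject]@{
    Subcategory = 'Force subcategory settings (SCENoApplyLegacyAuditPolicy)'
    Expected    = '1'
    Actual      = "$($Lsa.SCENoApplyLegacyAuditPolicy)"
    Compliant   = ($Lsa.SCENoApplyLegacyAuditPolicy -eq 1)
}

$Findings | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or configuration scanner flag drift.
if ($Findings | Where-Object { -not $_.Compliant }) { exit 1 }
```

A subcategory reported as “No Auditing” when the GPO says otherwise usually means the policy has not refreshed yet, or that the force-subcategory option is disabled and a legacy category setting is winning.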

Testing methods:

->Testing user changes:

  1. Open “Event Viewer” on a domain controller and navigate to Windows Logs/Security; keep it open on half of your screen.  Account and group management events for domain accounts are written to the Security log of the domain controller that processed the change, not to your workstation; from a workstation, use Action -> Connect to Another Computer to point Event Viewer at the domain controller.
  2. Open “Active Directory Users and Computers” and, in your “xxxx.local” domain, navigate to “Users”.
  3. Create a new user
    -Right-click in the right-hand pane, select New, then User.
    -Set up your dummy user.
    -Once the user is set up, switch to Event Viewer and refresh.  You should see event 4720 (a user account was created) for that user.
  4. Modify the user
    -Open your dummy user, make a change, and click Apply.
    -Switch to Event Viewer and refresh to check the logs; expect event 4738 (a user account was changed).
  5. Delete the user
    -Right-click your dummy user and delete it.
    -Switch to Event Viewer and refresh to check the logs; expect event 4726 (a user account was deleted).


->Testing logon/logoff

**Before you begin, testing for this section works best with two computers or VMs, and during a time when few users or applications are generating logon/logoff events.  Logon and logoff events are recorded on the computer that is logged on to, so Event Viewer must be open on (or connected to) that computer.**

  1. Have a user log on to the second computer.
  2. Refresh Event Viewer and look for event 4624 for that user; the logon type in the event shows whether it was an interactive, network or remote desktop logon.
  3. Have the user log off.
  4. Refresh Event Viewer and look for event 4634 or 4647 for the same logon ID.


->Testing group changes

  1. Edit the dummy user, open the “Member of” tab, and add a group.
  2. Switch to Event Viewer (on the domain controller) and refresh.  The event ID depends on the group scope:  4728 for a global group, 4732 for a domain-local group, 4756 for a universal group.
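The three tests above can be driven from PowerShell so they are repeatable after every policy change.  The script below is an added example, not part of the original article: run on a domain controller in an elevated session with the ActiveDirectory module (RSAT) installed, it creates, changes and deletes a throwaway user and group, then pulls the events those actions should have produced from the local Security log and reports any that are missing.  The user and group names are placeholders chosen for this example.

```powershell
# Added example: exercise the user, group and (optionally) logon tests and
# collect the resulting Security events. Run elevated on a domain controller.
Import-Module ActiveDirectory

# Returns the Security events with the given IDs recorded since $Since on this machine.
function Get-AuditEvents {
    param([int[]]$Id, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } `
                 -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        Select-Object TimeCreated, Id,
            @{ n = 'Summary'; e = { ($_.Message -split "`n")[0].Trim() } }
}

$Start  = Get-Date
$User   = 'audit-test-user'     # placeholder name for this example
$Group  = 'audit-test-group'    # placeholder name for this example
$Domain = Get-ADDomain

# Testing user changes: create (4720), modify (4738), and later delete (4726).
New-ADUser -Name $User -SamAccountName $User -Path $Domain.UsersContainer
Set-ADUser -Identity $User -Description 'audit policy test'

# Testing group changes with a global security group: created (4727),
# member added (4728), member removed (4729), deleted (4730).
New-ADGroup -Name $Group -GroupScope Global -Path $Domain.UsersContainer
Add-ADGroupMember    -Identity $Group -Members $User
Remove-ADGroupMember -Identity $Group -Members $User -Confirm:$false
Remove-ADGroup       -Identity $Group -Confirm:$false
Remove-ADUser        -Identity $User  -Confirm:$false

Start-Sleep -Seconds 2   # give the log a moment to flush

$Ids    = 4720, 4738, 4727, 4728, 4729, 4730, 4726
$Events = Get-AuditEvents -Id $Ids -Since $Start
$Events | Format-Table -AutoSize

# An expected ID that never appeared points at a subcategory that is not auditing,
# or at Event Viewer being pointed at the wrong domain controller.
$Missing = $Ids | Where-Object { $_ -notin $Events.Id }
if ($Missing) { Write-Warning "No event recorded for: $($Missing -join ', ')" }

# Testing logon/logoff: after the interactive logon and logoff described above,
# run this on the computer that was logged on to.
#   Get-AuditEvents -Id 4624, 4634, 4647 -Since $Start | Format-Table -AutoSize
```

If the group test is repeated with a domain-local or universal group, replace 4728/4729 with 4732/4733 or 4756/4757 respectively, matching the Security Group Management row above.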
