More granular audit policy in Vista and Windows 2008 Server
Over the years there have been a lot of complaints about how inflexible the audit policy in Windows is. I've long pointed out that "You just can't configure the noise out of the security log; that's the job of your log management solution." Well, Microsoft attempted to address that complaint in Vista and Windows Server 2008.
Instead of just the original 9 audit policies, they have now created subcategories, for a total of 50 different audit policies. You can manage auditing either at the category level (the original 9 policies) or at the subcategory level.
How much of an improvement is the new approach? Minor at best. There are a few subcategories you might be able to disable entirely, but in general I find that most subcategories contain events that you need. That's because the noise can't be defined in terms of discrete event IDs. For instance, event ID 672 may or may not be noise depending on values within the description of the event. I want 627 if it's for a user who just attempted to authenticate, but not if it was triggered by a computer authenticating to the domain controller in order to apply group policy. What we really need is something more akin to firewall rules that let you keep or discard events based on custom criteria.
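To make the "firewall rules" idea concrete, here is an added example (not code from the original post) of a small keep/discard rule engine in PowerShell that decides on values inside the event data rather than on the event ID alone. The post uses the Windows 2003-era event ID 672; its Vista/2008 counterpart is 4768 (a Kerberos authentication ticket was requested), and a computer account is recognisable by the trailing `$` on its account name. The sample events are constructed for the demo; the commented section at the end shows the same rules applied to the live Security log with `Get-WinEvent`.

```powershell
# Added example, not from the original post. Rules are evaluated in order and the
# first match decides; an event that matches no rule is kept by default.
$rules = @(
    # Always keep failed AS requests (a failed 4768 carries a non-zero Status field),
    # whether they come from a user or a computer account.
    @{ Name = 'keep failed AS requests'; Id = 4768; Action = 'Keep';
       Match = { param($d) $d.Status -ne '0x0' } },
    # Drop successful AS requests made by computer accounts (name ends in '$'),
    # which is the Group Policy refresh noise the post complains about.
    @{ Name = 'drop computer-account AS requests'; Id = 4768; Action = 'Drop';
       Match = { param($d) $d.TargetUserName -like '*$' } }
)

function Get-EventData {
    # Flatten the <EventData><Data Name="..."> elements of a Get-WinEvent record
    # into a hashtable keyed by field name, so rules can refer to $d.TargetUserName.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $xml = [xml]$Record.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

function Test-KeepEvent {
    # Returns $true when the event should be forwarded, $false when it is noise.
    param([int]$Id, [hashtable]$Data)
    foreach ($r in $rules) {
        if ($r.Id -eq $Id -and (& $r.Match $Data)) {
            return ($r.Action -eq 'Keep')
        }
    }
    return $true   # no rule matched: keep by default
}

# Constructed sample events (not real log data); the comment states the expected verdict.
$samples = @(
    @{ Id = 4768; Data = @{ TargetUserName = 'alice';    Status = '0x0'  } },  # user logon -> keep
    @{ Id = 4768; Data = @{ TargetUserName = 'WKSTN01$'; Status = '0x0'  } },  # computer  -> drop
    @{ Id = 4768; Data = @{ TargetUserName = 'WKSTN01$'; Status = '0x18' } },  # failed    -> keep
    @{ Id = 4624; Data = @{ TargetUserName = 'WKSTN01$' } }                    # no rule   -> keep
)
foreach ($e in $samples) {
    $keep = Test-KeepEvent -Id $e.Id -Data $e.Data
    '{0} {1,-10} -> {2}' -f $e.Id, $e.Data.TargetUserName, $(if ($keep) { 'keep' } else { 'drop' })
}

# Live use (needs read access to the Security log; 4768 is logged on domain controllers):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents 200 |
#     Where-Object { Test-KeepEvent -Id $_.Id -Data (Get-EventData $_) }
```

The point of the ordering is that the failure rule comes first: a computer account that fails pre-authentication is exactly the kind of event you do not want filtered out along with the routine successes, so the more specific "keep" rule must win before the broad "drop" rule is consulted.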
One other caveat: you can't control the audit subcategories via group policy, only with the auditpol command. Hard to believe, right? Maybe that will change in Windows Server 2008, but Vista requires you to execute the auditpol command on each computer where you need to enable or disable audit subcategories. Run auditpol /h for details on this command.
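Since subcategory settings have to be pushed with auditpol on each machine, here is an added example (not from the original post) of a PowerShell wrapper that backs up the current policy, applies a list of subcategory settings, and reads the effective settings back. It assumes an elevated prompt and `auditpol.exe` on the path; the subcategory names come from the table below, and the particular success/failure choices are only a sample, not a recommendation from the post.

```powershell
# Added example, not from the original post. Each entry names a subcategory exactly
# as auditpol lists it and the success/failure setting to apply.
$settings = @(
    @{ Subcategory = 'Logon';                         Success = 'enable';  Failure = 'enable'  },
    @{ Subcategory = 'Logoff';                        Success = 'enable';  Failure = 'disable' },
    @{ Subcategory = 'Account Lockout';               Success = 'enable';  Failure = 'enable'  },
    @{ Subcategory = 'Process Creation';              Success = 'enable';  Failure = 'disable' },
    @{ Subcategory = 'Filtering Platform Packet Drop'; Success = 'disable'; Failure = 'disable' }
)

# Save the current policy first; auditpol /restore /file:<path> puts it back if needed.
$backup = Join-Path $env:TEMP 'auditpol-before.csv'
& auditpol.exe /backup "/file:$backup"
if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed with exit code $LASTEXITCODE" }
"Previous policy saved to $backup"

# Apply each subcategory. PowerShell quotes arguments that contain spaces, so
# "/subcategory:Account Lockout" reaches auditpol as a single argument.
foreach ($s in $settings) {
    & auditpol.exe /set "/subcategory:$($s.Subcategory)" "/success:$($s.Success)" "/failure:$($s.Failure)"
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($s.Subcategory)' (exit code $LASTEXITCODE)" }
}

# Read back the effective setting for each subcategory we touched.
foreach ($s in $settings) {
    & auditpol.exe /get "/subcategory:$($s.Subcategory)"
}

# For the complete picture (all categories and subcategories) run:
# auditpol.exe /get /category:*
```

Because this has to run on every computer, keep the script and the backup file with your build or logon scripts rather than applying it by hand, and re-run `auditpol /get /category:*` afterwards to confirm the subcategory settings actually took effect.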
Here are the new audit subcategories in relation to the original 9.

| Top level category | Sub category | Audit policy name |
|---|---|---|
| System | Security State Change | Audit system events |
| | Security System Extension | |
| | System Integrity | |
| | IPsec Driver | |
| | Other System Events | |
| Logon/Logoff | Logon | Audit logon events |
| | Logoff | |
| | Account Lockout | |
| | IPsec Main Mode | |
| | IPsec Quick Mode | |
| | IPsec Extended Mode | |
| | Special Logon | |
| | Other Logon/Logoff Events | |
| | Network Policy Server | |
| Object Access | File System | Audit object access |
| | Registry | |
| | Kernel Object | |
| | SAM | |
| | Certification Services | |
| | Application Generated | |
| | Handle Manipulation | |
| | File Share | |
| | Filtering Platform Packet Drop | |
| | Filtering Platform Connection | |
| | Other Object Access Events | |
| Privilege Use | Sensitive Privilege Use | Audit privilege use |
| | Non Sensitive Privilege Use | |
| | Other Privilege Use Events | |
| Detailed Tracking | Process Creation | Audit process tracking |
| | Process Termination | |
| | DPAPI Activity | |
| | RPC Events | |
| Policy Change | Audit Policy Change | Audit policy change |
| | Authentication Policy Change | |
| | Authorization Policy Change | |
| | MPSSVC Rule-Level Policy Change | |
| | Filtering Platform Policy Change | |
| | Other Policy Change Events | |
| Account Management | User Account Management | Audit account management |
| | Computer Account Management | |
| | Security Group Management | |
| | Distribution Group Management | |
| | Application Group Management | |
| | Other Account Management Events | |
| DS Access | Directory Service Access | Audit directory service access |
| | Directory Service Changes | |
| | Directory Service Replication | |
| | Detailed Directory Service Replication | |
| Account Logon | Kerberos Service Ticket Operations | Audit account logon events |
| | Credential Validation | |
| | Kerberos Authentication Service | |
| | Other Account Logon Events | |