WinSecWiki > Security Settings > Local Policies > Audit Policy > Recommened Baseline

Recommended Baseline Audit Policy for Windows Server 2008

If you enable too wide an audit policy you will be innundated with "noise" events. I recommend starting with this and tweaking from there. This policy turns off the worst offenders and other categories whose events aren't typically worth much.

Before using this recommendation make sure you review my article on auditpol and its related articles as well!

(Running all these commands at once also makes your hard drive emit a really cool sound pattern,too!)

auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable

auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable

auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable

auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

auditpol /set /subcategory:"Logoff" /success:enable /failure:enable

auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable

auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable

auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable

auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable

auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable

auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable

auditpol /set /subcategory:"File System" /success:enable /failure:enable

auditpol /set /subcategory:"Registry" /success:enable /failure:enable

auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable

auditpol /set /subcategory:"SAM" /success:disable /failure:disable

auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable

auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable

auditpol /set /subcategory:"File Share" /success:enable /failure:enable

auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable

auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable

auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable

auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable

auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable

auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable

auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable

auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable

auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable

auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable

auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable

auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable

auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable

auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable

auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable

auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable

auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable

auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable

auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable

auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable

auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

Upcoming Webinars

Additional Resources

Audit Policy

•	Account Logon
•	Account Management
•	DS Access
•	Audit Logon
•	Object Access
•	Policy Change
•	Privilege Use
•	Process Tracking
•	System Events
•	Non Audit
•	Uncategorized
•	Auditpol
•	Recommened Baseline

User name:
Password:
	/ Forgot?
	Register

April 2024 Patch Tuesday	"Patch Tuesday - One Zero Day and Record Number of Patches! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2024 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.