GPO Advanced Policy Configuration
Overview of Arctic Wolf GPO Advanced Audit Policy Configuration
To capture security and operational events on Windows servers, you must configure audit policies for each domain to generate events in the Windows Event Log. In Windows Server 2008 R2 and newer, the default auditing policies combined with the Arctic Wolf® recommended settings generate events that give your Concierge Security® Team (CST) visibility into your Windows environment.
This document describes how to configure a Group Policy Object (GPO) with a default set of Advanced Audit Policy Configuration settings and Arctic Wolf-recommended settings to ensure that your Windows host produces the expected set of audit events.
Configure your Arctic Wolf GPO Advanced Audit Policy
The Arctic Wolf GPO Advanced Audit Policy applies advanced security audit policy settings to all computers in your domain.
Notes:
- These instructions apply to Server 2008 R2 and newer.
- If you already have a policy with basic audit policy settings configured under Computer Management > Policies > Windows Settings > Security Settings > Local Policies > Security Policies, this procedure replaces that policy with advanced settings.
- Audit policies, for each domain, must be configured to generate events in the Windows Event Log. This enables Arctic Wolf to monitor security and operational events on your Windows server.
  Note: Auditing additional items, for example object access, can delay observations.
- To prevent a conflict with the Arctic Wolf Advanced Audit Policy controls, ensure that there are no other auditing policies linked to the domain, site, or other organizational units defined at the Domain Controller.
See the following for more information:
To configure your Arctic Wolf GPO Advanced Audit Policy:
- Open or create your Arctic Wolf GPO Advanced Audit Policy.
- Configure Advanced Audit Policy settings.
- Enforce the Arctic Wolf GPO Advanced Audit Policy.
- Set the precedence of an Advanced Audit Policy.
- Update domain controller Group Policy.
- Review your log settings.
Open or create an Arctic Wolf GPO Advanced Audit Policy
- Click Start > Group Policy Management.
- In the navigation pane, expand Forest: <DomainName>, where <DomainName> is the name of your domain, and then expand the Domains folder.
- If you already have an Arctic Wolf GPO Advanced Audit Policy, complete the following steps; otherwise, proceed to the next step:
  - Right-click the domain name, select Link an Existing GPO, and then select Edit.
  - Proceed to Configure Advanced Audit Policy settings.
- If you do not have an existing Arctic Wolf GPO Advanced Audit Policy, complete the following:
  - Right-click the domain name and select Create a GPO in this domain, and Link it here.
    The New GPO dialog appears.
  - In the Name field, enter AWN Audit Policy.
  - From the Source Starter GPO list, select (none).
  - Click OK.
  - Right-click the new GPO and select Edit.
  - Proceed to Configure Advanced Audit Policy settings.
Configure Advanced Audit Policy settings
- Verify that the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting is Enabled.
  To enable this setting:
  - In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
  - Locate and then right-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then select Properties.
  - Click the Security Policy Setting tab.
  - Select the Define this policy setting checkbox, and then select Enabled.
  - Click OK.
  Tip: See the Microsoft documentation for this security option for more information.
- In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
  Tip: Resize the window and tree view to completely view the policy tree.
- Edit the audit policy settings:
  - Under Audit Policies, select the category. For example, Account Logon.
  - Double-click the corresponding subcategory. For example, Audit Credential Validation.
  - Edit the policy setting as indicated in the table.
  - Verify that each setting has these checkboxes selected:
    - Configure the following audit events
    - Success or Failure according to the Audit Events listed in the table.
  This table lists the policy setting checkboxes to select:

  Category           | Subcategory                              | Audit event settings
  -------------------|------------------------------------------|---------------------
  Account Logon      | Audit Credential Validation              | Success and Failure
  Account Logon      | Audit Kerberos Authentication Service    | Success and Failure
  Account Logon      | Audit Kerberos Service Ticket Operations | Success and Failure
  Account Logon      | Audit Other Account Logon Events         | Success and Failure
  Account Management | Audit Computer Account Management        | Success and Failure
  Account Management | Audit Other Account Management Events    | Success and Failure
  Account Management | Audit Security Group Management          | Success and Failure
  Account Management | Audit User Account Management            | Success and Failure
  Detailed Tracking  | Audit DPAPI Activity                     | Success
  Detailed Tracking  | Audit Process Creation                   | Success
  Detailed Tracking  | Audit Process Termination                | Success
  Detailed Tracking  | Audit Token Right Adjusted               | Success
  DS Access          | Audit Directory Service Access           | Success
  DS Access          | Audit Directory Service Changes          | Success
  Logon/Logoff       | Audit Account Lockout                    | Success and Failure
  Logon/Logoff       | Audit Logoff                             | Success and Failure
  Logon/Logoff       | Audit Logon                              | Success and Failure
  Logon/Logoff       | Audit Network Policy Server              | Success and Failure
  Logon/Logoff       | Audit Other Logon/Logoff Events          | Success and Failure
  Logon/Logoff       | Audit Special Logon                      | Success and Failure
  Policy Change      | Audit Audit Policy Change                | Success and Failure
  Policy Change      | Audit Authentication Policy Change       | Success and Failure
  Policy Change      | Audit Authorization Policy Change        | Success and Failure
  Policy Change      | Audit MPSSVC Rule-Level Policy Change    | Success
  Privilege Use      | Audit Sensitive Privilege Use            | Success and Failure
  System             | Audit IPsec Driver                       | Success
  System             | Audit Other System Events                | Success and Failure
  System             | Audit Security State Change              | Success and Failure
  System             | Audit Security System Extension          | Success and Failure
  System             | Audit System Integrity                   | Success and Failure
- In the same Group Policy, enable these command-line policies:
  Note: These configuration options do not appear unless the domain functional level is Windows Server 2012 R2 or higher. See Active Directory Domain Services Functional Levels in Windows Server for more information.
  - Navigate to Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation, and then set Include command line in process creation events to Enabled.
  - Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, and then set Turn on PowerShell Script Block Logging to Enabled.
- Close the Group Policy Management Editor window after completing all audit and command-line policy changes.
- In the navigation pane, select AWN Audit Policy.
- Click the Settings tab.
- Compare the policy configuration settings to the audit policy settings you edited earlier in this procedure.
  Note: Even if the settings here are correct, they may not have been applied yet.
- Verify that the AD audit settings were applied by running auditpol.exe /get /category:* on every domain controller in your environment. Review the results of the command against the settings from above. If the results are incorrect or return No Auditing:
  - Run gpupdate /force, followed by auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
  - Navigate back to Audit Policies and complete the following steps for those that did not update:
    Note: You do not need to follow this procedure for every policy. You only need to do this for one policy.
    - Deselect the applicable checkboxes, and then click Apply.
    - Reselect the appropriate checkboxes, and then click Apply.
    - Run gpupdate /force.
    - Run auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
  - Run gpresult /h auditsettings.html and send the HTML file that is created to Arctic Wolf for further investigation.
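The verification step above compares auditpol output against the table by eye. The following PowerShell script, an added example that is not part of Arctic Wolf's documentation or tooling, automates that comparison for the subcategory table and the two command-line logging policies. It assumes auditpol's /r CSV output format and the registry values that the two Administrative Template policies write when set to Enabled.

```powershell
# Added example, not Arctic Wolf tooling: compare this host's effective audit policy with the
# subcategory table above and check the two command-line logging policies. Run elevated on each
# domain controller after gpupdate /force. Names drop the leading "Audit " because auditpol
# reports them without it ("Audit Audit Policy Change" appears as "Audit Policy Change").
$SuccessAndFailure = @(
    'Credential Validation', 'Kerberos Authentication Service', 'Kerberos Service Ticket Operations',
    'Other Account Logon Events', 'Computer Account Management', 'Other Account Management Events',
    'Security Group Management', 'User Account Management', 'Account Lockout', 'Logoff', 'Logon',
    'Network Policy Server', 'Other Logon/Logoff Events', 'Special Logon', 'Audit Policy Change',
    'Authentication Policy Change', 'Authorization Policy Change', 'Sensitive Privilege Use',
    'Other System Events', 'Security State Change', 'Security System Extension', 'System Integrity'
)
$SuccessOnly = @(
    'DPAPI Activity', 'Process Creation', 'Process Termination', 'Token Right Adjusted',
    'Directory Service Access', 'Directory Service Changes', 'MPSSVC Rule-Level Policy Change', 'IPsec Driver'
)
$Expected = @{}
$SuccessAndFailure | ForEach-Object { $Expected[$_] = 'Success and Failure' }
$SuccessOnly       | ForEach-Object { $Expected[$_] = 'Success' }

# /r makes auditpol emit CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting); blank lines are dropped before parsing.
$Effective = auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
$Mismatches = [System.Collections.Generic.List[object]]::new()
foreach ($row in $Effective) {
    $name = $row.Subcategory.Trim()
    if ($Expected.ContainsKey($name) -and $row.'Inclusion Setting' -ne $Expected[$name]) {
        $Mismatches.Add([pscustomobject]@{ Setting = $name; Expected = $Expected[$name]; Actual = $row.'Inclusion Setting' })
    }
}

# The two Administrative Template policies write these registry values (1 = Enabled) when applied.
$RegistryChecks = @{
    'Include command line in process creation events' = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit', 'ProcessCreationIncludeCmdLine_Enabled')
    'Turn on PowerShell Script Block Logging'          = @('HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging', 'EnableScriptBlockLogging')
}
foreach ($policy in $RegistryChecks.Keys) {
    $path, $valueName = $RegistryChecks[$policy]
    $actual = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
    if ($actual -ne 1) {
        $Mismatches.Add([pscustomobject]@{ Setting = $policy; Expected = 'Enabled (1)'; Actual = $(if ($null -eq $actual) { 'Not configured' } else { $actual }) })
    }
}

if ($Mismatches.Count -eq 0) {
    Write-Output 'All audit subcategories and command-line logging policies match the recommended settings.'
} else {
    $Mismatches | Format-Table -AutoSize   # fix these via the gpupdate and checkbox-toggle steps above
}
```

Any row listed under Actual as No Auditing or Not configured is a candidate for the gpupdate /force and checkbox-toggle steps above; subcategories the table does not set are ignored.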
Enforce the Arctic Wolf GPO Advanced Audit Policy
- Right-click your Arctic Wolf GPO Audit Policy, and select Enforced if it is not already selected.
- Verify that a lock overlay appears in the policy icon.
  This confirms that the Audit Policy is enforced on the domain.
Set the precedence of an Advanced Audit Policy
The Arctic Wolf GPO requires precedence over other GPOs.
- In the navigation pane, click Forest: <DomainName>, where <DomainName> is the name of your domain.
- Click the Group Policy Inheritance tab.
- In the GPO column, locate your GPO, and then click and drag it to the top of the list.
- In the Precedence column, verify that your GPO is 1 (Enforced).
- Close the Group Policy Management window.
Update the domain controller Group Policy
- Click Start > Windows PowerShell or Command Prompt.
- Run the following command:
  gpupdate /force
  Note: If you are prompted to sign off or restart after the user and computer policy updates complete, press N and then press Enter.
- Close Windows PowerShell or the Command Prompt. The audit settings are now successfully applied with Group Policy.
Review your log settings
After updating audit settings, review log settings to ensure that they align with your company best practices. Microsoft recommends specific settings for: