GPO Advanced Policy Configuration

Overview of Arctic Wolf GPO Advanced Audit Policy Configuration Direct link to this section

To capture security and operational events on Windows servers, you must configure audit policies for each domain to generate events in the Windows Event Log. In Windows Server 2008 R2 and newer, the default auditing policies combined with the Arctic Wolf® recommended settings generate events that give your Concierge Security® Team (CST) visibility into your Windows environment.

This document describes how to configure a Group Policy Object (GPO) with a default set of Advanced Audit Policy Configuration settings and Arctic Wolf-recommended settings to ensure that your Windows host produces the expected set of audit events.

Configure your Arctic Wolf GPO Advanced Audit Policy Direct link to this section

The Arctic Wolf GPO Advanced Audit Policy applies advanced security audit policy settings to all computers in your domain.

To configure your Arctic Wolf GPO Advanced Audit Policy:

1. Open or create your Arctic Wolf GPO Advanced Audit Policy.
2. Configure Advanced Audit Policy settings.
3. Enforce the Arctic Wolf GPO Advanced Audit Policy,
4. Set the precedence of an Advanced Audit Policy.
5. Update domain controller Group Policy.
6. Review your log settings.

Open or create an Arctic Wolf GPO Advanced Audit Policy Direct link to this section

1. Click Start > Group Policy Management.

2. In the navigation pane, expand Forest: <DomainName>, where <DomainName> is the name of your domain, and then expand the Domains folder.

3. If you already have an Arctic Wolf GPO Advanced Audit Policy, complete the following steps; otherwise, proceed to the next step:

   1. Right-click the domain name, select Link an Existing GPO, and then select Edit.
   2. Proceed to Configure Advanced Audit Policy Settings.

4. If you do not have an existing Arctic Wolf GPO Advanced Audit Policy, complete the following:

   1. Right-click the domain name and select Create a GPO in this domain, and Link it here.

      The New GPO dialog appears.

   2. In the Name field, enter AWN Audit Policy.

   3. From the Source Starter GPO list, select (none).

   4. Click OK.

   5. Right-click the new GPO and select Edit.

   6. Proceed to Configure Advanced Audit Policy Settings.

Configure Advanced Audit Policy settings Direct link to this section

1. Verify that the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting is Enabled.

   To enable this setting:

   1. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
   2. Locate and then right-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then select Properties.
   3. Click the Security Policy Setting tab.
   4. Select the Define this policy setting checkbox, and then select Enabled.
   5. Click OK.

      Tip: See the Microsoft documentation for this security option for more information.

2. In the left pane of the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

   Tip: Resize the window and tree view to completely view the policy tree.

   
   

3. Edit the audit policy settings:

   1. Under Audit Policies, select the category. For example, Account Logon.
   2. Double-click the corresponding subcategory. For example, Audit Credential Validation.
   3. Edit the policy setting as indicated in the table.
   4. Verify that each setting has these checkboxes selected:
      • Configure the following audit events
      • Success or Failure according to the Audit Events listed in the table.

   This table lists the policy setting checkboxes to select:

   Category	Subcategory	Audit event settings
   Account Logon	Audit Credential Validation	Success and Failure
   Account Logon	Audit Kerberos Authentication Service	Success and Failure
   Account Logon	Audit Kerberos Service Ticket Operations	Success and Failure
   Account Logon	Audit Other Account Logon Events	Success and Failure
   Account Management	Audit Computer Account Management	Success and Failure
   Account Management	Audit Other Account Management Events	Success and Failure
   Account Management	Audit Security Group Management	Success and Failure
   Account Management	Audit User Account Management	Success and Failure
   Detailed Tracking	Audit DPAPI Activity	Success
   Detailed Tracking	Audit Process Creation	Success
   Detailed Tracking	Audit Process Termination	Success
   Detailed Tracking	Audit Token Right Adjusted	Success
   DS Access	Audit Directory Service Access	Success
   DS Access	Audit Directory Service Changes	Success
   Logon/Logoff	Audit Account Lockout	Success and Failure
   Logon/Logoff	Audit Logoff	Success and Failure
   Logon/Logoff	Audit Logon	Success and Failure
   Logon/Logoff	Audit Network Policy Server	Success and Failure
   Logon/Logoff	Audit Other Logon/Logoff Events	Success and Failure
   Logon/Logoff	Audit Special Logon	Success and Failure
   Policy Change	Audit Audit Policy Change	Success and Failure
   Policy Change	Audit Authentication Policy Change	Success and Failure
   Policy Change	Audit Authorization Policy Change	Success and Failure
   Policy Change	Audit MPSSVC Rule-Level Policy Change	Success
   Privilege Use	Audit Sensitive Privilege Use	Success and Failure
   System	Audit IPsec Driver	Success
   System	Audit Other System Events	Success and Failure
   System	Audit Security State Change	Success and Failure
   System	Audit Security System Extension	Success and Failure
   System	Audit System Integrity	Success and Failure

4. In the same Group Policy, enable these command-line policies:

   Note: These configuration options do not appear unless the domain functional level is Windows Server 2012 R2 or higher. See Active Directory Domain Services Functional Levels in Windows Server for more information.

   • Navigate to Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation, and then set Include command line in process creation events to Enabled.

     

   • Navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, and then set Turn on PowerShell Script Block Logging to Enabled.

     

5. Close the Group Policy Management Editor window after completing all audit and command-line policy changes.

6. In the navigation pane, select AWN Audit Policy.

7. Click the Settings tab.

8. Compare the policy configuration settings to the audit policy settings you edited earlier in this procedure.

   Note: Even if the settings here are correct, they may not have been applied yet.

9. Verify that the AD audit settings were applied by running auditpol.exe /get /category:* on every domain controller in your environment. Review the results of the command against the settings from above. If the results are incorrect or return No Auditing:

   1. Run gpupdate /force, followed by auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
   2. Navigate back to Audit Policies and complete the following steps for those that did not update:

      Note: You do not need to follow this procedure for every policy. You only need to do this for one policy.

      1. Deselect the applicable checkboxes, and then click Apply.
      2. Reselect the appropriate checkboxes, and then click Apply.
      3. Run gpupdate /force.
      4. Run auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
   3. Run gpresult /h auditsettings.html and send the HTML file that is created to Arctic Wolf for further investigation.

Enforce the Arctic Wolf GPO Advanced Audit Policy Direct link to this section

1. Right-click your Arctic Wolf GPO Audit Policy, and select Enforced if it is not already selected.

2. Verify that a lock overlay appears in the policy icon.

   This confirms that the Audit Policy is enforced on the domain.

Set the precedence of an Advanced Audit Policy Direct link to this section

The Arctic Wolf GPO requires precedence over other GPOs.

1. In the navigation pane, click Forest: <DomainName>, where <DomainName> is the name of your domain.
2. Click the Group Policy Inheritance tab.
3. In the GPO column, locate your GPO, and then click and drag it to the top of the list.
4. In the Precedence column, verify that your GPO is 1 (Enforced).
5. Close the Group Policy Management window.

Update the domain controller Group Policy Direct link to this section

1. Click Start > Windows PowerShell or Command Prompt.

2. Run the following command:

   gpupdate /force

   Note: If you are prompted to sign off or restart after the user and computer policy updates complete, press N and then press Enter.

3. Close Windows PowerShell or the Command Prompt. The audit settings are now successfully applied with Group Policy.

Review your log settings Direct link to this section

After updating audit settings, review log settings to ensure that they align with your company best practices. Microsoft recommends specific settings for:

• Newer versions of Windows
• Older versions of Windows