GPO Advanced Policy Configuration

Updated Sep 19, 2023

Arctic Wolf GPO Advanced Audit Policy

To capture security and operational events on Windows servers, you must configure audit policies for each domain to generate events in the Windows Event Log. In Windows Server 2008 R2 and newer, the default auditing policies, combined with the Arctic Wolf® recommended settings, generate events that give your Concierge Security® Team (CST) visibility into your Windows environment.

This document describes how to configure a Group Policy Object (GPO) with a default set of Advanced Audit Policy Configuration settings and Arctic Wolf-recommended settings to make sure your Windows host produces the expected set of audit events.

Configure an Arctic Wolf GPO Advanced Audit Policy

The Arctic Wolf GPO Advanced Audit Policy applies advanced security audit policy settings to all computers in your domain.

Requirements

Before you begin

Notes:

Steps

  1. Open or create an Arctic Wolf GPO Advanced Audit Policy.
  2. Configure Advanced Audit Policy settings.
  3. Enforce the Arctic Wolf GPO Advanced Audit Policy.
  4. Set the precedence of an Advanced Audit Policy.
  5. Update domain controller Group Policy.
  6. Review your log settings.

Step 1: Open or create an Arctic Wolf GPO Advanced Audit Policy

  1. From the Start menu, open the Group Policy Management application.

  2. In the navigation menu, click Forest: <DomainName>, where <DomainName> is the name of your domain, and then click the Domains folder.

  3. Right-click the domain name. If you:

    • Already have an Arctic Wolf GPO — Select Link an Existing GPO, and then select Edit.
    • Do not have an existing Arctic Wolf GPO — Create a new GPO:
      1. Select Create a GPO in this domain, and Link it here.
      2. In the New GPO dialog box, enter a name for the new GPO.
      3. Verify that the Source Starter GPO menu says (none).
      4. Click OK to create a new GPO.

        Tip: To assign a security group and ensure that the Agent is deployed to the correct group of computers, see Assign Security Group Filters to the GPO.

      5. Right-click the new GPO, and then click Enforced to enable it.

        Tip: Once enabled, a lock appears over the GPO icon in the navigation menu.

      6. Right-click the new GPO, and then select Edit.

Step 2: Configure Advanced Audit Policy settings

  1. Set the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy to Enabled:

    1. In the Group Policy Management Editor navigation menu, click Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
    2. Right-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then select Properties.
    3. Click the Security Policy Setting tab.
    4. Select the Define this policy setting checkbox, and then select Enabled.
    5. Click OK.

      Tip: See the Microsoft documentation for this security option for more information.

  2. In the Group Policy Management Editor navigation menu, click Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    Tip: Resize the window and enable tree view to completely view the policy tree.


    Audit Policy location in the Group Policy Management Editor
  3. Edit the audit policy settings:

    1. Under Audit Policies, select the category. For example, Account Logon.
    2. Double-click the corresponding subcategory. For example, Audit Credential Validation.
    3. Edit the policy setting as indicated in the table.
    4. Verify that each setting has these checkboxes selected:
      • Configure the following audit events
      • Success, Failure, or both, as listed in the Audit event settings column of the table.

    This table lists the policy setting checkboxes to select:

    Category            Subcategory                                 Audit event settings
    Account Logon       Audit Credential Validation                 Success and Failure
    Account Logon       Audit Kerberos Authentication Service       Success and Failure
    Account Logon       Audit Kerberos Service Ticket Operations    Success and Failure
    Account Logon       Audit Other Account Logon Events            Success and Failure
    Account Management  Audit Computer Account Management           Success and Failure
    Account Management  Audit Other Account Management Events       Success and Failure
    Account Management  Audit Security Group Management             Success and Failure
    Account Management  Audit User Account Management               Success and Failure
    Detailed Tracking   Audit DPAPI Activity                        Success
    Detailed Tracking   Audit Process Creation                      Success
    Detailed Tracking   Audit Process Termination                   Success
    Detailed Tracking   Audit Token Right Adjusted                  Success
    DS Access           Audit Directory Service Access              Success
    DS Access           Audit Directory Service Changes             Success
    Logon/Logoff        Audit Account Lockout                       Success and Failure
    Logon/Logoff        Audit Logoff                                Success and Failure
    Logon/Logoff        Audit Logon                                 Success and Failure
    Logon/Logoff        Audit Network Policy Server                 Success and Failure
    Logon/Logoff        Audit Other Logon/Logoff Events             Success and Failure
    Logon/Logoff        Audit Special Logon                         Success and Failure
    Policy Change       Audit Audit Policy Change                   Success and Failure
    Policy Change       Audit Authentication Policy Change          Success and Failure
    Policy Change       Audit Authorization Policy Change           Success and Failure
    Policy Change       Audit MPSSVC Rule-Level Policy Change       Success
    Privilege Use       Audit Sensitive Privilege Use               Success and Failure
    System              Audit IPsec Driver                          Success
    System              Audit Other System Events                   Success and Failure
    System              Audit Security State Change                 Success and Failure
    System              Audit Security System Extension             Success and Failure
    System              Audit System Integrity                      Success and Failure
  4. In the same Group Policy, enable these command-line policies:

    Note: These two policies are defined in the Administrative Templates (ADMX files) that ship with Windows 8.1 and Windows Server 2012 R2 or later, and they are honored only by hosts running those versions (or earlier versions with the corresponding updates installed). If the policies do not appear in the editor, update the ADMX files on the management host or in the domain's central store (SYSVOL\<domain>\Policies\PolicyDefinitions); the domain functional level does not affect whether they appear.

    • Click Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation, and then set Include command line in process creation events to Enabled.

      Audit Policy location in the Group Policy Management Editor
    • Click Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, and then set Turn on PowerShell Script Block Logging to Enabled.

      Audit Policy location in the Group Policy Management Editor
  5. Close the Group Policy Management Editor window after completing all audit and command-line policy changes.

  6. In the navigation menu, click your Arctic Wolf GPO Advanced Audit Policy (for example, AWN Audit Policy).

  7. Click the Settings tab.

  8. Compare the policy configuration settings to the audit policy settings you edited earlier in this procedure.

    Note: Even if the settings here are correct, they may not have been applied yet.

  9. Verify that the audit settings were applied by running auditpol.exe /get /category:* on every domain controller in your environment, and on at least one member server that is in scope of the GPO. Compare the output with the table in the previous step. If the results are incorrect or return No Auditing:

    1. Run gpupdate /force, followed by auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
    2. Navigate back to Audit Policies and toggle one of the settings that did not update:

      Note: You only need to do this for one policy, not for every policy that did not update. Clearing and reselecting a checkbox rewrites the GPO's audit settings and increments its version number, which makes clients reapply the whole audit policy at the next refresh.

      1. Clear the applicable checkboxes, and then click Apply.
      2. Reselect the appropriate checkboxes, and then click Apply.
      3. Run gpupdate /force.
      4. Run auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
    3. Run gpresult /h auditsettings.html and send the HTML file that is created to Arctic Wolf for further investigation.
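The comparison in items 8 and 9 above, done with auditpol's CSV output instead of by eye, as an added example that is not part of the Arctic Wolf page. It assumes WinRM is enabled on the domain controllers and that you run it as a domain administrator; the expected values are the table from item 3, keyed by the subcategory names auditpol prints (the GPO editor shows the same names with an "Audit " prefix).

```powershell
# Added example, not part of the Arctic Wolf page: compares the effective audit policy
# on every domain controller with the table from Step 2 using auditpol's CSV output (/r).
# Assumptions: WinRM is enabled on the DCs and the script runs as a domain administrator.
# DCs are discovered from the current domain; add member servers to $Targets if they are
# also in scope of the GPO.

# Expected "Inclusion Setting" per subcategory, using auditpol's subcategory names.
$Expected = @{
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Other Account Logon Events'         = 'Success and Failure'
    'Computer Account Management'        = 'Success and Failure'
    'Other Account Management Events'    = 'Success and Failure'
    'Security Group Management'          = 'Success and Failure'
    'User Account Management'            = 'Success and Failure'
    'DPAPI Activity'                     = 'Success'
    'Process Creation'                   = 'Success'
    'Process Termination'                = 'Success'
    'Token Right Adjusted Events'        = 'Success'
    'Directory Service Access'           = 'Success'
    'Directory Service Changes'          = 'Success'
    'Account Lockout'                    = 'Success and Failure'
    'Logoff'                             = 'Success and Failure'
    'Logon'                              = 'Success and Failure'
    'Network Policy Server'              = 'Success and Failure'
    'Other Logon/Logoff Events'          = 'Success and Failure'
    'Special Logon'                      = 'Success and Failure'
    'Audit Policy Change'                = 'Success and Failure'
    'Authentication Policy Change'       = 'Success and Failure'
    'Authorization Policy Change'        = 'Success and Failure'
    'MPSSVC Rule-Level Policy Change'    = 'Success'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'IPsec Driver'                       = 'Success'
    'Other System Events'                = 'Success and Failure'
    'Security State Change'              = 'Success and Failure'
    'Security System Extension'          = 'Success and Failure'
    'System Integrity'                   = 'Success and Failure'
}

function Normalize-Name([string]$Name) {
    # auditpol and the GPO editor differ only in an optional trailing " Events" and case.
    ($Name -replace ' Events$', '').Trim().ToLowerInvariant()
}

function Get-AuditPolicyGap {
    param([Parameter(Mandatory)][string]$ComputerName)
    # auditpol reports the policy of the host it runs on, so run and parse it remotely.
    # /r emits CSV with "Subcategory" and "Inclusion Setting" columns; blank lines are dropped.
    $rows = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    }
    $actual = @{}
    foreach ($r in $rows) { $actual[(Normalize-Name $r.Subcategory)] = $r.'Inclusion Setting' }

    foreach ($name in $Expected.Keys) {
        $want = $Expected[$name]
        $have = $actual[(Normalize-Name $name)]
        if (-not $have) { $have = 'Not reported' }
        # A host auditing both Success and Failure satisfies a Success-only row;
        # "No Auditing", a missing row, or Failure-only is a gap.
        if ($have -ne $want -and $have -ne 'Success and Failure') {
            [pscustomobject]@{ Computer = $ComputerName; Subcategory = $name; Expected = $want; Actual = $have }
        }
    }
}

# Every DC in the current domain (no ActiveDirectory module needed).
$Targets = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
           ForEach-Object Name
$gaps = foreach ($t in $Targets) { Get-AuditPolicyGap -ComputerName $t }

if ($gaps) {
    $gaps | Sort-Object Computer, Subcategory | Format-Table -AutoSize
    Write-Warning 'Run gpupdate /force on the listed hosts and re-run this script; if gaps persist, follow item 9 above.'
} else {
    "All $($Targets.Count) domain controllers match the Arctic Wolf audit table."
}
```

A clean run prints only the summary line; any row in the gap table names the host, the subcategory, and what auditpol actually reports, which is what to send alongside the gpresult report if the toggle-and-reapply workaround in item 9 does not resolve it.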

Step 3: Enforce the Arctic Wolf GPO Advanced Audit Policy

  1. Right-click your Arctic Wolf GPO Advanced Audit Policy, and then select Enforced if it is not already selected.

  2. Verify that a lock overlay appears in the policy icon.

    This confirms that the Audit Policy is enforced on the domain.

Step 4: Set the precedence of an Advanced Audit Policy

The Arctic Wolf GPO requires precedence over other GPOs linked at the domain.

  1. In the navigation menu, expand Forest: <DomainName>, where <DomainName> is the name of your domain, expand the Domains folder, and then click your domain.
  2. Click the Linked Group Policy Objects tab.
  3. Select your GPO, and then use the arrow buttons on the left of the list to move it to Link Order 1.
  4. Click the Group Policy Inheritance tab, and then verify that your GPO has Precedence 1 (Enforced). An enforced link at the domain also takes precedence over non-enforced GPOs linked at child OUs, regardless of their link order.
  5. Close the Group Policy Management window.
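Steps 1, 3 and 4, plus the two Administrative Template policies from Step 2, can also be done with the GroupPolicy module, shown here as an added example that is not part of the Arctic Wolf page. It assumes you run it on a domain controller or an RSAT host as a domain administrator, that the GPO name is an example, and that the current logon domain is the target domain. The Advanced Audit Policy subcategories and the Force audit policy subcategory settings Security Option have no GroupPolicy cmdlet and are still configured in the editor as described in Step 2.

```powershell
# Added example, not part of the Arctic Wolf page: creates or reuses the audit GPO,
# links it at the domain root, enforces it, moves it to Link Order 1 and sets the two
# Administrative Template policies from Step 2 through the registry values they control.
# Assumptions: run on a DC or RSAT host as a domain administrator; $GpoName is an example.
Import-Module GroupPolicy

$GpoName  = 'Arctic Wolf GPO Advanced Audit Policy'                     # example name
$Domain   = $env:USERDNSDOMAIN                                          # e.g. corp.example.com
$DomainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext       # e.g. DC=corp,DC=example,DC=com

# Step 1: reuse an existing GPO, otherwise create one (no Starter GPO source).
$gpo = $null
try { $gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction Stop } catch { }
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain -Comment 'Arctic Wolf recommended audit settings'
}

# Link the GPO at the domain root if it is not linked there already.
$links = (Get-GPInheritance -Target $DomainDn -Domain $Domain).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Guid $gpo.Id -Target $DomainDn -Domain $Domain -LinkEnabled Yes | Out-Null
}

# Steps 3 and 4: enforce the link and make it Link Order 1 (highest precedence at the domain).
Set-GPLink -Guid $gpo.Id -Target $DomainDn -Domain $Domain -Enforced Yes -Order 1 | Out-Null

# Step 2, item 4: "Include command line in process creation events" and
# "Turn on PowerShell Script Block Logging", written as the registry values those
# Administrative Templates control (the editor writes the same values to Registry.pol).
Set-GPRegistryValue -Guid $gpo.Id -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    -ValueName 'ProcessCreationIncludeCmdLine_Enabled' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Guid $gpo.Id -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    -ValueName 'EnableScriptBlockLogging' -Type DWord -Value 1 | Out-Null

# Verify the link state that Steps 3 and 4 check in the console (lock icon, Precedence 1 (Enforced)).
$link = (Get-GPInheritance -Target $DomainDn -Domain $Domain).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
'{0}: Enabled={1} Enforced={2} LinkOrder={3}' -f $link.DisplayName, $link.Enabled, $link.Enforced, $link.Order
```

After this runs, open the GPO in the Group Policy Management Editor to set the Security Option and the Advanced Audit Policy subcategories from Step 2, then apply Step 5 (gpupdate /force) on the hosts you want to check immediately; other hosts pick the GPO up at their next policy refresh.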

Step 5: Update the domain controller Group Policy

  1. Click Start > Windows PowerShell or Command Prompt.

  2. Run this command:

    gpupdate /force

    Note: If you are prompted to sign off or restart after the user and computer policy updates complete, press N, and then press Enter.

  3. Close Windows PowerShell or the Command Prompt.

    The audit settings are now successfully applied with Group Policy.

Step 6: Review your log settings