Configure an Arctic Wolf GPO Advanced Audit Policy

To capture security and operational events on Windows servers using AD Sensor, you must configure audit policies for each domain to generate events in the Windows Event Log. These policy settings generate events that give your Concierge Security® Team (CST) visibility into your Windows environment.

When you configure the Arctic Wolf® Group Policy Object (GPO) Advanced Audit Policy using the Group Policy Management Console (GPMC), advanced security audit policy settings apply to all clients and servers in your domain.

These resources are required:

  • Windows Server 2008 R2 and newer

These actions are required:

  • Make sure you have an audit policy configured for each domain to generate events in the Windows Event Log. This enables Arctic Wolf to monitor security and operational events on your Windows server.
  • Make sure that there are no other auditing policies linked to the domain, site, or other organizational units defined at the Domain Controller (DC) to prevent a conflict with the Arctic Wolf Advanced Audit Policy controls.
Open or create an Arctic Wolf GPO Advanced Audit Policy

  1. Click Start, and then open the GPMC.
  2. In the navigation menu, click Forest: <DomainName>, where DomainName is the name of your domain, and then click the Domains folder.
  3. Right-click the domain name. If you:
    • Already have an AD Sensor GPO — Select Link an Existing GPO, and then click Edit.
    • Do not have an existing AD Sensor GPO — Create a new GPO:
      1. Select Create a GPO in this domain, and Link it here.
      2. In the New GPO dialog box, enter a name for the new GPO.
      3. Verify that the Source Starter GPO menu says (none).
      4. Click OK.
        Tip:

        To assign a security group and make sure that Agent is deployed to the correct group of computers, see Assign Security Group Filters to the GPO.

      5. Right-click the new GPO, and then click Enforced to enable it.

        The GPO is enabled. A lock appears on the GPO icon in the navigation menu.

      6. Right-click the new GPO, and then select Edit.

Configure Advanced Audit Policy settings

  1. Set the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy to Enabled:
    1. In the Group Policy Management Editor navigation menu, click Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.
    2. Right-click Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings, and then select Properties.
    3. Click the Security Policy Setting tab.
    4. Select the Define this policy setting checkbox, and then select Enabled.
    5. Click OK.

      See the Microsoft documentation for this security option for more information.

  2. In the Group Policy Management Editor, in the navigation menu, click Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
    Tip:

    Resize the window and enable tree view to completely view the policy tree.

    [Figure: Audit Policy location in the Group Policy Management Editor]

  3. Edit the audit policy settings:
    1. In the Audit Policies section, select the category. For example, Account Logon.
    2. Double-click the corresponding subcategory. For example, Audit Credential Validation.
    3. Edit the policy setting as indicated in the table.
    4. Verify that each setting has these checkboxes selected:
      • Configure the following audit events
      • Success or Failure, according to the Audit Events listed in the table.

    This table lists the policy setting checkboxes to select:

    Category           | Subcategory                              | Audit event settings
    -------------------|------------------------------------------|---------------------
    Account Logon      | Audit Credential Validation              | Success and Failure
    Account Logon      | Audit Kerberos Authentication Service    | Success and Failure
    Account Logon      | Audit Kerberos Service Ticket Operations | Success and Failure
    Account Logon      | Audit Other Account Logon Events         | Success and Failure
    Account Management | Audit Computer Account Management        | Success and Failure
    Account Management | Audit Other Account Management Events    | Success and Failure
    Account Management | Audit Security Group Management          | Success and Failure
    Account Management | Audit User Account Management            | Success and Failure
    Detailed Tracking  | Audit DPAPI Activity                     | Success
    Detailed Tracking  | Audit Process Creation                   | Success
    Detailed Tracking  | Audit Process Termination                | Success
    Detailed Tracking  | Audit Token Right Adjusted               | Success
    DS Access          | Audit Directory Service Access           | Success
    DS Access          | Audit Directory Service Changes          | Success
    Logon/Logoff       | Audit Account Lockout                    | Success and Failure
    Logon/Logoff       | Audit Logoff                             | Success and Failure
    Logon/Logoff       | Audit Logon                              | Success and Failure
    Logon/Logoff       | Audit Network Policy Server              | Success and Failure
    Logon/Logoff       | Audit Other Logon/Logoff Events          | Success and Failure
    Logon/Logoff       | Audit Special Logon                      | Success and Failure
    Object Access      | Audit Detailed File Share                | Success and Failure
    Policy Change      | Audit Audit Policy Change                | Success and Failure
    Policy Change      | Audit Authentication Policy Change       | Success and Failure
    Policy Change      | Audit Authorization Policy Change        | Success and Failure
    Policy Change      | Audit MPSSVC Rule-Level Policy Change    | Success
    Privilege Use      | Audit Sensitive Privilege Use            | Success and Failure
    System             | Audit IPsec Driver                       | Success
    System             | Audit Other System Events                | Success and Failure
    System             | Audit Security State Change              | Success and Failure
    System             | Audit Security System Extension          | Success and Failure
    System             | Audit System Integrity                   | Success and Failure

  4. In the same Group Policy, enable these command-line policies:
    Note:

    These configuration options do not appear unless the functional level of the domain is Windows Server 2012 R2 or higher. See Active Directory Domain Services Functional Levels in Windows Server for more information.

    • Click Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation, and then set Include command line in process creation events to Enabled.

      [Figure: Audit Process Creation policy location in the Group Policy Management Editor]

    • Click Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell, and then set Turn on PowerShell Script Block Logging to Enabled.

      [Figure: Windows PowerShell policy location in the Group Policy Management Editor]

  5. Close the Group Policy Management Editor window after completing all audit and command-line policy changes.
  6. In the navigation menu, click AWN Audit Policy.
  7. Click the Settings tab.
  8. Compare the policy configuration settings to the audit policy settings you edited earlier in this procedure.
    Note:

    Even if the settings here are correct, they might not have been applied yet.

  9. Verify that the AD audit settings were applied by running auditpol.exe /get /category:* on every DC in your environment. Review the results of the command against the settings from the previous step. If the results are incorrect or return No Auditing:
    1. Run gpupdate /force, followed by auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
    2. Navigate back to Audit Policies and complete these steps for those that did not update:
      Note:

      You do not need to follow this procedure for every policy. You only need to do this for one policy.

      1. Clear the applicable checkboxes, and then click Apply.
      2. Reselect the appropriate checkboxes, and then click Apply.
      3. Run gpupdate /force.
      4. Run auditpol.exe /get /category:* again. If the results are still incorrect, proceed to the next step.
    3. Run gpresult /h auditsettings.html and send the HTML file that is created to Arctic Wolf for further investigation.
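The comparison in step 9 can be scripted so that every domain controller is checked the same way. The following is an added example and is not Arctic Wolf's awn_gpo_checker.ps1: it reads the effective audit policy with auditpol and lists each subcategory from the table above whose setting differs, including any that read No Auditing. It assumes English subcategory names as printed by auditpol.

```powershell
# Added example, not Arctic Wolf's awn_gpo_checker.ps1: read the effective audit
# policy on this DC with auditpol and report every subcategory from the table
# above whose setting differs (including "No Auditing"). Run elevated on each DC.

# Table rows by required setting. Keys are auditpol's subcategory names, i.e. the
# GPO names without the "Audit " prefix; the one known naming difference is that
# auditpol lists "Token Right Adjusted" as "Token Right Adjusted Events".
$SuccessAndFailure = 'Credential Validation', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'Other Account Logon Events',
    'Computer Account Management', 'Other Account Management Events',
    'Security Group Management', 'User Account Management', 'Account Lockout',
    'Logoff', 'Logon', 'Network Policy Server', 'Other Logon/Logoff Events',
    'Special Logon', 'Detailed File Share', 'Audit Policy Change',
    'Authentication Policy Change', 'Authorization Policy Change',
    'Sensitive Privilege Use', 'Other System Events', 'Security State Change',
    'Security System Extension', 'System Integrity'
$SuccessOnly = 'DPAPI Activity', 'Process Creation', 'Process Termination',
    'Token Right Adjusted Events', 'Directory Service Access',
    'Directory Service Changes', 'MPSSVC Rule-Level Policy Change', 'IPsec Driver'

$Expected = @{}
$SuccessAndFailure | ForEach-Object { $Expected[$_] = 'Success and Failure' }
$SuccessOnly       | ForEach-Object { $Expected[$_] = 'Success' }

# /r makes auditpol emit CSV with the columns Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$Actual = auditpol.exe /get /category:* /r |
    Where-Object { $_ -match ',' } | ConvertFrom-Csv

$Seen = @{}
$Mismatches = @(foreach ($row in $Actual) {
    $want = $Expected[$row.Subcategory]
    if ($null -eq $want) { continue }          # subcategory not in the table
    $Seen[$row.Subcategory] = $true
    if ($row.'Inclusion Setting' -ne $want) {  # exact match, as the table states
        [pscustomobject]@{ Subcategory = $row.Subcategory; Expected = $want
                           Actual = $row.'Inclusion Setting' }
    }
})
# A table row that auditpol never reported is also a finding (name mismatch).
foreach ($name in $Expected.Keys | Where-Object { -not $Seen[$_] }) {
    $Mismatches += [pscustomobject]@{ Subcategory = $name
                                      Expected = $Expected[$name]; Actual = '(not reported)' }
}
if ($Mismatches) { $Mismatches | Format-Table -AutoSize; exit 1 }
'All subcategories in the table match on this DC.'
```

A non-zero exit code with a mismatch table means the GPO has not applied on that DC, so continue with the gpupdate and checkbox steps above before escalating.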

Enforce the Arctic Wolf GPO Advanced Audit Policy

Enabling this option ensures that the policy settings defined in a higher-level GPO take precedence, preventing any lower-level GPOs within Active Directory from overriding them.

When multiple GPOs are linked to the same site, domain, or organizational unit (OU), and have the Enforced option enabled, the GPO with the highest link order and enforcement takes priority.

For more information, see Group Policy processing.

Right-click your Arctic Wolf GPO Audit Policy, and then select Enforced.
A lock appears on the GPO icon indicating that it is enforced.

Set the precedence of an Advanced Audit Policy

The Arctic Wolf GPO requires precedence over other GPOs.

  1. In the navigation menu, click Forest: DomainName, where DomainName is the name of your domain, and then click the Domains folder.
  2. Click the Linked Group Policy Objects tab.
  3. In the GPO column, locate and click the Arctic Wolf GPO, and then use the up and down arrows to move the GPO to the top of the list.
  4. Verify that the Arctic Wolf GPO has these settings:
    • Link Order: 1.
    • Enforced: Yes.
  5. Close the Group Policy Management window.
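The Link Order and Enforced values can also be read from the domain root link without opening the GPMC. This is an added example, not part of the Arctic Wolf procedure; it uses the GroupPolicy and ActiveDirectory modules present on a domain controller, and the GPO display name AWN Audit Policy is assumed to be the name you chose when creating the GPO.

```powershell
# Added example (not Arctic Wolf's procedure): confirm the audit GPO is linked at
# the domain root with Link Order 1 and Enforced = Yes. Requires the GroupPolicy
# and ActiveDirectory modules (present on a DC or with RSAT installed).
$GpoName  = 'AWN Audit Policy'                  # assumed display name of your GPO
$DomainDn = (Get-ADDomain).DistinguishedName

# GpoLinks lists every GPO linked at the target with its Order/Enforced/Enabled.
$Link = (Get-GPInheritance -Target $DomainDn).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }

if (-not $Link) {
    Write-Warning "GPO '$GpoName' is not linked at $DomainDn"
} elseif ($Link.Order -ne 1 -or -not $Link.Enforced -or -not $Link.Enabled) {
    $msg = "GPO '{0}' is linked but Order={1}, Enforced={2}, Enabled={3}; " +
           "expected Order=1, Enforced=True, Enabled=True"
    Write-Warning ($msg -f $GpoName, $Link.Order, $Link.Enforced, $Link.Enabled)
} else {
    "GPO '$GpoName' has Link Order 1 and is enforced at the domain root."
}
```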

Update the domain controller Group Policy

  1. Click Start > Windows PowerShell or Command Prompt.
  2. Run this command:
    gpupdate /force
    Note:

    If you are prompted to sign off or restart after the user and computer policy updates complete, press N, and then press Enter.

  3. Close Windows PowerShell or the Command Prompt.

    The audit settings are now successfully applied with Group Policy.

Validate the GPO Audit Policy against Arctic Wolf recommendations

You can run the Arctic Wolf PowerShell script awn_gpo_checker.ps1 to validate your GPO Audit Policy against Arctic Wolf's recommended settings. The script does not make any changes to your environment configuration.

The awn_gpo_checker.ps1 script compares the GPO Audit Policy to Arctic Wolf policy recommendations. For any failed tests, remediation steps for any misconfigured settings are displayed in the terminal and in the text file AWN_GPO_Results.txt.

This script is code signed and is compatible with non-English versions of Windows.

Note:

For the script to run correctly:

  • The script requires Administrator permissions.
  • The script should be run on at least one domain controller for each domain in your environment.
  1. Download awn_gpo_checker.zip.
  2. Unzip the script.
  3. Open a PowerShell terminal with Administrator permissions and go to the location of the unzipped script.
  4. Run the script by entering this command:
    .\awn_gpo_checker.ps1
    Note:

    With Administrator permissions, you can also run the script in PowerShell ISE.

    The script displays the results in the terminal and creates this file:
    • AWN_GPO_Results.txt
  5. Reconfigure the GPO Audit Policy configuration for any failed tests based on the remediation steps displayed in the script output.
  6. Re-run the script to make sure that all tests pass after making changes to the GPO.
  7. If there are any failures or you need any further assistance with the GPO Audit Policy settings, attach the AWN_GPO_Results.txt file to your ticket.