Windows Audit Policy

Anonymous
2023-10-17T13:44:14+00:00

I did not set up any audit policies for my domain controllers and member servers (neither group policy nor local security policy). However, events are being recorded in Windows Event Viewer.

What kind of events are recorded by default, and where can I see the default settings?

I am using Windows Server 2019 Datacenter (AWS EC2 instances).


This question was migrated from the Microsoft Support Community.

Accepted answer
  1. Anonymous
    2023-10-23T02:17:34+00:00

    The default audit policy settings are indeed part of the Windows Server operating system. They are not hardcoded, but they are set to sensible defaults that provide a balance between security and performance.

    You can view and modify these settings using the Group Policy Management Editor. Here’s how you can do it:

    1. Open Server Manager.
    2. Go to Tools > Group Policy Management.
    3. Expand Domain Controllers Policy.
    4. Right-click on Default Domain Controllers Policy and select Edit.
    5. Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    This will show you the current audit policy settings. If nothing is configured, it means the settings are at their defaults. You can change these settings as needed for your environment.

    Step-By-Step: Enabling Advanced Security Audit Policy via Directory Services Access (microsoft.com)

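The Group Policy editor shows only what a policy object configures. To list the audit settings actually in effect on a server, the built-in `auditpol.exe` can be queried from an elevated PowerShell prompt. The script below is an added example, not part of the original thread; the function name `Get-EffectiveAuditPolicy` is hypothetical, and the `'No Auditing'` comparison assumes an English-language installation.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): list the audit policy actually in effect.

function Get-EffectiveAuditPolicy {
    # Hypothetical helper name. /r makes auditpol.exe emit CSV instead of a table.
    $raw = & auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol.exe exited with code $LASTEXITCODE (elevation is required)"
    }
    $raw |
        Where-Object { $_ -and $_.Trim() } |      # drop blank lines in the output
        ConvertFrom-Csv |
        Where-Object { $_.Subcategory } |         # keep only subcategory rows
        ForEach-Object {
            [pscustomobject]@{
                Subcategory = $_.Subcategory
                Guid        = $_.'Subcategory GUID'
                Setting     = $_.'Inclusion Setting'
                # Assumption: English OS, where a disabled subcategory reads 'No Auditing'.
                Audited     = $_.'Inclusion Setting' -ne 'No Auditing'
            }
        }
}

$policy  = @(Get-EffectiveAuditPolicy)
$audited = @($policy | Where-Object Audited)

# Subcategories that currently generate Security log events.
$audited | Sort-Object Subcategory | Format-Table Subcategory, Setting -AutoSize

'{0} of {1} subcategories are audited on {2}' -f $audited.Count, $policy.Count, $env:COMPUTERNAME

# A local advanced audit policy, if one was ever defined, is stored in this file.
$localCsv = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
'Local advanced audit policy file present: {0}' -f (Test-Path -LiteralPath $localCsv)
```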

2 additional answers

  1. Anonymous
    2023-10-18T01:18:20+00:00

    Hello

    Thank you for posting in Microsoft Community forum!

    Windows Server 2019 Datacenter, like other Windows Server versions, has a set of default audit policy settings. These settings determine which events are recorded in the Windows Event Viewer. The default audit policy settings, baseline recommended audit policy settings, and the more aggressive recommendations from Microsoft for workstation and server products are addressed in the Microsoft Security Compliance Manager tool.

    The following baseline audit policy settings are recommended for normal security computers that are not known to be under active, successful attack by determined adversaries or malware.

    To view these settings, you can follow these steps:

    1. Load Group Policy Management Editor using Server Manager > Tools > Group Policy Management.
    2. Expand Domain Controllers Policy.
    3. Right-click on Default Domain Controllers Policy and select Edit.
    4. Go to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.

    Please note that these are just starting points and each organization must make its own decisions regarding the threats they face, their acceptable risk tolerances, and what audit policy categories or subcategories they should enable. It’s recommended to start with these settings and then modify and test them prior to implementing in your production environment.

    For more detailed information about the default audit policies and recommendations for Windows Server 2019 Datacenter, you can refer to the Audit Policy Recommendations | Microsoft Learn and 4sysops.com. These resources provide comprehensive guides on configuring the audit policy for your specific needs.

  2. Anonymous
    2023-10-22T09:26:16+00:00

    Hi,

    Thanks for your response.

    Where can I see the default audit policy settings?

    When I check local policy and group policy on my server, I can see nothing is configured. Are these settings hardcoded into the Windows OS itself?