Share via

Security Auditing Overview

Updated: August 15, 2012

Applies To: Windows 8, Windows Server 2012

This technical overview for the IT professional describes the security auditing features in Windows 8 and Windows Server 2012 and how your organization can benefit from using these technologies to enhance the security and manageability of your network.

Did you mean…

Security Policy

Event Viewer

Feature description

Security auditing is a powerful tool to help maintain the security of an enterprise. Auditing can be used for a variety of purposes – forensic analysis, regulatory compliance, monitoring user activity, and troubleshooting. Industry regulations in various countries or regions require enterprises to implement a strict set of rules related to data security and privacy. Security audits can help implement such policies and prove that these policies have been implemented. Also, security auditing can be used for forensic analysis and help administrators detect anomalous behavior, identify and mitigate gaps in security policies, and deter irresponsible behavior by tracking critical user activities

Practical applications

You can use Windows security and system logs to record and store security events tracking key system and network activities associated with potentially harmful behaviors and to mitigate those risks. You can enable auditing based on categories of security events such as:

  • Changes to user account and resource permissions.

  • Failed attempts by users to log on.

  • Failed attempts to access resources.

  • Changes to system files.

In Windows Server 2008 R2 and Windows 7, the number of security audit policy settings was increased from nine to 53, and all auditing capabilities were integrated with Group Policy. This allows administrators to configure, deploy, and manage a wide range of settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). Windows Server 2008 R2 and Windows 7 made it easier for IT professionals to track when precisely defined, significant activities take place on the network. For more information, see Advanced Security Audit Policy Settings.

New and changed functionality

In Windows Server 2012, changes to security auditing have been introduced to:

  • Reduce the volume of audits. Windows Server 2012 enables you to target audit policies to specific files and users based on resource attributes and user and device claims.

  • Improve the manageability of audit policies. The introduction of Global Object Access Auditing in Windows Server 2008 R2 provided an effective means for enforcing application of security audit policy on resources. Combining Global Object Access Auditing with claims and Dynamic Access Control allows you to take this global enforcement mechanism and apply it to a more precise set of activities of potential interest.

  • Improve ability to locate critical security audit data. In Windows Server 2012 enhances existing data access events by logging additional information regarding user, computer, and resource claims. This makes it easier for event collection and analysis tools to be configured to get the most relevant event data quickly.

  • Enable security auditing of removable storage devices. The growing popularity of removable storage devices makes their attempted use a significant security concern that needs to be monitored.

Dynamic claim-based auditing leads to more precise and easier-to-manage audit policies. It enables scenarios that until now were impossible or too difficult to configure. In addition to these improvements we have added new audit events and categories for tracking changes to Dynamic Access Control (DAC) policy elements, including:

  • Changes to resource attributes on files.

  • Changes to central access policies associated with files

  • User and device claims.

  • Changes to user and device claims and resource property definitions.

  • Changes to central access policy and central access rule definitions.

The following are examples of audit policies that administrators can author:

  • Anyone without a “High” security clearance who attempts to access documents classified as High Business Impact (HBI). For example, Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High.

  • Audit all vendors when they access documents related to projects that they are not working on. For example, Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project.

These policies help regulate the volume of audit events and limit them to only the most relevant data or users.

To provide a full view of events across the organization, Microsoft is working with partners to provide event collection and analysis tools, such as Microsoft System Center.

For more information, see What's New in Security Auditing.

Managing security auditing

To use security auditing, you need to configure the system access control list (SACL) for an object, and apply the appropriate security audit policy to the user or computer. For more information, see Managing Security Auditing.

See also

Content type References

Product evaluation

What's New in Security Auditing


Not yet available


Dynamic Access Control: Scenario Overview


Using Windows 8 Advanced Security Auditing Options to Monitor Dynamic Access Control Objects


Not yet available

Tools and settings

Not yet available

Community resources

Advanced Security Auditing in Windows 7 and Windows Server 2008 R2

Related technologies

Active Directory Domain Services