Fine Tune Your Security Audit Policies

**Security Tip of the Month – August 2008**

By Brian Lich, Technical Writer, Microsoft Corporation

If you have ever had to implement a security auditing policy for your organization, you know how frustrating it can be to filter out the noise and record only what is important to your organization. In previous versions of the Windows® operating system, audit policies were configured as all or nothing. For example, if you wanted to track account logons on a domain controller, you had to enable the “Audit Account Logon Events” category. This category audits both logon and logoff events and, especially on a domain controller, has the potential to generate many entries.

The Windows Vista® and Windows Server® 2008 operating systems introduce an expanded auditing policy feature that allows you to granularly configure the audit events recorded on a computer. Expanded auditing policies are configured by using auditpol.exe from the command prompt. You can add the auditpol commands to a startup script in a Group Policy Object and configure the audit policies for all computers on your network at once.

Here are a few examples of how to use auditpol.exe to configure your expanded auditing policy:

  • View the current audit policy settings applied to your computer: `auditpol /get /category:*`
  • Enable a subcategory for success and failure attempts: `auditpol /set /subcategory:"<name of subcategory>" /success:enable /failure:enable`
  • Retrieve the full list of subcategories: `auditpol /list /subcategory:*`
  • Back up expanded audit policy settings to a text file: `auditpol /backup /file:auditpolicy.txt`
  • Clear the audit policy settings: `auditpol /clear`

Note: Some conflicts may arise if you are running a mixed environment with operating systems that support expanded auditing policies (e.g. Windows Vista and Windows Server 2008) and earlier operating systems that do not offer this feature. By default, legacy domain audit policies will overwrite the expanded Group Policy settings. To avoid this, you must enable the “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” found in Computer Configuration => Windows Settings => Local Policies => Security Options of a Group Policy Object.
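The commands listed above and the override setting from the note, combined into one startup-script style example. This is an added example, not code from the original column or from Microsoft: it backs up the current policy, enables only the subcategories that answer "who logged on and which attempts failed" instead of an entire category, confirms that the subcategory override is enforced, and prints the resulting settings. It assumes an elevated session on Windows Vista / Windows Server 2008 or later; the subcategory names used (`Logon`, `Account Lockout`, `Special Logon`, `Credential Validation`, `Logoff`) are those returned by `auditpol /list /subcategory:*` on those builds, and the `/r` switch (CSV output) and the `SCENoApplyLegacyAuditPolicy` registry value that backs the "Audit: Force audit policy subcategory settings" option are not mentioned on this page, so verify both on your own systems before deploying.

```powershell
# Added example, not part of the original column.
# Assumes an elevated PowerShell session on Windows Vista / Server 2008 or later.
# Confirm the subcategory names with: auditpol /list /subcategory:*
$ErrorActionPreference = 'Stop'

function Backup-AuditPolicy {
    # Keep a restorable copy before changing anything (auditpol /restore /file:<path> reverts it).
    $dir = Join-Path $env:ProgramData 'AuditPolicy'
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    $file = Join-Path $dir ('auditpolicy-{0:yyyyMMdd-HHmmss}.txt' -f (Get-Date))
    & auditpol.exe /backup "/file:$file" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed with exit code $LASTEXITCODE" }
    return $file
}

function Set-GranularAuditPolicy {
    param([hashtable[]]$Desired)
    # One auditpol /set call per subcategory; a failure on one entry does not stop the rest.
    foreach ($entry in $Desired) {
        & auditpol.exe /set "/subcategory:$($entry.Name)" `
            "/success:$($entry.Success)" "/failure:$($entry.Failure)" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Could not set '$($entry.Name)' (exit code $LASTEXITCODE)"
        }
    }
}

function Test-AuditOverrideEnforced {
    # The GPO option "Audit: Force audit policy subcategory settings (Windows Vista or later)
    # to override audit policy category settings" is stored as this LSA value (1 = enabled).
    # Without it, category-level policy from a legacy domain GPO overwrites the
    # subcategory settings applied above. Value name is an assumption not stated on the page.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $prop = Get-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.SCENoApplyLegacyAuditPolicy -eq 1)
}

function Get-AuditSubcategoryState {
    param([string[]]$Names)
    # /r gives CSV output (Machine Name, Policy Target, Subcategory, Subcategory GUID,
    # Inclusion Setting, Exclusion Setting); skip blank lines before parsing.
    & auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        Where-Object { $Names -contains $_.Subcategory } |
        Select-Object Subcategory, 'Inclusion Setting'
}

# Desired state: audit logons and lockouts fully, failed credential validation only,
# privileged (special) logon success only, and nothing for plain logoff noise.
$desired = @(
    @{ Name = 'Logon';                 Success = 'enable';  Failure = 'enable'  },
    @{ Name = 'Account Lockout';       Success = 'enable';  Failure = 'enable'  },
    @{ Name = 'Special Logon';         Success = 'enable';  Failure = 'disable' },
    @{ Name = 'Credential Validation'; Success = 'disable'; Failure = 'enable'  },
    @{ Name = 'Logoff';                Success = 'disable'; Failure = 'disable' }
)

$backup = Backup-AuditPolicy
Write-Host "Previous policy saved to $backup"

Set-GranularAuditPolicy -Desired $desired

if (-not (Test-AuditOverrideEnforced)) {
    Write-Warning 'Subcategory override is not enforced; a legacy category-level domain policy can undo these settings on the next refresh.'
}

$names = @($desired | ForEach-Object { $_.Name })
Get-AuditSubcategoryState -Names $names | Format-Table -AutoSize
```

Run it once interactively to confirm the subcategory names resolve on your build, then deploy it as a computer startup script in the GPO as the column describes. Keeping the backup file lets you revert a noisy change with `auditpol /restore /file:<path>` rather than rebuilding the policy by hand.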

Additional Resources

  • All of the new subcategories are documented in the Audit Policy section of the Threats and Countermeasures Guide.
  • For more guidance on using Group Policy to configure expanded auditing policies, see Knowledge Base Article ID 921469 available on the Microsoft Help and Support Web site.