Active Directory and AD Group Policy are foundational elements of any Microsoft Windows environment because of the critical role they play in account management, authentication, authorization, access management and operations. Accordingly, proper Active Directory auditing is essential for both cybersecurity and regulatory compliance. For example, organizations need to know who created new accounts and keep a close eye on access rights by reviewing changes to the membership of user and administrative groups.
However, Active Directory does not audit all security events by default — you must explicitly enable auditing of important events so that they are recorded in the Security event log. This article provides recommendations for setting up auditing in your Active Directory environment, using the Netwrix Audit Policy Best Practices as a reference.
Getting Started with AD Auditing
Using Audit Policy
To specify which system events and user activity to track, you use the Audit Policy settings in Active Directory Group Policy. Basically, you determine which types of events you want to audit and specify the settings for each one. For instance, you can log all events when a user account is disabled or a bad password is entered.
Like other Group Policy settings, auditing is configured using the Group Policy Management Editor (GPME) tool in the Group Policy Management console (GPMC). Note that by default for devices that are joined to a domain, audit settings for the event categories are set at relatively low minimum level and should be refined. On domain controllers, auditing is often enhanced but not necessarily to the level that you want to track by default.
To audit Active Directory, you can use either the basic (local) security audit policy settings or the advanced security audit policy settings, which enable more granularity. Microsoft does not recommend using both, since that can lead to “unexpected results in audit reporting.” In most cases, when you turn the Advanced auditing on, legacy auditing will be ignored, even if you later turn the Advanced Auditing off. As such, it is recommended to use Advanced auditing if you are not currently performing any auditing.
- Basic policies can be set by going to Computer Configuration > Policies à Windows Settings > Security Settings > Local Policies à Audit Policy.
- Advanced policy settings can be found under Computer Configuration > Policies à Windows Settings > Advanced Audit Policy Configuration > Audit Policies.
Audit policy scope
You can define auditing policies for both the entire domain and individual organizational units (OUs). Note that a setting configured at the OU level has higher priority than a domain-level setting and will override it in case of conflicts. You can check the resulting policies using the auditpol command-line utility.
Configuring the Security log
You’ll also need to specify the maximum size and other properties of the Security log using the Event Logging policy settings. To change settings via GPME, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log and double-click the policy name, such as “Maximum security log size policy” or “Retain security log”. According to Microsoft, the recommended maximum log size for modern OS versions is 4Gb, and the recommended maximum total size for all logs is 16Gb. You can view the logs with Event Viewer.
Which AD security log events to track
The key to effective auditing is knowing which events to log. If you track too many events, your logs will be so full of noise that they’ll be hard to analyze and they’ll overwrite themselves quickly. But if you fail to track critical events, you’ll be unable to detect malicious activity and investigate security incidents. Here are the recommended events to track to strike the right balance.
Audit account logon events
To detect unauthorized attempts to log in to a domain, it is necessary to audit logon events — both successful and failed. Audit account logon events provides a way to track authentication events, such as NTLM and Kerberos authentication. It should not be confused with Audit logon events, which defines the auditing of every user attempt to log on to or log off from a computer, as explained in the next section.
Here are the recommended settings for the advanced Audit account logon events policy:
- Audit Credential Validation: Failure
- Audit Kerberos Authentication Service: Success, Failure
- Audit Kerberos Service Ticket Operations: Failure
- Audit Other Account Logon Events: Success, Failure
Note that logoff events are not tracked on domain controllers, unless you are actually logging into that specific Domain Controller.
Audit logon events
This policy can record all successful and failed attempts to log on or off a local computer, whether by using a domain account or a local account. This information is useful for intruder detection and post-incident forensics. Microsoft provides descriptions of the various event IDs that can be logged.
The minimum recommended advanced settings are:
- Audit Account Lockout: Success, Failure
- Audit Group Membership: Success
- Audit Logoff: Success, Failure
- Audit Logon: Success, Failure
- Audit Special Logon: Success, Failure
Carefully monitoring all changes to user accounts helps minimize the risk of business disruption and system unavailability.
At a minimum, it is recommended to set the basic Audit account Management policy to “Success”. If you are using Advanced audit policies, set them as following:
- Audit Application Group Management: Success, Failure
- Audit Computer Account Management: Success
- Audit Distribution Group Management: Success
- Audit Other Account Management Events: Success
- Audit Security Group Management: Success
- Audit User Account Management: Success, Failure
Directory service access
Monitor this only if you need to see when someone accesses an AD object that has its own system access control list (for example, an OU). In that case, it is recommended to configure the following settings:
- Audit Directory Service Access: Success, Failure
- Audit Directory Service Changes: Success, Failure
Audit this only if you need to see when someone used privileges to access, copy, distribute, modify or delete files on file servers. Enabling this setting can generate a large volume of Security log entries, so use it only if you have a specific use for that data. The recommended advanced settings are:
- Audit Detailed File Share: Failure
- Audit File Share: Success, Failure
- Audit Other Object Access Events: Success, Failure
- Audit Removable Storage: Success, Failure
Improper changes to a GPO can lead to security incidents and violations of data privacy mandates. To reduce your risk, set up following advanced settings:
- Audit Policy Change: Success, Failure
- Audit Authentication Policy Change: Success, Failure
- Audit MPSSVC Rule-Level Policy Change: Success, Failure
- Audit Other Policy Change Events: Failure
Turn this on only if you want to track each instance of user privileges being used. Enabling this policy can generate a large volume of entries in your Security logs, so do so only if you have a specific use for that data. To enable this policy, configure the following:
- Audit Sensitive Privilege Use: Success, Failure
Process tracking (sometimes called Detailed Tracking)
Available only in advanced audit policy, this setting is focused on process-related audit events, such as process creation, process termination, handle duplication and indirect object access. It can be useful for incident investigations, but it can generate a large volume of entries in your Security logs, so enable it only if you have a specific use for the data. The recommended settings are:
- Audit PNP Activity: Success
- Audit Process Creation: Success
It is wise to log all attempts to start, shut down or restart of a computer, as well as all attempts by a process or program to do something that it does not have permissions to do, such as malicious software trying to change settings on your computer. Recommended advanced settings are:
- Audit Security State Change: Success, Failure
- Audit Other System Events: Success, Failure
- Audit System Integrity: Success, Failure
- Audit Security System Extension: Success
Conclusion and next steps
Setting up the correct audit policies is a great start — but it’s only half the battle. You also need to be able to analyze the logs. Unfortunately, modern IT environments are so complex and busy that logs often become too large to sift through effectively, and the audit log can even overwrite itself. Single-purpose software tools can help with particular tasks, but the resulting patchwork of solutions hurt system performance without delivering the broad and deep visibility you need.
Netwrix Auditor efficiently monitors Active Directory and Group Policy changes, logon activity and configuration states, and puts actionable data about who did what in your Active Directory at your fingertips throughout-of-the-box and custom reports and alerts. The interactive search enables you to find the information you need in an instant, while the behavior anomaly discovery and risk assessment capabilities take AD security to the new level. With the two-tiered data storage, you can retain your audit trail as long as required in the long-term archive, while keeping recent audit events readily available for quick access. Netwrix Auditor can even configure proper audit settings automatically during installation, taking the burden of audit setup off your shoulders.