**The Audit Policies Nobody Configures**
In Part 1, we looked at why relying on a single telemetry source is a recipe for blind spots. Now let's get practical. Windows has a rich set of security auditing capabilities…
# Best Practices: Windows Security Event Logging
## Overview
This guide focuses on moving beyond default Windows logging to establish a robust detection foundation. By transitioning from legacy local policies to **Advanced Audit Policy Configuration**, organizations can achieve granular visibility into lateral movement, account misuse, and process execution patterns.
## Key Recommendations
### Immediate Actions
1. **Switch to Advanced Auditing:** Navigate to `Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration` to gain granular control.
2. **Enable Command Line Auditing:** Activate "Include command line in process creation events" via Group Policy or Registry to see the specific arguments used by attackers.
3. **Audit Logon Success/Failure:** Ensure Event ID 4624 (Logon Success) and 4625 (Logon Failure) are captured across the environment so that session types (e.g., Network vs. Interactive) can be tracked.
### Short-term Improvements (1-3 months)
1. **Implement Process Tracking:** Enable Event ID 4688 (Process Creation) and 4689 (Process Termination) to map every executable running on the network.
2. **Correlate via LogonID:** Train SOC analysts to use the `LogonID` field to link process execution (4688) back to the specific network authentication event (4624) that launched it.
3. **Audit Scheduled Tasks:** Enable "Other Object Access Events" to track the creation and modification of scheduled tasks (common persistence methods).
### Long-term Strategy (3+ months)
1. **Centralized Log Aggregation:** Deploy a SIEM or log management solution to ingest these high-fidelity events for cross-machine correlation.
2. **Audit Policy Enforcement:** Use GPOs to ensure "Audit: Force audit policy subcategory settings" is enabled, preventing legacy policies from overriding your advanced settings.
3. **Address Visibility Gaps:** Integrate Sysmon (Part 4 of this series) and PowerShell Logging (Part 3) to capture in-memory attacks and network connection details that native logs miss.
## Implementation Guidance
### For Small Organizations
- Focus on Domain Controllers and critical servers first.
- Turn on Command Line logging immediately; it is the highest-value, lowest-effort telemetry gain.
### For Medium Organizations
- Implement Advanced Audit Policies via Group Policy (GPO).
- Prioritize **Logon/Logoff** and **Detailed Tracking** (Process Creation) categories.
### For Large Enterprises
- Use the `auditpol.exe` command-line tool for scripted deployment and verification across large fleets.
- Be prepared for increased log volume; tune Object Access auditing carefully to avoid "log noise" from high-frequency system files.
## Configuration Examples
### Command Line Deployment (AuditPol)
Run these commands in an elevated prompt to quickly enable core foundation categories:
```cmd
:: Enable Process Creation (Event ID 4688)
auditpol /set /subcategory:"Process Creation" /success:enable
:: Enable Audit Policy Change (Event ID 4719), which records tampering with the audit policy itself
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
:: Enable Scheduled Task Tracking (Event IDs 4698/4699/4702 live under Other Object Access Events)
auditpol /set /subcategory:"Other Object Access Events" /success:enable
:: Enable Command Line Logging in 4688 (registry equivalent of the Group Policy setting)
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f
```
## Compliance Alignment
- **NIST SP 800-53:** AU (Audit and Accountability) controls.
- **CIS Controls:** Control 8 (Audit Log Management).
- **MITRE ATT&CK:** Directly supports detection for over 450 techniques (via Event ID 4688).
## Common Pitfalls to Avoid
- **The "Check-Box" Fallacy:** Assuming "Auditing is Enabled" means you are capturing useful data. Default settings often miss the context needed for an investigation.
- **Ignoring Logon Types:** Failing to distinguish between Logon Type 2 (Interactive) and Type 3 (Network) during an investigation, leading to misidentification of lateral movement.
- **Neglecting the Termination:** Only logging process starts (4688) but not ends (4689), making it impossible to determine the duration of a malicious tool's execution.
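The LogonID correlation from the short-term recommendations and the 4688/4689 duration point above, as an added Python example that is not part of the original report. The event dictionaries are constructed here, using the Security log field names (TargetLogonId, SubjectLogonId, NewProcessId, ProcessId), and stand in for parsed EVTX records.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Logon Type values as they appear in the 4624 LogonType field
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

@dataclass
class ProcessSession:
    process: str
    command_line: str
    user: str
    logon_type: str              # how the session that launched it authenticated
    duration_s: Optional[float]  # None when no matching 4689 was seen

def correlate(events):
    # 4624 names the session in TargetLogonId; 4688/4689 name it in SubjectLogonId
    logons = {e["TargetLogonId"]: e for e in events if e["EventID"] == 4624}
    ends = {(e["SubjectLogonId"], e["ProcessId"]): e["Time"]
            for e in events if e["EventID"] == 4689}
    sessions = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        logon = logons.get(e["SubjectLogonId"])
        if logon is None:                      # logon happened before the collected window
            logon_type = "unknown (4624 not in window)"
        else:
            logon_type = LOGON_TYPES.get(logon["LogonType"], f"Type {logon['LogonType']}")
        end = ends.get((e["SubjectLogonId"], e["NewProcessId"]))
        sessions.append(ProcessSession(
            process=e["NewProcessName"], command_line=e["CommandLine"],
            user=e["SubjectUserName"], logon_type=logon_type,
            duration_s=(end - e["Time"]).total_seconds() if end else None))
    return sessions

# Constructed sample events (not real logs); field names follow the Security log schema
T = datetime.fromisoformat
SAMPLE = [
    {"EventID": 4624, "Time": T("2024-05-01T09:00:00"), "TargetLogonId": "0x3e7f2",
     "TargetUserName": "svc-backup", "LogonType": 3},
    {"EventID": 4688, "Time": T("2024-05-01T09:00:05"), "SubjectLogonId": "0x3e7f2",
     "SubjectUserName": "svc-backup", "NewProcessId": "0x1a2c",
     "NewProcessName": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 4689, "Time": T("2024-05-01T09:00:17"), "SubjectLogonId": "0x3e7f2",
     "ProcessId": "0x1a2c"},
    {"EventID": 4688, "Time": T("2024-05-01T09:01:00"), "SubjectLogonId": "0x9c1",
     "SubjectUserName": "alice", "NewProcessId": "0x2b40",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]
```

The second 4688 has no 4624 in the sample, which is the normal case for long-lived sessions whose logon predates the collection window; a SIEM lookup over a longer retention period fills that gap.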
## Resources
- **Microsoft Documentation:** Advanced security audit policy settings (defanged: *learn[.]microsoft[.]com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings*)
- **TrustedSec Blog:** Part 1 - The Single Source Problem
- **Coming Soon:** Part 3 (PowerShell) and Part 4 (Sysmon) for filling telemetry gaps.