
Configuring Windows 7 audit, group policy settings

Learn the ins and outs of Windows 7 audit and group policy settings, including account logon and management, and other factors to consider when configuring auditing controls.

Windows 7 and Windows Server 2008 local group policy settings and audit policies allow solution providers to have greater control of the events and settings in their customers' environments, so it's important to know how to configure and properly use these settings and policies.

Some editions of Windows 7 (Professional, Ultimate and Enterprise) and Windows Server 2008 R2 expose 53 different audit subcategories, each of which can be set to record success events, failure events or both, through the Advanced Audit Policy Configuration node of Group Policy. (Windows Vista and the original Windows Server 2008 use the same subcategory mechanism, but configure it with the auditpol.exe command-line tool rather than through the Group Policy editor.) This series of articles delves into the settings available to you and explains the situations that call for you to change them.

The basic interface for the System Audit Policies is shown in Figure 1. Type "gpedit.msc" into the Start menu search box in Windows 7 or Windows Server 2008 R2 to open the Local Group Policy Editor, then navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies, which displays the available auditing options.

Figure 1: The nine category entries from older Windows versions go up to 10 with the addition of Global Object Access Auditing (other category names change slightly as well).

You cannot expand these categories on a system running the Windows 7 Starter, Home Basic or Home Premium editions; the nine legacy category-level controls are the only auditing controls the Group Policy editor offers on those operating systems (OS). The net effect of turning a whole category on is to enable auditing for every subcategory beneath it, which we explore in the rest of this article, so even if you only work on such systems, it may still be helpful to keep reading. Two practical caveats: auditpol.exe, which ships with every edition, can still set individual subcategories from an elevated command prompt; and once subcategory settings are in use, Windows ignores the legacy category settings. The Security Options setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" controls that precedence, and it is turned on when advanced audit policy is deployed through Group Policy, so do not mix the two styles on the same machine.

Account logon

Figure 2: This screen capture shows the right-click accessible Properties window for one of the four subcategories for the Account Logon audit controls.

You must check "Success", "Failure" or both for any auditing to actually occur. Checking the "Configure the following audit events" box as shown here only makes those two checkboxes available. Microsoft's Technet documentation describes creating and enforcing Advanced Audit Policy Configuration settings in an Active Directory environment, and the Technet Security Audit Policy Reference documents each individual setting.

Here are the subcategory settings for Account Logon:

  • Audit Credential Validation: Determines whether the OS generates audit events when credentials are submitted for a user account logon request (NTLM validation, event IDs 4774 through 4776). The events are logged on the computer that holds the account, so they are most useful on domain controllers; on member workstations and servers this setting only records logons with local accounts.
  • Audit Kerberos Authentication Service: Determines whether the OS generates audit events for Kerberos TGT (ticket-granting ticket) requests (event IDs 4768, 4771 and 4772). These events are generated on domain controllers, which run the Key Distribution Center, not on the client machines that request the tickets.
  • Audit Kerberos Service Ticket Operations: Determines whether the OS generates audit events for Kerberos service ticket requests, which use the TGT to gain access to other resources under Kerberos control (event IDs 4769 and 4770). Like the previous setting, this is logged on domain controllers.
  • Audit Other Account Logon Events: Microsoft's reference describes this as covering other credential-related logon events, such as Remote Desktop session connection and disconnection, locking or unlocking a workstation, invoking or dismissing a secure screen saver, detection of a Kerberos replay attack (the same authentication data submitted more than once) and wireless or 802.1X network access granted to an account. In practice those events (4778 and 4779 for Remote Desktop, 4800 through 4803 for lock, unlock and screen saver, 4649 for replay detection) are recorded under the Logon/Logoff category's Other Logon/Logoff Events subcategory, so enabling this subcategory alone will not capture them.
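The procedure above is what you do in the Group Policy editor. The following PowerShell script is an added example, not part of the original article, that does the same thing for the Account Logon category with auditpol.exe, so it also works on editions without gpedit.msc and can be scripted across many machines. It assumes an elevated PowerShell session on Windows 7 or Server 2008 R2 (or later) and that no domain GPO is managing advanced audit policy on the machine; if one is, the local change is overwritten at the next policy refresh. The backup file path and the list of subcategories are choices made for this example.

```powershell
# Added example (not from the original article): enable success and failure auditing for the
# four Account Logon subcategories with auditpol.exe, then confirm the effective setting.
# Assumptions: elevated PowerShell session on Windows 7 / Server 2008 R2 or later; a domain GPO
# that deploys Advanced Audit Policy would overwrite these local values on refresh.
#Requires -RunAsAdministrator

$subcategories = @(
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Other Account Logon Events'
)

# Save the current policy first so the change can be undone with: auditpol /restore /file:<path>
$backup = Join-Path $env:TEMP ('auditpol-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
auditpol.exe /backup /file:$backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'auditpol /backup failed; is the session elevated?' }
Write-Output "Existing audit policy saved to $backup"

foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for subcategory '$sub'" }
}

# Subcategory settings only win over the legacy nine categories when the Security Options setting
# "Audit: Force audit policy subcategory settings ... to override audit policy category settings"
# is on. It is stored as SCENoApplyLegacyAuditPolicy; 1 means subcategory (advanced) policy applies.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($override -ne 1) {
    Write-Warning 'Subcategory override is not enforced; legacy category settings may still take precedence.'
}

# Read back the effective policy for the whole category in CSV form (/r) and check every row.
$effective = auditpol.exe /get /category:'Account Logon' /r | ConvertFrom-Csv
foreach ($row in $effective) {
    $state = if ($row.'Inclusion Setting' -eq 'Success and Failure') { 'OK' } else { 'CHECK' }
    '{0,-40} {1,-22} {2}' -f $row.Subcategory, $row.'Inclusion Setting', $state
}
```

The `/r` switch makes auditpol emit CSV with a `Subcategory` and an `Inclusion Setting` column, which is easier to verify from a script than the human-readable table. Keeping the `/backup` file is worth the few seconds it costs: a mistyped subcategory name fails loudly, but a correctly typed one applied to the wrong machine does not.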

Group policy settings: Account management

Figure 3: The account management audit settings may be used to audit changes to user and computer accounts and groups.

Here are the subcategory settings for Account Management:

  • Audit Application Group Management: Determines if the OS generates audit events when application group management tasks are performed. Such tasks include creating, changing, deleting an application group and adding or removing a member from that group.
  • Audit Computer Account Management: Determines whether the OS generates audit events when a computer account is created, changed or deleted (event IDs 4741 through 4743). Computer accounts are Active Directory objects, so these events are generated on domain controllers.
  • Audit Distribution Group Management: Determines whether the OS generates audit events when distribution group management tasks are carried out (creating, changing or deleting a distribution group, or adding or removing a member). Distribution groups are Active Directory objects, so these events occur only on domain controllers running Windows Server 2008 or later.
  • Audit Other Account Management Events: Determines whether the OS generates audit events when the password hash of an account is accessed (event ID 4782, which mainly occurs when the Active Directory Migration Tool is moving password data) or when the Password Policy Checking API is called (event ID 4793, which can indicate a password-guessing tool probing the policy).
  • Audit Security Group Management: Determines whether the OS generates audit events when various group management tasks are performed, including creating, changing or deleting a security group, adding or removing a member from a security group (event IDs 4728, 4732 and 4756 for additions to global, local and universal groups respectively) or changing the type associated with a security group. (Security groups are used to grant access control permissions and can also serve as distribution lists.)
  • Audit User Account Management: Determines whether the OS generates audit events when any of various user account management tasks occur. These include creating, changing, deleting, renaming, disabling or enabling, and locking out or unlocking user accounts. Other items are setting or changing a user account password, adding SID history to a user account, setting a password for Directory Services Restore Mode (admins only), changing permissions on accounts belonging to administrator groups and backing up or restoring Credential Manager credentials. This should be enabled for both success and failure as a matter of routine in high-security environments.
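Enabling the Account Management subcategories is only half the job; someone has to read the events. The script below is an added example, not part of the original article, that pulls the last week of Account Management events from the local Security log and lists who did what to which account or group. It assumes an elevated session, PowerShell 3.0 or later (for the `[pscustomobject]` cast), and that the subcategories above are auditing successes; on a domain controller the same query shows domain-wide changes, on a workstation only local ones. The event ID descriptions come from Microsoft's security auditing event reference.

```powershell
# Added example (not from the original article): summarise recent Account Management audit
# events from the local Security log. Assumes an elevated PowerShell 3.0+ session and that the
# Account Management subcategories are auditing Success events.
#Requires -RunAsAdministrator

# Event IDs generated by the Account Management subcategories discussed above.
$meaning = @{
    4720 = 'User account created'
    4722 = 'User account enabled'
    4723 = 'Password change attempted'
    4724 = 'Password reset attempted'
    4725 = 'User account disabled'
    4726 = 'User account deleted'
    4728 = 'Member added to security-enabled global group'
    4729 = 'Member removed from security-enabled global group'
    4732 = 'Member added to security-enabled local group'
    4733 = 'Member removed from security-enabled local group'
    4738 = 'User account changed'
    4740 = 'User account locked out'
    4741 = 'Computer account created'
    4742 = 'Computer account changed'
    4743 = 'Computer account deleted'
    4756 = 'Member added to security-enabled universal group'
    4767 = 'User account unlocked'
    4781 = 'Account renamed'
    4793 = 'Password Policy Checking API called'
}

function Get-EventDataTable([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    # Flatten <EventData><Data Name="...">value</Data></EventData> into a hashtable so that
    # fields can be read by name instead of by fragile positional index.
    $table = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $table[$node.Name] = $node.'#text' }
    return $table
}

$filter = @{ LogName = 'Security'; Id = @($meaning.Keys); StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $d = Get-EventDataTable $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        What    = $meaning[$_.Id]
        # Subject* fields identify who performed the action; Target* fields identify the account
        # or group acted upon. Group membership events additionally carry the member involved.
        Subject = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Target  = '{0}\{1}' -f $d['TargetDomainName'], $d['TargetUserName']
        Member  = $d['MemberName']
    }
} | Sort-Object Time | Format-Table -AutoSize
```

A first review of the output usually turns up two things worth acting on: a service account that resets passwords constantly (noise to filter, or a misconfiguration), and group membership changes to administrative groups that nobody requested. Narrowing `$filter` to a single event ID and adding `-FilterXPath` on `TargetUserName` is the natural next step for alerting on a specific group.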

Detailed tracking

Figure 4: The detailed tracking subcategories, which are seldom used, enable auditing system activity at a low level, and can generate a great volume of events.

These are the subcategories for Detailed Tracking:

  • Audit DPAPI Activity: Determines whether the OS generates audit events when encryption or decryption calls are made through the Data Protection API (DPAPI), which is used to protect sensitive data such as stored passwords and keys (event IDs 4692 through 4695, covering master key backup and recovery and protect and unprotect operations).
  • Audit Process Creation: Determines whether the OS generates audit events when a process is created (event ID 4688), along with the account that created it, the executable path, the creator's process ID and the token elevation type. On Windows 7 and Windows Server 2008 R2 the event does not include the command line; that field was added by a later update together with the "Include command line in process creation events" policy setting. This is used mostly for low-level analysis of computer behavior and user activity.
  • Audit Process Termination: Determines whether the OS generates audit events when a process exits (event ID 4689). Only success events exist for this subcategory; there is no failure event to enable. This is used mostly for low-level analysis of computer behavior and user activity.
  • Audit RPC Events: Determines whether the OS generates audit events as inbound remote procedure call connections get made (event ID 5712). This subcategory is seldom used.
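Because Process Creation and Process Termination write one event each per process, the two are most useful when read together. The script below is an added example, not part of the original article, that pairs each 4689 with the 4688 that started the same process and reports the process lifetime, the owning account, the token elevation type and the creator's PID. It assumes an elevated PowerShell 3.0 or later session with both subcategories auditing successes, and that the events of interest fall inside the one-hour window it queries. Note that Windows reuses process IDs, so the pairing keys on the most recent 4688 for a given PID.

```powershell
# Added example (not from the original article): correlate Process Creation (4688) and Process
# Termination (4689) events from the local Security log. Assumes an elevated PowerShell 3.0+
# session and that both Detailed Tracking subcategories are auditing Success events. On Windows 7
# and Server 2008 R2, 4688 carries the executable path but not the command line.
#Requires -RunAsAdministrator

# TokenElevationType is written as a resource-string placeholder in the event XML.
$tokenType = @{
    '%%1936' = 'Full token (no UAC split)'
    '%%1937' = 'Elevated (UAC, admin approval)'
    '%%1938' = 'Limited (UAC, filtered token)'
}

function Get-Field($Event, $Name) {
    # Return one named <Data> field from the event's XML.
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688, 4689; StartTime = $since } -ErrorAction SilentlyContinue |
          Sort-Object TimeCreated

$open    = @{}    # NewProcessId (hex string) -> 4688 record still waiting for its 4689
$results = @()

foreach ($e in $events) {
    if ($e.Id -eq 4688) {
        # PIDs are reused; overwriting with the latest 4688 keeps the pairing correct.
        $open[(Get-Field $e 'NewProcessId')] = $e
        continue
    }
    # 4689 reports the exiting process's PID as ProcessId (not to be confused with $PID,
    # PowerShell's automatic variable for its own process).
    $procId = Get-Field $e 'ProcessId'
    if (-not $open.ContainsKey($procId)) { continue }   # started before the query window
    $start = $open[$procId]
    $open.Remove($procId)
    $results += [pscustomobject]@{
        Started    = $start.TimeCreated
        Seconds    = [math]::Round(($e.TimeCreated - $start.TimeCreated).TotalSeconds, 1)
        User       = '{0}\{1}' -f (Get-Field $start 'SubjectDomainName'), (Get-Field $start 'SubjectUserName')
        Process    = Get-Field $start 'NewProcessName'
        Token      = $tokenType[(Get-Field $start 'TokenElevationType')]
        CreatorPid = Get-Field $start 'ProcessId'   # parent PID; Win7's 4688 does not name the parent
        ExitStatus = Get-Field $e 'Status'
    }
}

$results | Sort-Object Started | Format-Table -AutoSize
# Anything left in $open started inside the window and has not exited yet.
'{0} process(es) started in the window are still running' -f $open.Count
```

Short-lived processes launched under an elevated token from an unexpected parent PID are the rows to look at first. Expect volume: on a busy server these two subcategories can produce thousands of events per hour, which is why the article calls them seldom used and why the Security log size should be raised before enabling them.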

Active Directory Domain Services access

Figure 5: These settings audit access to and modification of objects in Active Directory Domain Services, and are logged only on domain controllers. We skip the details here because they apply entirely to domain controllers running Windows Server 2008 R2.

Ed Tittel is a full-time freelance writer and consultant who works in many areas of Windows security. Look for the revision of his Computer Forensics JumpStart, 2nd Edition (Sybex, 2011, with Neil Broom, Mike Chappell, K Rudolph, and Diane Barrett) to appear in the first quarter of 2011.



This was last published in January 2011

1 comment

Using an administrator account logon, open the Active Directory Users and Computers tool, click Properties, then the Group Policy tab, and click Edit to edit the Default Domain Policy. In the Group Policy window, expand Computer Configuration, navigate to Windows Settings > Security Settings > Local Policies > Audit Policy, double-click Audit directory service access, and click OK.