Recommended Windows Audit Policy Settings

Auditing Windows

September 29, 2021September 30, 2021Editorial Team

Recommended Windows Audit Policy Settings

This post includes recommend Windows audit policy settings. No two environments are the same so after running for a week inspect how much data is being recorded and if any can be removed. Ideally you will be after more than 24hrs worth of data held with a security event log size set to 2GB (2GB is not large for some environments).

This table lists the audit setting recommendations for the below operating systems:

Windows Server 2008
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows 10

Setting	Success \| Failure
Account Management
Audit Application Group Management	Yes \| Yes
Audit Computer Account Management	Yes \| Yes
Audit Distribution Group Management
Audit Other Account Management Events	Yes \| Yes
Audit Security Group Management	Yes \| Yes
Audit User Account Management	Yes \| Yes
Account Logon
Audit Credential Validation	Yes \| Yes
Audit Kerberos Authentication Service	Domain Controller \| Domain Controller
Audit Kerberos Service Ticket Operations	Domain Controller \| Domain Controller
Audit Other Account Logon Events	Yes \| No
Detailed Tracking
Audit DPAPI Activity	Yes \| Yes
Audit Process Creation	Yes \| Yes
Audit Process Termination
Audit RPC Events
DS Access
Audit Detailed Directory Service Replication
Audit Directory Service Access	Domain Controller \| Domain Controller
Audit Directory Service Changes	Domain Controller \| Domain Controller
Audit Directory Service Replication
Logon and Logoff
Audit Account Lockout	Yes \| No
Audit User/Device Claims
Audit IPsec Extended Mode
Audit IPsec Main Mode
Audit IPsec Quick Mode
Audit Logoff	Yes \| No
Audit Logon	Yes \| Yes
Audit Network Policy Server
Audit Other Logon/Logoff Events	Yes \| Yes
Audit Special Logon	Yes \| Yes
Object Access
Audit Application Generated
Audit Certification Services
Audit Detailed File Share
Audit File Share
Audit File System
Audit Filtering Platform Connection
Audit Filtering Platform Packet Drop
Audit Handle Manipulation
Audit Kernel Object
Audit Other Object Access Events	Yes \| Yes
Audit Registry
Audit Removable Storage	Yes \| Yes
Audit SAM
Audit Central Access Policy Staging
Policy Change
Audit Audit Policy Change	Yes \| Yes
Audit Authentication Policy Change	Yes \| Yes
Audit Authorization Policy Change	Yes \| Yes
Audit Filtering Platform Policy Change
Audit MPSSVC Rule-Level Policy Change	Yes \| Yes
Audit Other Policy Change Events	No \| Yes
Privilege Use
Audit Non Sensitive Privilege Use
Audit Other Privilege Use Events
Audit Sensitive Privilege Use	Yes \| Yes
System
Audit IPsec Driver	Yes \| Yes
Audit Other System Events	Yes \| No
Audit Security State Change	Yes \| Yes
Audit Security System Extension	Yes \| No
Audit System Integrity	Yes \| Yes
Global Object Access Auditing
Audit IPsec Driver
Audit Other System Events	Yes \| No
Audit Security State Change	Yes \| Yes
Audit Security System Extension	Yes \| No
Audit System Integrity	Yes \| Yes

Editorial Team

Back To Top