Windows
Configure audit policies for DCs on Server 2008
-----------------------------------------------

Monitor policy changes
----------------------
auditpol /set /subcategory:{0CCE922F-69AE-11D9-BED3-505054503030} /success:enable

Directory service changes
-------------------------
auditpol /set /subcategory:{0CCE923C-69AE-11D9-BED3-505054503030} /success:enable

Managing user accounts
----------------------
auditpol /set /subcategory:{0CCE9235-69AE-11D9-BED3-505054503030} /success:enable

Managing computer accounts
--------------------------
auditpol /set /subcategory:{0CCE9236-69AE-11D9-BED3-505054503030} /success:enable

Managing security groups
------------------------
auditpol /set /subcategory:{0CCE9237-69AE-11D9-BED3-505054503030} /success:enable

Managing distribution groups
----------------------------
auditpol /set /subcategory:{0CCE9238-69AE-11D9-BED3-505054503030} /success:enable

Managing application groups
---------------------------
auditpol /set /subcategory:{0CCE9239-69AE-11D9-BED3-505054503030} /success:enable

Other account management events
-------------------------------
auditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030} /success:enable

Verify the audit policy settings
--------------------------------
You can verify that the audit policies took effect by opening a command prompt with admin rights and entering the following command:

For English servers
-------------------
auditpol /get /category:"policy change,account management,ds access"

For all languages
-----------------
auditpol /get /category:*
auditpol.exe /get /category:* | clip        (same output, copied to the clipboard)
auditpol /list /subcategory:*               (lists every subcategory name and GUID)

To get a list of the currently configured auditing subcategories on a computer running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008, type:
auditpol /get /category:*

To force a refresh of the machine policy (this is the Windows 2000 syntax; on Windows Server 2003 and later use gpupdate /force):
secedit /refreshpolicy machine_policy enforce

########################

Monitor These Events for Compromise
-----------------------------------
Here is a list of events you should be monitoring and reporting on.
Logon Failures – Event ID 4624, 4771
Successful logons – Event ID 4624
Failures due to bad passwords – Event ID 4625
User Account Locked out – Event ID 4740
User Account Unlocked – Event ID 4767
User changed password – Event ID 4723
User Added to Privileged Group – Event ID 4728, 4732, 4756
Member added to a group – Event ID 4728, 4732, 4756, 4761, 4746, 4751
Member removed from group – Event ID 4729, 4733, 4757, 4762, 4747, 4752
Security log cleared – Event ID 1102
Computer Deleted – Event ID 4743

Active Directory Audit Checklist: 5 Planning Considerations
-----------------------------------------------------------
1.) Active Directory Governance
2.) Active Directory Design
    - The organization's Active Directory structure
    - The segregation of duties related to Active Directory, such as administering, monitoring, and making changes
    - The servers utilized for Domain Controllers
    - The configuration of the forest trust and the authorization required to establish trusts between forests
3.) Active Directory Security
4.) Active Directory Logging and Audit
5.) Active Directory Administrator Access

Configuring Advanced Audit Policy Manually for Domain Controllers
-----------------------------------------------------------------
ADAudit Plus collects the data logged in the security logs of Domain Controllers, Member Servers and File Servers and provides reports. What gets logged in the security logs of those objects depends on the Audit Policy / Advanced Audit Policy (available in 2008 R2 and above) configured for each of them. Configuring the Advanced Audit Policy ensures that only the security logs required for auditing are collected, so the disk does not fill up quickly with unwanted logs.

Configuring Advanced Audit Policy for Domain Controllers that run in a Windows Server (2008 R2 and above) environment: the advanced audit policy in the 'Default Domain Controllers Policy' is to be configured so that ADAudit Plus collects only the security logs required for auditing.
Which Advanced Audit Policies are to be established in the Default Domain Controllers Policy?
- To audit Logon Events: Select Account Logon → Configure 'Kerberos Authentication Service' (Success & Failure).
- To audit User, Group, Computer: Select Account Management → Configure 'Computer Account Management' (Success), 'Distribution Group Management' (Success), 'Security Group Management' (Success), 'User Account Management' (Success & Failure).
- To audit Tracking Processes: Select Detailed Tracking → Configure 'Process Creation' (Success), 'Process Termination' (Success).
- To audit GPO, OU, Configuration, Schema, Contacts, Containers, Site: Select DS Access → Configure 'Directory Service Changes' (Success), 'Directory Service Access' (Success).
- To audit Logon / Logoff: Select Logon / Logoff → Configure 'Logon' (Success & Failure), 'Logoff' (Success), 'Network Policy Server' (Success & Failure), 'Other Logon / Logoff Events' (Success).
- To audit Scheduled Tasks: Select Object Access → Configure 'Other Object Access Events' (Success).
- To audit Local Policy Changes: Select Policy Change → Configure 'Authentication Policy Change' (Success), 'Authorization Policy Change' (Success).
- To audit System Events: Select System → Configure 'Security State Change' (Success).

----------------------------------------------------------------------------------
Step by Step Procedure to edit Default Domain Controllers Policy:
-----------------------------------------------------------------
1. Log on to Windows with an account that has Administrator rights.
2. Ensure that the Group Policy snap-in is installed.
3. Open the GPMC (Group Policy Management Console) on Windows 2003 / 2008 servers.
4. Navigate to 'Default Domain Controllers Policy':
   Group Policy Management Console -> Domain Controllers -> Default Domain Controllers Policy
5. Right-click the Default Domain Controllers Policy and click 'Edit'.
6. From the Group Policy Management Editor, navigate to the 'Audit Policies' node:
   Computer Configuration -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies
7. From the right pane, double-click the policy that you want to configure (enable / disable).

I recommend you download the Microsoft Security Compliance Toolkit. It includes an Excel document with recommended security and audit settings for Windows 10, member servers, and domain controllers. In addition, the toolkit includes additional documents and files to help you apply security and audit settings.
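Whichever way the policy was set (the auditpol commands above or the Default Domain Controllers Policy), the effective result can be checked from the DC itself. The script below is an added example, not part of these notes; it assumes an elevated PowerShell prompt on the DC and an English server for the 'Success' text, and it reads the same subcategory GUIDs and event IDs listed above.

```powershell
# Added example (not part of the original notes). Run in an elevated PowerShell
# prompt on the DC. Part 1 checks the effective audit policy for the subcategory
# GUIDs set with auditpol above; part 2 counts the listed event IDs.

# Subcategory GUIDs exactly as set with auditpol above.
$RequiredSubcategories = @{
    '{0CCE922F-69AE-11D9-BED3-505054503030}' = 'Audit Policy Change'
    '{0CCE923C-69AE-11D9-BED3-505054503030}' = 'Directory Service Changes'
    '{0CCE9235-69AE-11D9-BED3-505054503030}' = 'User Account Management'
    '{0CCE9236-69AE-11D9-BED3-505054503030}' = 'Computer Account Management'
    '{0CCE9237-69AE-11D9-BED3-505054503030}' = 'Security Group Management'
    '{0CCE9238-69AE-11D9-BED3-505054503030}' = 'Distribution Group Management'
    '{0CCE9239-69AE-11D9-BED3-505054503030}' = 'Application Group Management'
    '{0CCE923A-69AE-11D9-BED3-505054503030}' = 'Other Account Management Events'
}

# /r gives CSV with a "Subcategory GUID" column, so the lookup does not depend on
# the server language. The "Inclusion Setting" text is still localized: on a
# non-English server replace 'Success' in the -notmatch below with the local word.
$Effective = auditpol /get /category:* /r | Where-Object { $_.Trim() } | ConvertFrom-Csv

$NotAudited = foreach ($Guid in $RequiredSubcategories.Keys) {
    $Row = $Effective | Where-Object { $_.'Subcategory GUID' -eq $Guid }
    $Current = if ($Row) { $Row.'Inclusion Setting' } else { 'not reported' }
    if (-not $Row -or $Current -notmatch 'Success') {
        [pscustomobject]@{ Subcategory = $RequiredSubcategories[$Guid]; Current = $Current }
    }
}
if ($NotAudited) {
    Write-Warning 'Subcategories NOT auditing Success:'
    $NotAudited | Format-Table -AutoSize
} else {
    'All required subcategories audit Success.'
}

# Event IDs from the "Monitor These Events" list, last 24 hours, counted per ID.
# 4624 is very noisy on a DC; drop it from the list if the query is too slow.
$WatchIds = 4624, 4625, 4771, 4740, 4767, 4723, 4728, 4732, 4756, 4761, 4746, 4751,
            4729, 4733, 4757, 4762, 4747, 4752, 1102, 4743
$Filter = @{ LogName = 'Security'; Id = $WatchIds; StartTime = (Get-Date).AddHours(-24) }
# Get-WinEvent throws "No events were found" when nothing matches, hence SilentlyContinue.
Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

A non-empty warning table from part 1 means a GPO or a later auditpol run has overridden the setting, so re-check the Default Domain Controllers Policy before trusting the event counts from part 2.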