
The Windows Advanced Audit Policy Configuration

Since the introduction of the Windows Advanced Audit Policy, administrators have had fine-grained control over system activity auditing. Detailed auditing can be applied precisely where it is needed, with unwanted events suppressed at source rather than filtered downstream. The audit policy settings work in conjunction with a 'System Access Control List' (SACL). A SACL is defined per system object (e.g. folder, file, registry key) and specifies which access attempts on that object are to be logged.

Recommended Settings for the Windows Advanced Audit Policy

The following is a recommended policy suitable for demonstrating compliance with security, governance or regulatory standards such as PCI DSS Requirement 10. This particular audit policy is derived from the CIS 2012R2 Benchmark Level 2 Member Server profile.

Download a free Group Policy Template to instantly apply the following Audit Policy to your Windows 2012R2 Estate – Just import to Active Directory and apply!

N.B. Make sure that the Advanced Audit Policy settings are not overwritten by the legacy category-level Group Policy settings: set 'Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings' to 'Enabled'.

Account Logon

'Audit Policy: Account Logon: Credential Validation' to 'Success and Failure'
'Audit Policy: Account Logon: Kerberos Authentication Service' to 'No Auditing'
'Audit Policy: Account Logon: Kerberos Service Ticket Operations' to 'No Auditing'
'Audit Policy: Account Logon: Other Account Logon Events' to 'No Auditing'

For a free automated system compliance audit:

Request a free trial of NNT Change Tracker

Account Management

'Audit Policy: Account Management: Application Group Management' to 'Success and Failure'
'Audit Policy: Account Management: Computer Account Management' to 'Success and Failure'
'Audit Policy: Account Management: Distribution Group Management' to 'No Auditing'
'Audit Policy: Account Management: Other Account Management Events' to 'Success and Failure'
'Audit Policy: Account Management: Security Group Management' to 'Success and Failure'
'Audit Policy: Account Management: User Account Management' to 'Success and Failure'


Detailed Tracking

'Audit Policy: Detailed Tracking: DPAPI Activity' to 'No Auditing'
'Audit Policy: Detailed Tracking: Process Creation' to 'Success and Failure' (Note: review this setting carefully, as it may give noisy results)
'Audit Policy: Detailed Tracking: Process Termination' to 'No Auditing'
'Audit Policy: Detailed Tracking: RPC Events' to 'No Auditing'


DS Access

'Audit Policy: DS Access: Detailed Directory Service Replication' to 'No Auditing'
'Audit Policy: DS Access: Directory Service Access' to 'Success and Failure' (Domain Controllers only; otherwise 'No Auditing')
'Audit Policy: DS Access: Directory Service Replication' to 'No Auditing'
'Audit Policy: DS Access: Directory Service Changes' to 'Success and Failure' (Domain Controllers only; otherwise 'No Auditing')


Logon/Logoff

'Audit Policy: Logon-Logoff: Account Lockout' to 'Success'
'Audit Policy: Logon-Logoff: User / Device Claims' to 'No Auditing'
'Audit Policy: Logon-Logoff: IPsec Extended Mode' to 'No Auditing'
'Audit Policy: Logon-Logoff: IPsec Main Mode' to 'No Auditing'
'Audit Policy: Logon-Logoff: IPsec Quick Mode' to 'No Auditing'
'Audit Policy: Logon-Logoff: Logon' to 'Success and Failure'
'Audit Policy: Logon-Logoff: Logoff' to 'Success'
'Audit Policy: Logon-Logoff: Network Policy Server' to 'No Auditing'
'Audit Policy: Logon-Logoff: Other Logon/Logoff Events' to 'Success and Failure'
'Audit Policy: Logon-Logoff: Special Logon' to 'Success'

Object Access

'Audit Policy: Object Access: Application Generated' to 'No Auditing'
'Audit Policy: Object Access: Certification Services' to 'No Auditing'
'Audit Policy: Object Access: Detailed File Share' to 'No Auditing'
'Audit Policy: Object Access: File Share' to 'No Auditing'
'Audit Policy: Object Access: File System' to 'No Auditing'
'Audit Policy: Object Access: Filtering Platform Connection' to 'No Auditing'
'Audit Policy: Object Access: Filtering Platform Packet Drop' to 'No Auditing'
'Audit Policy: Object Access: Handle Manipulation' to 'No Auditing'
'Audit Policy: Object Access: Kernel Object' to 'No Auditing'
'Audit Policy: Object Access: Other Object Access Events' to 'No Auditing'
'Audit Policy: Object Access: Registry' to 'No Auditing'
'Audit Policy: Object Access: Removable Storage' to 'Success and Failure'
'Audit Policy: Object Access: SAM' to 'No Auditing'
'Audit Policy: Object Access: Central Access Policy Staging' to 'No Auditing'


Policy Change

'Audit Policy: Policy Change: Audit Policy Change' to 'Success and Failure'
'Audit Policy: Policy Change: Authentication Policy Change' to 'Success'
'Audit Policy: Policy Change: Authorization Policy Change' to 'No Auditing'
'Audit Policy: Policy Change: Filtering Platform Policy Change' to 'No Auditing'
'Audit Policy: Policy Change: MPSSVC Rule-Level Policy Change' to 'No Auditing'
'Audit Policy: Policy Change: Other Policy Change Events' to 'No Auditing'


Privilege Use

'Audit Policy: Privilege Use: Non Sensitive Privilege Use' to 'No Auditing'
'Audit Policy: Privilege Use: Other Privilege Use Events' to 'No Auditing'
'Audit Policy: Privilege Use: Sensitive Privilege Use' to 'Success and Failure'


System

'Audit Policy: System: IPsec Driver' to 'Success and Failure'
'Audit Policy: System: Other System Events' to 'Success and Failure'
'Audit Policy: System: Security State Change' to 'Success'
'Audit Policy: System: Security System Extension' to 'Success and Failure'
'Audit Policy: System: System Integrity' to 'Success and Failure'


Global Object Access Auditing

Note: The more precise per-object 'Object Access' auditing is defined above; the global settings below are left off.
'Audit Policy: Global Object Access Auditing: File System' to 'No Auditing'
'Audit Policy: Global Object Access Auditing: Registry' to 'No Auditing'


For audit policies for other platforms and for a free automated system compliance audit request a free trial of NNT Change Tracker here
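To verify that a host's live settings actually match the recommendations above, here is an added PowerShell example (it is not NNT's code or the Group Policy template): it parses the CSV output of auditpol.exe, compares a subset of the subcategories listed above against their recommended values, and checks the registry value behind the override setting from the N.B. The subcategory names are the English ones, so they differ on localised Windows builds.

```powershell
# Added example: compare the live Advanced Audit Policy with the recommended values above.
# Run from an elevated PowerShell prompt on Windows Server 2012 R2 or later.

# Recommended values copied from the lists above (a subset, chosen for brevity).
$Baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Process Creation'          = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Special Logon'             = 'Success'
    'Removable Storage'         = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success and Failure'
    'Security State Change'     = 'Success'
    'System Integrity'          = 'Success and Failure'
}

# 'auditpol /r' emits CSV with 'Subcategory' and 'Inclusion Setting' columns, where the
# setting reads 'Success', 'Failure', 'Success and Failure' or 'No Auditing'.
$Current = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

# Report every subcategory whose live value differs from the recommendation.
$Drift = foreach ($name in $Baseline.Keys) {
    $row    = $Current | Where-Object { $_.Subcategory -eq $name }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    if ($actual -ne $Baseline[$name]) {
        [pscustomobject]@{ Subcategory = $name; Expected = $Baseline[$name]; Actual = $actual }
    }
}

# SCENoApplyLegacyAuditPolicy = 1 is the registry form of 'Audit: Force audit policy
# subcategory settings (Windows Vista or later) to override audit policy category settings'.
# Without it, a legacy category setting in any GPO can silently replace the values above.
$Lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($Lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: subcategory settings may be overridden by category settings.'
}

if ($Drift) { $Drift | Format-Table -AutoSize } else { 'All checked subcategories match the recommended policy.' }
```

Extend $Baseline with the remaining subcategories above to cover the whole policy; the comparison logic is unchanged.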

System Audit Policies: Local Group Policy Object


The Advanced Audit Policy can be applied directly using the Local Security Policy console, the Local Group Policy Editor (gpedit.msc) or via Group Policy if the machine is part of a Domain.

Figure 1: The Local Security Policy can be applied using the Local Security Policy console or the Local Group Policy Editor

A SACL definition comprises the object to audit, the users or groups whose access is of interest, and the auditing rules to apply (which access types, and whether success, failure or both are logged).

Figure 2: The SACL defines the object, user and access conditions to log
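The same SACL shown in Figure 2 can be defined from PowerShell instead of the GUI; the following is an added example (not code from the page or from NNT) that audits changes to a folder tree, with C:\SensitiveData as a placeholder path. The recommended policy above sets 'Object Access: File System' to 'No Auditing', so this SACL only produces file-access events (event ID 4663) on hosts where that subcategory has been enabled.

```powershell
# Added example: add a file-system audit rule (SACL entry) to a folder and its contents.
# Requires an elevated prompt: reading or writing a SACL needs SeSecurityPrivilege.
$Path     = 'C:\SensitiveData'   # placeholder folder, replace with the real object
$Identity = 'Everyone'           # the principal(s) whose access attempts are logged

# Access types to audit: the ones that modify data or its protection, not plain reads,
# which keeps the volume of 4663 events manageable.
$Rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
# Apply the rule to the folder, its subfolders and files.
$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop    = [System.Security.AccessControl.PropagationFlags]::None
# Log both successful and failed attempts.
$Flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Identity, $Rights, $Inherit, $Prop, $Flags)

# Get-Acl only reads the SACL when -Audit is given; without it the audit rules are dropped.
$Acl = Get-Acl -Path $Path -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# Verify what is now in the SACL.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```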
