TEAM: Huntress Managed Security Information and Event Management (SIEM)
PRODUCT: SIEM
ENVIRONMENT: Windows
SUMMARY: Configuration Guide for Windows Security Logging
Device Configuration Checklist
Vendor Information
Vendor | Microsoft |
---|---|
Supported Model Name/Number | Windows Operating System |
Supported Software Version(s) | Desktop: Windows 7 and later; Server: Windows 2008R2 and later |
Collection Method | Windows Event Log |
Provider Name | Microsoft-Windows-Security-Auditing |
Additional Information | |
Security auditing on Windows hosts can be configured through one of two mechanisms, depending on whether the host is domain-joined. A domain-joined host, together with the other hosts in the domain, can have its configuration applied through Group Policy Objects. A host that is not domain-joined must be configured manually.
Controlled via Active Directory Group Policy
Group Policy provides a simple, centralized mechanism to push the same configuration to all servers and workstations within a domain. It can be used to push a common Advanced Audit configuration to all member servers and workstations.
- Create a new GPO and configure its Advanced Audit section with the settings in the table below.
- Once the GPO is configured and saved, link it at the top level of the domain so it applies to all computers and users.
The audit settings below are a baseline recommendation that generates audit logs to assist with the detection and investigation of suspicious and malicious activity. The baseline includes configuration for optional Windows services that may not be installed on the systems targeted by the GPO; audit logs for those services are only generated where they are installed.
Advanced Audit Policy Configuration
Category | Subcategory | Audit Setting | Notes |
---|---|---|---|
Account Logon | Audit Credential Validation | Success and Failure | |
Account Logon | Audit Kerberos Authentication Service | Success and Failure | |
Account Logon | Audit Kerberos Service Ticket Operations | Success and Failure | |
Account Logon | Audit Other Account Logon Events | No Auditing | No events are generated within this category. |
Account Management | Audit Application Group Management | No Auditing | All events relate to the deprecated Authorization Manager product. |
Account Management | Audit Computer Account Management | Success and Failure | |
Account Management | Audit Distribution Group Management | Success and Failure | |
Account Management | Audit Other Account Management Events | Success | No failure events are generated. |
Account Management | Audit Security Group Management | Success and Failure | |
Account Management | Audit User Account Management | Success and Failure | |
Detailed Tracking | Audit DPAPI Activity | No Auditing | Informational events for troubleshooting DPAPI activity. |
Detailed Tracking | Audit PNP Activity | Success | No failure events are generated. |
Detailed Tracking | Audit Process Creation | No Auditing | All process activity is covered by the Huntress EDR. If not using the Huntress EDR, set to Success. |
Detailed Tracking | Audit Process Termination | No Auditing | All process activity is covered by the Huntress EDR. |
Detailed Tracking | Audit RPC Events | No Auditing | No events are generated within this category. |
Detailed Tracking | Audit Token Right Adjustment | No Auditing | Starting in Windows 10, events are produced at an extreme rate, diluting the value provided. |
DS Access | Audit Detailed Directory Service Replication | No Auditing | Informational events for troubleshooting AD replication. |
DS Access | Audit Directory Service Access | Success and Failure | |
DS Access | Audit Directory Service Changes | Success | No failure events are generated. |
DS Access | Audit Directory Service Replication | No Auditing | Informational events for troubleshooting AD replication. |
Logon/Logoff | Audit Account Lockout | Failure | No success events are generated. |
Logon/Logoff | Audit User/Device Claims | No Auditing | Informational events. No extra value is provided beyond monitoring authentication activity. |
Logon/Logoff | Audit Group Membership | No Auditing | Informational events. Capturing full group membership data at the start of every session is excessive; this data is best obtained on an as-needed basis. |
Logon/Logoff | Audit IPsec Extended Mode | No Auditing | Informational events for troubleshooting IPsec tunnels. |
Logon/Logoff | Audit IPsec Main Mode | No Auditing | Informational events for troubleshooting IPsec tunnels. |
Logon/Logoff | Audit IPsec Quick Mode | No Auditing | Informational events for troubleshooting IPsec tunnels. |
Logon/Logoff | Audit Logoff | Success | No failure events are generated. |
Logon/Logoff | Audit Logon | Success and Failure | |
Logon/Logoff | Audit Network Policy Server | Success and Failure | |
Logon/Logoff | Audit Other Logon/Logoff Events | Success and Failure | |
Logon/Logoff | Audit Special Logon | Success | No failure events are generated. |
Object Access | Audit Application Generated | No Auditing | All events relate to the deprecated Authorization Manager product. |
Object Access | Audit Certification Services | No Auditing | Set to Success and Failure if using Microsoft Certificate Services. |
Object Access | Audit Detailed File Share | Success and Failure | |
Object Access | Audit File Share | Success and Failure | |
Object Access | Audit File System | No Auditing | Event generation depends on configuring explicit System Access Control Lists (SACLs). Given this extra configuration, and the ability to detect malicious behavior through other means, enabling these events is not recommended. |
Object Access | Audit Filtering Platform Connection | Failure | Connection success logs are generated at a high volume, especially in a domain environment. The value provided by host firewall logs is available through other mechanisms. |
Object Access | Audit Filtering Platform Packet Drop | No Auditing | Generates a high volume of events with limited value beyond what connection monitoring provides. |
Object Access | Audit Handle Manipulation | No Auditing | |
Object Access | Audit Kernel Object | Success and Failure | "Audit the access of global system objects" must be disabled to prevent significant event generation. |
Object Access | Audit Other Object Access Events | Success and Failure | |
Object Access | Audit Registry | No Auditing | Event generation depends on configuring explicit System Access Control Lists (SACLs). Given this extra configuration, and the ability to detect malicious behavior through other means, enabling these events is not recommended. |
Object Access | Audit Removable Storage | Success and Failure | |
Object Access | Audit SAM | No Auditing | Informational events. The type of data contained in these events is available through Account Management events. |
Object Access | Audit Central Access Policy Staging | No Auditing | Informational events for troubleshooting Dynamic Access Control policies. |
Policy Change | Audit Audit Policy Change | Success | No failure events are generated. |
Policy Change | Audit Authentication Policy Change | Success | No failure events are generated. |
Policy Change | Audit Authorization Policy Change | Success | No failure events are generated. |
Policy Change | Audit Filtering Platform Policy Change | Success | No failure events are generated. |
Policy Change | Audit MPSSVC Rule-Level Policy Change | Success and Failure | |
Policy Change | Audit Other Policy Change Events | Success and Failure | |
Privilege Use | Audit Non Sensitive Privilege Use | No Auditing | Informational events that are generated in high volume and provide little value. |
Privilege Use | Audit Other Privilege Use Events | No Auditing | Informational events for troubleshooting Transaction Manager. |
Privilege Use | Audit Sensitive Privilege Use | Success and Failure | |
System | Audit IPsec Driver | No Auditing | Informational events for troubleshooting the IPsec service. |
System | Audit Other System Events | Success and Failure | |
System | Audit Security State Change | Success | No failure events are generated. |
System | Audit Security System Extension | Success | No failure events are generated. |
System | Audit System Integrity | Success and Failure | |
As noted above, the setting for “Audit the access of global system objects” should be disabled to prevent excessive event generation for Kernel access events. This setting can be found in the following GPO configuration object: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options.
In addition to the above, the settings governing the Windows Security Event Log itself also need to be defined. The following settings are under Computer Configuration > Policies > Windows Settings > Security Settings > Event Log. They set the maximum size of the Security event log to 512MB and allow it to overwrite old events when the maximum size is reached.
Policy | Setting |
---|---|
Maximum security log size | 512000 |
Retention method for security log | Overwrite events as needed |
Locally Managed
Without centralized management, the above configuration must be applied to each server or workstation individually. This can be done from the command line and PowerShell.
The following commands set the Advanced Audit Policy to match the GPO table above. They only enable the listed settings and do not remove any existing configuration. They must be run as an administrator.
auditpol /set /subcategory:{0CCE923F-69AE-11D9-BED3-505054503030},{0CCE9242-69AE-11D9-BED3-505054503030},{0CCE9240-69AE-11D9-BED3-505054503030},{0CCE9236-69AE-11D9-BED3-505054503030},{0CCE9238-69AE-11D9-BED3-505054503030},{0CCE9237-69AE-11D9-BED3-505054503030},{0CCE9235-69AE-11D9-BED3-505054503030},{0CCE923B-69AE-11D9-BED3-505054503030},{0CCE9215-69AE-11D9-BED3-505054503030},{0CCE9243-69AE-11D9-BED3-505054503030},{0CCE921C-69AE-11D9-BED3-505054503030},{0CCE9244-69AE-11D9-BED3-505054503030},{0CCE9224-69AE-11D9-BED3-505054503030},{0CCE921F-69AE-11D9-BED3-505054503030},{0CCE9227-69AE-11D9-BED3-505054503030},{0CCE9245-69AE-11D9-BED3-505054503030},{0CCE9232-69AE-11D9-BED3-505054503030},{0CCE9234-69AE-11D9-BED3-505054503030},{0CCE9228-69AE-11D9-BED3-505054503030},{0CCE9214-69AE-11D9-BED3-505054503030},{0CCE9212-69AE-11D9-BED3-505054503030} /success:enable /failure:enable
auditpol /set /subcategory:{0CCE923A-69AE-11D9-BED3-505054503030},{0CCE9248-69AE-11D9-BED3-505054503030},{0CCE923C-69AE-11D9-BED3-505054503030},{0CCE9216-69AE-11D9-BED3-505054503030},{0CCE921B-69AE-11D9-BED3-505054503030},{0CCE922F-69AE-11D9-BED3-505054503030},{0CCE9230-69AE-11D9-BED3-505054503030},{0CCE9231-69AE-11D9-BED3-505054503030},{0CCE9233-69AE-11D9-BED3-505054503030},{0CCE9210-69AE-11D9-BED3-505054503030},{0CCE9211-69AE-11D9-BED3-505054503030} /success:enable
auditpol /set /subcategory:{0CCE9217-69AE-11D9-BED3-505054503030},{0CCE9226-69AE-11D9-BED3-505054503030} /failure:enable
Verification:
auditpol /get /category:*
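Beyond eyeballing the auditpol /get output, the following PowerShell script (an added example, not part of the Huntress guide) reports any subcategory whose live setting differs from the baseline table: the expected values are taken from the three auditpol /set commands above, and every subcategory not named in them is expected to be No Auditing. It assumes an elevated prompt and the English setting strings that auditpol /r emits.

```powershell
# Added example (not part of the Huntress guide): report drift between the live
# audit policy and the baseline table above. Run from an elevated prompt.
$suffix   = '-69AE-11D9-BED3-505054503030'
$expected = @{}   # subcategory GUID -> expected "Inclusion Setting"

# GUID suffixes copied from the three auditpol /set commands in this guide
$both = '923F','9242','9240','9236','9238','9237','9235','923B','9215','9243',
        '921C','9244','9224','921F','9227','9245','9232','9234','9228','9214','9212'
$successOnly = '923A','9248','923C','9216','921B','922F','9230','9231','9233','9210','9211'
$failureOnly = '9217','9226'
foreach ($s in $both)        { $expected["{0CCE$($s)$($suffix)}"] = 'Success and Failure' }
foreach ($s in $successOnly) { $expected["{0CCE$($s)$($suffix)}"] = 'Success' }
foreach ($s in $failureOnly) { $expected["{0CCE$($s)$($suffix)}"] = 'Failure' }
# Every other subcategory in the table is "No Auditing". Process Creation is the
# one row to revisit if the Huntress EDR is not deployed (the table says Success).

# auditpol /r emits CSV with the columns Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$current = auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv

$drift = foreach ($row in $current) {
    $guid = $row.'Subcategory GUID'
    $want = if ($expected.ContainsKey($guid)) { $expected[$guid] } else { 'No Auditing' }
    if ($row.'Inclusion Setting' -ne $want) {
        [pscustomobject]@{
            Subcategory = $row.Subcategory
            Expected    = $want
            Actual      = $row.'Inclusion Setting'
        }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'Audit policy matches the baseline.' }
```

Run it after the auditpol /set commands (or on a domain member after a gpupdate) to confirm nothing is missing or left over from an earlier policy.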
The following PowerShell command configures the Security Event Log to match the settings defined in the domain-managed section above. It must be run as an administrator. Note: this sets the maximum size to 512MB; adjust the value as needed for the organization, keeping it a multiple of 64KB.
Limit-EventLog -LogName Security -MaximumSize 512000KB -OverflowAction OverwriteAsNeeded
Verification:
Get-EventLog -List
Example Log Messages
Logon Event - Event ID 4624
<?xml version='1.0'?><Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}'/><EventID>4624</EventID><Version>2</Version><Level>0</Level><Task>12544</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2015-11-12T00:24:35.079785200Z'/><EventRecordID>211</EventRecordID><Correlation ActivityID='{00D66690-1CDF-0000-AC66-D600DF1CD101}'/><Execution ProcessID='716' ThreadID='760'/><Channel>Security</Channel><Computer>workstation1</Computer><Security/></System><EventData><Data Name='SubjectUserSid'>S-1-5-18</Data><Data Name='SubjectUserName'>workstation1$</Data><Data Name='SubjectDomainName'>workstation1</Data><Data Name='SubjectLogonId'>0x3e7</Data><Data Name='TargetUserSid'>S-1-5-21-1377283216-344919071-3415362939-500</Data><Data Name='TargetUserName'>user1</Data><Data Name='TargetDomainName'>workstation1</Data><Data Name='TargetLogonId'>0x8dcdc</Data><Data Name='LogonType'>2</Data><Data Name='LogonProcessName'>User32</Data><Data Name='AuthenticationPackageName'>Negotiate</Data><Data Name='WorkstationName'>workstation1</Data><Data Name='LogonGuid'>{00000000-0000-0000-0000-000000000000}</Data><Data Name='TransmittedServices'>-</Data><Data Name='LmPackageName'>-</Data><Data Name='KeyLength'>0</Data><Data Name='ProcessId'>0x44c</Data><Data Name='ProcessName'>C:\\Windows\\System32\\svchost.exe</Data><Data Name='IpAddress'>127.0.0.1</Data><Data Name='IpPort'>0</Data><Data Name='ImpersonationLevel'>%%1833</Data><Data Name='RestrictedAdminMode'>-</Data><Data Name='TargetOutboundUserName'>-</Data><Data Name='TargetOutboundDomainName'>-</Data><Data Name='VirtualAccount'>%%1843</Data><Data Name='TargetLinkedLogonId'>0x0</Data><Data Name='ElevatedToken'>%%1842</Data></EventData></Event>
Member Added to Local Group - Event ID 4732
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-A5BA-3E3B0328C30D}' /><EventID>4732</EventID><Version>0</Version><Level>0</Level><Task>13826</Task><Opcode>0</Opcode><Keywords>0x8020000000000000</Keywords><TimeCreated SystemTime='2015-08-19T03:02:38.563110400Z' /><EventRecordID>174856</EventRecordID><Correlation /><Execution ProcessID='512' ThreadID='1092' /><Channel>Security</Channel><Computer>hostname1</Computer><Security /></System><EventData><Data Name='MemberName'>CN=user1,OU=Users,DC=domain,DC=com</Data><Data Name='MemberSid'>S-1-5-21-3457937927-2839227994-823803824-500</Data><Data Name='TargetUserName'>Group01</Data><Data Name='TargetDomainName'>domainname</Data><Data Name='TargetSid'>S-1-5-21-3457937927-2839227994-823803824-6605</Data><Data Name='SubjectUserSid'>domainname\admin</Data><Data Name='SubjectUserName'>admin</Data><Data Name='SubjectDomainName'>domainname</Data><Data Name='SubjectLogonId'>0x3031e</Data><Data Name='PrivilegeList'>-</Data></EventData></Event>
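Both example events carry their fields as `<Data Name='...'>` elements under `<EventData>`. The following PowerShell function (an added example, not from the Huntress guide) flattens that structure into a single object the way a SIEM parser does, and is exercised on a constructed 4624 record trimmed from the example above; the logon-type lookup table and the live Get-WinEvent usage are the example's own additions.

```powershell
# Added example (not from the Huntress guide): turn the XML of a Security event
# into a flat object, the way a SIEM parser keys on EventData fields.
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $ev  = [xml]$Xml
    $out = [ordered]@{
        EventID  = [int]$ev.Event.System.EventID
        Time     = $ev.Event.System.TimeCreated.SystemTime
        Computer = $ev.Event.System.Computer
    }
    # Each <Data Name='...'>value</Data> becomes a property named after the field
    foreach ($d in $ev.Event.EventData.Data) {
        $out[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$out
}

# Constructed sample: the 4624 example above, trimmed to the fields used here
$sample = @'
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4624</EventID><TimeCreated SystemTime='2015-11-12T00:24:35.079785200Z'/><Channel>Security</Channel><Computer>workstation1</Computer></System><EventData><Data Name='TargetUserName'>user1</Data><Data Name='TargetDomainName'>workstation1</Data><Data Name='LogonType'>2</Data><Data Name='IpAddress'>127.0.0.1</Data></EventData></Event>
'@
# Common LogonType values (assumed lookup table, not from the guide)
$logonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '10' = 'RemoteInteractive' }
$e = ConvertFrom-SecurityEventXml $sample
'{0} logon for {1}\{2} from {3} on {4}' -f $logonTypes[$e.LogonType],
    $e.TargetDomainName, $e.TargetUserName, $e.IpAddress, $e.Computer

# The same parser over the live Security log (elevated prompt required):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 20 |
#     ForEach-Object { ConvertFrom-SecurityEventXml $_.ToXml() } |
#     Select-Object Time, TargetUserName, LogonType, IpAddress
```

The same function applies unchanged to the 4732 example, yielding MemberName, TargetUserName and SubjectUserName as properties for group-change alerting.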