Audit Policy Subcategories
Windows Server 2008 R2 allows more granularity in the setting of the audit policies. In previous versions of the Windows Server platform, the audit policies could only be set on the general categories. This usually resulted in a large number of security events, many of which were not of interest to the administrator. System management software was usually needed to parse all the security events to find and report on the relevant entries. Windows Server 2008 R2 exposes additional subcategories under each of the general categories, each of which can be set to No Auditing, Success, Failure, or Success and Failure. These subcategories allow administrators to fine-tune the audited events.
Unfortunately, the audit categories do not quite match the audit policies. Table 3 shows how the categories match the policies.
Table 3. Matching Audit Policies to Audit Categories

| Audit Policy | Audit Category |
|---|---|
| Audit account logon events | Account Logon |
| Audit account management | Account Management |
| Audit directory service access | DS Access |
| Audit logon events | Logon/Logoff |
| Audit object access | Object Access |
| Audit policy change | Policy Change |
| Audit privilege use | Privilege Use |
| Audit process tracking | Detailed Tracking |
| Audit system events | System |
There are over 50 different subcategories that can be individually set. These give the administrator and security professionals unprecedented control over the events that will generate security log entries. Table 4 lists the categories and the subcategories of audit policies.
Table 4. Audit Subcategories

| Audit Category | Audit Subcategory |
|---|---|
| System | Security State Change |
| | Security System Extension |
| | System Integrity |
| | IPSec Driver |
| | Other System Events |
| Logon/Logoff | Logon |
| | Logoff |
| | Account Lockout |
| | IPSec Main Mode |
| | IPSec Quick Mode |
| | IPSec Extended Mode |
| | Special Logon |
| | Network Policy Server |
| | Other Logon/Logoff Events |
| Object Access | File System |
| | Registry |
| | Kernel Object |
| | SAM |
| | Certification Services |
| | Application Generated |
| | Handle Manipulation |
| | File Share |
| | Filtering Platform Packet Drop |
| | Detailed File Share |
| | Filtering Platform Connection |
| | Other Object Access Events |
| Privilege Use | Sensitive Privilege Use |
| | Non-Sensitive Privilege Use |
| | Other Privilege Use Events |
| Detailed Tracking | Process Creation |
| | Process Termination |
| | DPAPI Activity |
| | RPC Events |
| Policy Change | Audit Policy Change |
| | Authentication Policy Change |
| | Authorization Policy Change |
| | MPSSVC Rule-Level Policy Change |
| | Filtering Platform Policy Change |
| | Other Policy Change Events |
| Account Management | User Account Management |
| | Computer Account Management |
| | Security Group Management |
| | Distribution Group Management |
| | Application Group Management |
| | Other Account Management Events |
| DS Access | Directory Service Access |
| | Directory Service Changes |
| | Directory Service Replication |
| | Detailed Directory Service Replication |
| Account Logon | Kerberos Service Ticket Operations |
| | Credential Validation |
| | Kerberos Authentication Service |
| | Other Account Logon Events |
You can use the AUDITPOL command to get and set the audit categories and subcategories. To retrieve a list of all the settings for the audit categories and subcategories, use the following command:

    auditpol /get /category:*
To enable auditing of the Distribution Group Management subcategory of the Account Management category for both success and failure events, the following command can be used:

    auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
This command would need to be run on each domain controller for the policy to have a uniform effect.
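Because the setting has to be applied host by host, a practitioner usually wants a way to confirm that every domain controller actually matches the intended configuration. The following PowerShell is an added example, not code from the original text: it parses the CSV report that `auditpol /get /category:* /r` produces, compares selected subcategories against an assumed baseline, and emits the exact `auditpol /set` commands a host still needs. The baseline values, the host name DC01 and the sample report are constructed for illustration.

```powershell
# Assumed baseline (illustrative): subcategory name -> required setting
$Baseline = [ordered]@{
    'Distribution Group Management' = 'Success and Failure'
    'Process Creation'              = 'Success'
    'Credential Validation'         = 'Success and Failure'
}

function Get-AuditDrift {
    # $ReportLines is the CSV text emitted by: auditpol /get /category:* /r
    param(
        [Parameter(Mandatory)] [string[]] $ReportLines,
        [Parameter(Mandatory)] [System.Collections.IDictionary] $Baseline
    )
    # auditpol /r may emit a leading blank line; drop empty lines before parsing the CSV
    $rows = $ReportLines | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    foreach ($name in $Baseline.Keys) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $current = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Current     = $current
            Compliant   = ($current -eq $Baseline[$name])
        }
    }
}

function New-AuditpolFix {
    # Builds one auditpol /set command per non-compliant subcategory
    param([Parameter(Mandatory)] [object[]] $Drift)
    foreach ($d in $Drift | Where-Object { -not $_.Compliant }) {
        $success = if ($d.Expected -match 'Success') { 'enable' } else { 'disable' }
        $failure = if ($d.Expected -match 'Failure') { 'enable' } else { 'disable' }
        "auditpol /set /subcategory:`"$($d.Subcategory)`" /success:$success /failure:$failure"
    }
}

# Constructed sample report (DC01 and the GUID placeholders are not from a real host).
# On a live system use:  $report = auditpol /get /category:* /r
# To collect from every DC: Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName -ScriptBlock { auditpol /get /category:* /r }
$report = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Distribution Group Management,{GUID-PLACEHOLDER},No Auditing,
DC01,System,Process Creation,{GUID-PLACEHOLDER},Success,
DC01,System,Credential Validation,{GUID-PLACEHOLDER},Success,
'@ -split "`r?`n"

$drift = Get-AuditDrift -ReportLines $report -Baseline $Baseline
$drift | Format-Table -AutoSize
New-AuditpolFix -Drift $drift   # the two /set commands DC01 still needs
```

With the sample report, only Process Creation is compliant; the fix list contains the Distribution Group Management command shown above plus the matching one for Credential Validation.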
To get all the options for the Audit Policy command, use the following command: