1.3.2 Audit Configuration Extension Overview

Advanced audit policies contain settings that enable the underlying audit subsystem to determine which activities to monitor and log in the security event log. Advanced audit policies contain three main types of settings:

  • Audit subcategory settings

  • Audit options

  • Global object access policy

The following major steps are involved in advanced audit policy configuration:

  1. Advanced audit policy authoring

  2. Advanced audit policy assignment

  3. Advanced audit policy distribution

Advanced audit policy authoring is enabled through an administrative tool for the Group Policy: Core Protocol specified in [MS-GPOL] with an administrative-side plug-in for behavior specific to this protocol. The plug-in allows an administrator to author advanced audit policies within an implementation-specific tool providing a graphical user interface. The plug-in then saves the advanced audit policies into files with a format specified in this document, and stores them on a file share that is accessible by file access protocol sequences as described in [MS-FASOD].

Advanced audit policy assignment is performed by the Group Policy: Core Protocol administrative tool, which constructs GPOs, as specified in [MS-GPOL] section 2.2.8.1. Each GPO contains a reference to the network path, in Universal Naming Convention (UNC) form, from which the advanced audit policy files generated by the protocol administrative plug-in are to be fetched using file access protocol sequences.

Advanced audit policy distribution involves a corresponding protocol-specific Group Policy plug-in on the client machine, which is invoked to process any GPO that refers to advanced audit policy settings. The advanced audit policy protocol client-side plug-in locates the advanced audit policy as specified in section 3.1.4, transfers the advanced audit policy files by using file access protocol sequences, and then uses the advanced audit policy files to configure the client's advanced audit policy, audit options, and global object access auditing settings.
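The three steps above end with the client-side plug-in applying whatever the fetched files contain, so a defender's first check is usually whether the distributed file actually carries the subcategory settings a baseline requires. The following is an added example, not code from the specification or from any Microsoft implementation. It assumes a comma-separated layout for the advanced audit policy file (header columns Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting, Setting Value, with Setting Value encoding success as bit 0 and failure as bit 1); that layout and the numeric encoding are assumptions of this example, and the subcategory names and GUIDs in the sample are constructed placeholders, not real identifiers.

```python
import csv
import io

# Constructed sample of an advanced audit policy file in the assumed layout.
# The GUIDs and names are placeholders invented for this example.
SAMPLE_AUDIT_FILE = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
,System,Audit Logon,{00000000-0000-0000-0000-000000000001},Success and Failure,,3
,System,Audit Process Creation,{00000000-0000-0000-0000-000000000002},Success,,1
,System,Audit File System,{00000000-0000-0000-0000-000000000003},No Auditing,,0
"""

# Assumed encoding of the Setting Value column: bit 0 = success, bit 1 = failure.
SUCCESS = 1
FAILURE = 2
SETTING_NAMES = {0: "No Auditing", 1: "Success", 2: "Failure", 3: "Success and Failure"}

# Constructed baseline: the minimum auditing a defender wants on each subcategory.
# The fourth GUID is deliberately absent from the sample file to show a gap.
REQUIRED_BASELINE = {
    "{00000000-0000-0000-0000-000000000001}": SUCCESS | FAILURE,  # logon events
    "{00000000-0000-0000-0000-000000000002}": SUCCESS | FAILURE,  # process creation
    "{00000000-0000-0000-0000-000000000004}": SUCCESS,            # not configured at all
}


def parse_audit_policy(text):
    """Parse the assumed file layout into {subcategory_guid: (name, setting_value)}.

    Rows without a subcategory GUID (for example audit option rows) are skipped,
    and a Setting Value outside 0..3 is rejected rather than silently accepted.
    """
    policy = {}
    for row in csv.DictReader(io.StringIO(text)):
        guid = (row.get("Subcategory GUID") or "").strip().upper()
        if not guid:
            continue
        value = int(row["Setting Value"])
        if value not in SETTING_NAMES:
            raise ValueError(f"unexpected Setting Value {value} for {guid}")
        policy[guid] = (row["Subcategory"].strip(), value)
    return policy


def audit_gaps(policy, required):
    """Return [(guid, name, have, need)] for every required subcategory whose
    configured bits do not cover the required bits. A subcategory missing from
    the file counts as 0 (no auditing)."""
    gaps = []
    for guid, need in required.items():
        name, have = policy.get(guid, ("<not configured>", 0))
        if have & need != need:
            gaps.append((guid, name, have, need))
    return gaps


def describe_gaps(gaps):
    """Human-readable lines for a report or ticket."""
    return [
        f"{guid} {name}: have '{SETTING_NAMES[have]}', need '{SETTING_NAMES[need]}'"
        for guid, name, have, need in gaps
    ]


if __name__ == "__main__":
    parsed = parse_audit_policy(SAMPLE_AUDIT_FILE)
    for line in describe_gaps(audit_gaps(parsed, REQUIRED_BASELINE)):
        print(line)
```

Running the block against the constructed sample reports two gaps: process creation is configured for success only when the baseline wants success and failure, and the fourth subcategory is not in the file at all. The bitwise comparison is what makes "Success" insufficient for a "Success and Failure" requirement while still accepting a file that audits more than the baseline asks for.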