Security Audit Policy Reference
Updated: July 18, 2009
Applies To: Windows 7, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Vista
You can use Windows security and system logs to record and store collected security events so that you can track key system and network activities to monitor potentially harmful behaviors and to mitigate those risks. You customize system log events by configuring auditing. You can enable auditing based on categories of security events such as:
Any changes to user account and resource permissions.
Any failed attempts for user logon.
Any failed attempts for resource access.
Any modification to the system files.
In versions of Windows earlier than Windows Vista, security auditing was enabled through nine basic settings under Security Settings\Local Policies\Audit Policy. For more information, see Audit Policy Settings Under Local Policies\Audit Policy.
Additional basic audit policy settings are also available under Security Settings\Local Policies\Security Options. For more information, see Audit Policy Settings Under Local Policies\Security Options.
In Windows Vista and Windows Server 2008, the number of auditable events was expanded from nine to 53, which enabled an administrator to be more selective in the number and types of events to audit. However, these new audit events were not integrated with Group Policy and could only be deployed by using logon scripts generated with the Auditpol.exe command-line tool.
Starting in Windows Server 2008 R2 and Windows 7, all auditing capabilities are integrated with Group Policy. This allows administrators to configure, deploy, and manage these settings in the Group Policy Management Console (GPMC) or Local Security Policy snap-in for a domain, site, or organizational unit (OU). Windows Server 2008 R2 and Windows 7 and later make it easier for IT professionals to track when precisely defined, significant activities take place on the network. For more information, see Advanced Security Audit Policy Settings.
The nine local audit policy settings under Security Settings\Local Policies\Audit Policy can still be used if client computers do not support advanced audit policy settings. However, where possible it is recommended that you use the more precise auditing capabilities provided by the advanced audit policy settings.
Using both the basic audit policy settings under Security Settings\Local Policies\Audit Policy and the advanced settings under Advanced Audit Policy Configuration can cause unexpected results. Therefore, the two sets of audit policy settings should not be combined. If you use Advanced Audit Policy Configuration settings, you should enable the Audit: Force audit policy subcategory settings (Windows Vista or later) policy setting under Security Settings\Local Policies\Security Options. This setting will override audit policy settings under Security Settings\Local Policies\Audit Policy and prevent conflicts between similar settings by forcing basic security auditing to be ignored.
Whichever audit policy settings you decide to use, obtaining the audit data you want depends on the reliable performance of the Windows Event Log service. For information about events that provide diagnostic data for the Windows Event Log service, see Event Log Performance Monitoring Events.
Whichever audit settings you choose, you also need to be able to understand and evaluate the event data that these settings generate. For more information about audit events that are generated in Windows Server 2008 R2 and Windows 7 and later, see Security Audit Events for Windows 7 and Windows Server 2008 R2 (http://go.microsoft.com/fwlink/?LinkId=157780).