Determine the differences and usage scenarios for using local audit policies and advanced auditing policies

We can enable auditing of various items in Windows Server 2016 by configuring both local audit policies and advanced audit policies with group policy. We will determine the differences and usage scenarios for using local audit policies and advanced auditing policies in this post.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Local Audit Policies and Advanced Auditing Policies

Let’s begin by discussing the differences between local audit policies and advanced auditing policies. Despite the names, both can be applied through group policy.

Local Audit Policies

Local audit policies are the simpler of the two, so fewer options are available.

These more basic settings can be found in group policy under Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy. As we can see here, there are 9 different policies that we can enable.

(Screenshot: Local Audit Policies)

We can either double click the policy, or right click it and select Properties, to open it. From here we can tick the check box to enable the local audit policy, and then optionally choose whether to audit success events, failure events, or both.

(Screenshot: Audit Directory Service Access Properties)

We can view the Explain tab for a detailed explanation on what the policy actually audits. I suggest doing this for all policies to get a good understanding of what’s available for auditing.

Advanced Auditing Policies

Advanced auditing policies are, as per the name, more advanced. They allow you to define a much more granular level of auditing than local audit policies do.

These more advanced settings can be found in group policy under Computer Configuration > Policies > Windows Settings > Advanced Audit Policy Configuration > Audit Policies.

Under here there are 10 sections which closely align to the basic local audit policies. We can click any of these to view the more granular settings available for each; in total there are over 60 different advanced audit policies. For example, the local audit policy section had a single Audit Directory Service Access option, whereas under DS Access in the advanced settings there are 4 different policies, which give us many more options.

(Screenshot: Advanced Audit Policy Configuration)

As you can see there are quite a lot of settings. I suggest that you carefully enable them one at a time and then check the number of entries being logged once the GPO has been applied. It is very easy to overload systems with more logs than you will ever be able to analyze or get any use from. Auditing requires CPU resources to process the logs and disk resources to store them; too much logging can grind a system to a halt.

By default, Windows Server 2016 already has many of the advanced policies enabled. To view the settings that are actually in effect we can use auditpol.exe.
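To confirm what a host actually enforces once the GPO has applied, here is an added PowerShell example (not from the original post) that parses the CSV output of auditpol.exe, summarises how many subcategories are switched on, and compares a handful of them against a baseline. The baseline hashtable is constructed for illustration; replace its subcategory names and values with your own standard.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on the server after 'gpupdate /force' so the GPO has been applied.

# Constructed baseline: the subcategory settings we expect the GPO to enforce.
# Names must match the English subcategory names auditpol prints.
$Baseline = @{
    'Directory Service Access' = 'Success and Failure'
    'Logon'                    = 'Success and Failure'
    'Process Creation'         = 'Success'
}

# '/r' makes auditpol emit CSV with the columns: Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

# Count subcategories per setting. A long list of 'Success and Failure'
# entries is the first warning sign of the log-volume problem described above.
$effective |
    Group-Object 'Inclusion Setting' |
    Select-Object Name, Count |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# Compare the baseline with what the system enforces. Because subcategory
# (advanced) settings take precedence over the basic category settings, this
# is also the place to spot a host where the policy did not land as expected.
$drift = foreach ($name in $Baseline.Keys) {
    $row    = $effective | Where-Object Subcategory -eq $name
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND' }
    if ($actual -ne $Baseline[$name]) {
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Baseline[$name]
            Actual      = $actual
        }
    }
}

if ($drift) {
    $drift | Format-Table -AutoSize
} else {
    'Effective audit policy matches the baseline.'
}
```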

Policy Conflicts

If you apply both local and advanced settings, however, the local audit settings will be discarded, as the advanced auditing policies take precedence.

Local policies were introduced in Windows Server 2000 and Windows XP, while advanced auditing policies were added with Windows Server 2008 and Windows 7. If you use group policy to apply advanced auditing policies to a version of Windows prior to Server 2008 / 7, it will not work. These older operating systems are only capable of the basic local policies.

We could assign a policy that includes both local and advanced policies. This way, if it is applied to a Server 2008 / 7 system, the advanced policies take precedence over the local policies, while any older systems that the policy applies to will use the local policy settings, as the advanced auditing policies will not apply to them.

Summary

We have shown you how to determine the differences and usage scenarios for using local audit policies and advanced auditing policies through group policy. Local audit policies are simpler and more basic, while the advanced settings are much more granular and allow us to audit very specific items.
