Auditing with advanced audit policy

I'm looking into advanced audit policy and recommendations.
What is the difference between "advanced audit policy configuration" and "auditpol.exe"?
Once advanced audit policy is configured, where can I check the logs? Event Viewer?
Should the advanced audit policy be configured on the Default Domain Policy or a separate policy on specific OUs?

Hi,
The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer using Local Security Policy, you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.

There are a number of additional differences between the security audit policy settings in these two locations. There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy and 53 settings under Advanced Audit Policy Configuration. The settings available in Security Settings\Advanced Audit Policy Configuration address similar issues as the basic nine settings in Local Policies\Audit Policy but allow administrators to be more selective in the number and types of events to audit. For example, where basic audit policy provides a single setting for account logon, advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities you are not interested in. In addition, if you enable success auditing for the basic Audit account logon events setting, only success events will be logged for all account logon–related behaviors. In comparison, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting—or no auditing, depending on the needs of your organization.

The nine basic settings under Security Settings\Local Policies\Audit Policy were introduced in Windows 2000, and therefore are available to all versions of Windows released since then. The advanced audit policy settings were introduced in Windows Vista and Windows Server 2008. The advanced settings can only be used on computers running Windows 7, Windows Vista, Windows Server 2008 R2, or Windows Server 2008.
For more information, please refer to the below link:
Advanced Security Auditing FAQ
http://technet.microsoft.com/en-us/library/ff182311(WS.10).aspx#BKMK_2
Best Regards,
Yan Li
TechNet Community Support

Similar Messages

  • Advanced Audit Policy in Windows 2008R2

    Hi,
    This is in regards to Advanced Audit Policy configurations in Windows 2008R2.
    1. What is the correct way to configure the audit policies if we have to audit a mix of settings from both legacy and advanced policies? For example, I would like to audit account lockouts from the advanced policy along with existing legacy settings.
    2. When I tried last time, the moment I enabled the Account Lockout setting, none of the legacy settings applied to the DC.
    3. Ned has confirmed this behaviour in his article, but his suggestion in such a case is to DISABLE the setting "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"
    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
    4. If we DISABLE the specified security setting, both the settings from legacy and advanced policies will get applied as long as there is no conflict, but in case of a conflict, the legacy policy will take precedence over the advanced policy. Is my understanding correct?
    Thanks in advance for your help!
    Ashok

    Hi Ashok,
    Yes, you understand this policy correctly.
    By default, if you define a value for a policy in one of the top-level categories—either in the computer's Local Security Policy or in an applicable GPO—then that top-level policy will usually override any configurations that you make at the subcategory level with the auditpol command. In other words, setting audit policy by using basic audit policy categories will override the subcategory audit policy settings in Advanced Audit Policy Configuration. Enabling the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting allows audit policy to be managed by using subcategories without requiring a change to Group Policy.
    Regards,
    Lany Zhag
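The two replies above (Yan Li on basic versus advanced settings and the effective policy that Auditpol.exe shows, Lany on the "Force audit policy subcategory settings" precedence rule) can both be checked on a live machine. The script below is an added example, not code from either reply or from Microsoft; it assumes an elevated Windows PowerShell session and English subcategory names, and it reads the LSA registry value SCENoApplyLegacyAuditPolicy, which is where that security option is stored.

```powershell
# Added example: read the effective audit policy the way auditpol reports it,
# and show the state of the legacy-versus-subcategory override switch.

function Get-EffectiveAuditPolicy {
    # auditpol's /r switch prints CSV with this header:
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
    auditpol /get /category:* /r |
        Where-Object { $_ -match '\S' } |      # drop any blank lines before parsing
        ConvertFrom-Csv |
        ForEach-Object {
            [pscustomobject]@{
                Subcategory = $_.Subcategory
                Guid        = $_.'Subcategory GUID'
                Setting     = $_.'Inclusion Setting'   # "Success", "Failure", "Success and Failure", "No Auditing"
            }
        }
}

function Get-SubcategoryOverrideState {
    # "Audit: Force audit policy subcategory settings (Windows Vista or later)
    # to override audit policy category settings" is stored as this LSA value.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $item = Get-ItemProperty -Path $key -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    $v = $item.SCENoApplyLegacyAuditPolicy
    if ($null -eq $v)  { 'Not configured: legacy category settings override subcategories' }
    elseif ($v -eq 1)  { 'Enabled: subcategory (advanced) settings win; legacy category settings are ignored' }
    else               { 'Disabled: legacy category settings override subcategories' }
}

# The single legacy "Audit account logon events" setting corresponds to these
# four Account Logon subcategories; advanced policy lets each be set on its own.
$accountLogonSubcategories = @(
    'Credential Validation',
    'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations',
    'Other Account Logon Events'
)

"Subcategory override: $(Get-SubcategoryOverrideState)"
Get-EffectiveAuditPolicy |
    Where-Object { $accountLogonSubcategories -contains $_.Subcategory } |
    Format-Table Subcategory, Setting -AutoSize
```

If the override reports "Not configured" or "Disabled" while a GPO sets the basic Audit account logon events category, the four subcategories will show whatever that single category dictates rather than the advanced values, which is the symptom Ashok describes.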

  • Domain advanced audit policy not taking effect on DC.

    Hi.
    I'm having a strange problem getting an advanced audit policy to take effect on one of my domain controllers, we'll call it DC1. I have two DCs on this network, and both are in the same OU, however they behave wildly differently with the same policy.
    For example, on DC1 when I run the Group Policy Results wizard from GPMC, I can see the local policy/audit policy settings, but no settings for advanced audit configuration are shown. However, if I log into DC1 itself and look at Local Security Policy, it shows settings in both areas.
    No matter what changes I made to either area in the domain policy, nothing would change in the Local Security Policy on the system when refreshing group policy on the DC. It was as if it were stuck somehow. If I used the auditpol /get /category:* command it showed default audit settings, and that's it.
    I figured I would try to clear them and set them manually, and so I did an auditpol /clear, and now it says No Auditing for all categories. In addition to this, I did a gpupdate /force and it still said No Auditing in all categories after displaying them with auditpol /get /category:*. On DC2, which is in the same OU, when running the Group Policy Results wizard, it shows both advanced audit and basic auditing settings being applied.
    If I look in the Local Security Policy it shows No Auditing for all basic audit settings, and all the advanced audit settings as being set, which should be the case when "Audit: force audit policy subcategory settings" is set (which it is). However, unlike DC1, instead of showing No Auditing, it shows all of the advanced audit configuration settings when I type auditpol /get /category:* at the command prompt, and its gpresult looks good. I even cleared the audit policy off of DC2, and got it to show "No Auditing" before doing a gpupdate, and all its settings came back. Not so with DC1. DC1 seems to apply all other group policy settings without issue.

    Hi,
    Based on your description, we can use the command auditpol /clear to remove all audit settings, find the audit.csv file in the GPOs in which we configured audit settings, delete the audit.csv file, and then configure the audit setting via group policy to see if it works as expected.
    The path for the audit.csv file:
    %systemroot%\Sysvol\sysvol\domainname\Policies\GPOs\Machine\Microsoft\Windows NT\Audit
    In addition, regarding audit policy, the following blog can be referred to for more information.
    Getting the Effective Audit Policy in Windows 7 and 2008 R2
    http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
    TechNet Subscriber Support
    Best regards,
    Frank Shen
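Before deleting anything, it is worth seeing which GPOs actually ship an audit.csv and whether the settings inside them match what auditpol reports on the stuck DC. The script below is an added example, not code from the reply above or from Microsoft; it assumes a domain-joined host with the GroupPolicy RSAT module (for Get-GPO) and read access to SYSVOL, and it keys the comparison on the subcategory GUID so that localized names do not matter.

```powershell
# Added example: enumerate every audit.csv carried by a GPO in SYSVOL and diff
# its subcategory settings against the effective policy on this machine.

function Get-GpoAuditCsv {
    param([string]$Domain = $env:USERDNSDOMAIN)
    $policiesRoot = "\\$Domain\SYSVOL\$Domain\Policies"
    Get-ChildItem -Path $policiesRoot -Directory | ForEach-Object {
        $csv = Join-Path $_.FullName 'Machine\Microsoft\Windows NT\Audit\audit.csv'
        if (-not (Test-Path -LiteralPath $csv)) { return }   # this GPO sets no advanced audit policy
        $guid = $_.Name                                        # folder name is the GPO GUID in braces
        $name = try { (Get-GPO -Guid $guid -ErrorAction Stop).DisplayName } catch { '<unresolved>' }
        # audit.csv uses the same columns as "auditpol /get /r":
        # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value
        Import-Csv -LiteralPath $csv | ForEach-Object {
            [pscustomobject]@{
                Gpo             = $name
                GpoGuid         = $guid
                Subcategory     = $_.Subcategory
                SubcategoryGuid = $_.'Subcategory GUID'
                GpoSetting      = $_.'Inclusion Setting'
                File            = $csv
            }
        }
    }
}

function Compare-GpoAuditWithEffective {
    # Effective policy on this machine, keyed by subcategory GUID.
    $effective = @{}
    auditpol /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv |
        ForEach-Object { $effective[$_.'Subcategory GUID'] = $_.'Inclusion Setting' }

    Get-GpoAuditCsv | ForEach-Object {
        $live = $effective[$_.SubcategoryGuid]
        [pscustomobject]@{
            Gpo         = $_.Gpo
            Subcategory = $_.Subcategory
            GpoSetting  = $_.GpoSetting
            Effective   = $live
            Applied     = ($live -eq $_.GpoSetting)
        }
    }
}

# Show only the rows where what the GPO asks for is not what the DC is running.
Compare-GpoAuditWithEffective | Where-Object { -not $_.Applied } | Format-Table -AutoSize
```

Running this on DC1 and DC2 side by side makes the difference concrete: on DC2 every row should be Applied, while on DC1 the rows that are not tell you which GPO's audit.csv is the one to inspect or recreate.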

  • Not Understanding Audit Policy with SCM 8.1 Baseline

    We want to configure Audit Policy on all standalone Windows 8.1 computers to log Success and Failure for logon attempts.
    The Beta Baseline for Windows 8.1 contains a setting for this, but it is read-only and you cannot change it. Why?
    When that baseline is put into effect on the computer with the LocalGPO tool from the command line, logon attempts are logged. However, what is bizarre is that both SecPol.msc and GPEdit.msc fail to see this setting for Audit Policy. Why?
    Equally bizarre, if you modify the settings for Audit Policy in SecPol.msc and GPEdit.msc, they show as modified, but as soon as you quit and restart those tools, the settings are lost and the items show up as not configured again.
    So, I'm not understanding the behavior at any level here, which looks quite different from other settings in the Baseline. For other settings, we are able to edit them in the Baseline, and further the local SecPol and GPEdit tools are able to change them.
    Will

    Turns out this question is actually fairly complicated to answer. The historical "audit policy" contains fewer options than what Windows Vista or later can express. So, for example, instead of just auditing Logon and Logoff with a single setting, later versions of Windows are able to audit Logon and Logoff through separate settings.
    The SCM baseline for 8.1 and GPEdit both have access to a setting that affects whether Windows uses the historical audit behavior or the newer finer-grained "subcategory" settings. Under Local Policies | Security Options there is a setting "Audit: Force audit policy subcategory settings". When this is enabled, your attempts to use the historical audit settings will not change behavior on the computer, and when you quit GPEdit and restart, your changes to the historical settings will simply have disappeared.
    Will

  • Reboot domain controller changes audit policy on Default Domain Controller Policy

    This has been happening for a long time no matter whether my DCs were running Windows Server 2003 or, as they are now, are running Windows Server 2012 R2. It happens on DCs in one particular site, but the policy change it causes is domain-wide.
    I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Default Domain Controllers Policy - Computer Configuration - Policies - Windows Settings - Security Settings - Local Policies/Audit Policy.
    I have a monitoring application relying on this policy being turned on, and if it's off, it gets reported. The monitoring application knows about the change, but it doesn't know how the change was made.
    All my DCs are running Windows Server 2012 R2, DFL 2008 R2.
    Thanks and regards.

    Hi,
    >>I have 2 DCs at that site, every time one of them is rebooted, the following policy is turned off, from Success and Failure to No auditing:
    Did we try to run the command gpresult /h report.html with admin privileges to collect a group policy result report to check how the policy setting was applied after rebooting? Besides, we can also try to run the command auditpol /get /category:* from an elevated command prompt to check what audit settings are applied.
    Best regards,
    Frank Shen

  • Audit Policy setting in GPO

    Hi,
    I would like to set up the audit settings for our company, which will mainly include the "DS Access" category. Also, we would like to disable success logon/logoff auditing by default and only enable the failure option in order to decrease the size of our security log.
    Should all those settings be set in the "Default Domain Policy" GPO or the "Default Domain Controller Policy"? Or do we need to set up another GPO for the settings, since, as suggested by MS, the "Default Domain Policy" should only contain the Password and Lockout policy?
    Thanks,
    Jerald Leung

    Hi Jerald,
    >>I would like to setup the audit setting for our company which will include mainly the "DS access" category.
    In my view, for auditing DS Access, we can configure this setting in the default domain controller group policy.
    DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers.
    The following article provides a step-by-step guide for configuring DS Access audit settings.
    AD DS Auditing Step-by-Step Guide
    http://technet.microsoft.com/en-us/library/cc731607(v=WS.10).aspx
    Note: Audit events will only be generated on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings.
    >>we would like to disable the success logon / logoff as default and only enable the failure option in order to decrease the size of our security log.
    Audit "logon events" records logons on the PC(s) targeted by the policy, and the results appear in the Security log on those PC(s).
    If you want to audit only logon failures, you can configure the settings in the Default Domain Policy or configure them in another GPO linked to the domain.
    In addition, we can set the maximum size of the Security log via group policy. Regarding this point, the following article can be referred to for more information.
    Maximum security log size
    http://technet.microsoft.com/en-us/library/cc776342(v=ws.10).aspx
    Best regards,
    Frank Shen
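The reply's note about SACLs is the part that most often trips people up: enabling the DS Access subcategories on the domain controllers produces nothing until the directory objects themselves carry an audit entry, and a larger Security log is what keeps the resulting events from rolling off. The script below is an added example, not code from the reply or from Microsoft; it assumes Windows PowerShell on a domain controller with the ActiveDirectory module, a session that holds the rights to change SACLs, and it uses a placeholder OU distinguished name and a constructed log size.

```powershell
# Added example: the three pieces that must line up for DS Access auditing to
# yield events on a DC: subcategory on, SACL on the object, log sized to keep them.

Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl

function Add-OuChangeAuditRule {
    param([Parameter(Mandatory = $true)][string]$OuDistinguishedName)
    # Read the SACL (the -Audit switch is what brings it back), add an entry that
    # audits successful creates, deletes and property writes by anyone, inherited
    # by everything beneath the OU, then write it back.
    $path = "AD:\$OuDistinguishedName"
    $acl  = Get-Acl -Path $path -Audit
    $everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
    $rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, Delete, WriteProperty, WriteDacl'
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
        $everyone,
        $rights,
        [System.Security.AccessControl.AuditFlags]::Success,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

# 1. The subcategory has to be enabled on the DC (this is what the advanced
#    audit policy in the Default Domain Controllers Policy would do for you).
auditpol /set /subcategory:"Directory Service Changes" /success:enable

# 2. The object needs a matching SACL, otherwise no event is written.
Add-OuChangeAuditRule -OuDistinguishedName 'OU=Servers,DC=example,DC=com'   # placeholder DN

# 3. Size the Security log so the extra events survive. 512 MB is a constructed
#    value; wevtutil takes bytes and the GPO equivalent is "Maximum security log size".
wevtutil sl Security /ms:536870912

# 4. Verify that events arrive: 5136 = object modified, 5137 = created, 5141 = deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Auditing Everyone with inheritance on a busy OU can be noisy; the rights list in Add-OuChangeAuditRule is the place to narrow it to the operations you actually need a trail for.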

  • Audit Policy and Event Viewer

    Hi everyone,
    I'm a junior IT auditor seeking answers about audit policy and Event Viewer.
    First of all, I would like to know what the difference is between the logs we obtain from audit policy and from Event Viewer.
    I would like to know whether Event Viewer can show these logs:
    Audit account logon events
    Audit account management
    Audit directory service access
    Audit logon events
    Audit object access
    Audit policy change
    Audit privilege use
    Audit process tracking
    Audit system events
    Thanks in advance :)

    Hi sally_scrubb,
    As you said, if you configure audit policy, it can provide broad security audit capabilities for client computers and servers. And if you configure this policy, you will find the related events in Event Viewer.
    For your information, please refer to the following article:
    Audit Policy Settings Under Local Policies\Audit Policy
    In this article, you can find several links which deliver more detailed information about the items listed in your post. From the links, you can learn how to configure the item, what you can get from the item, and the related events about the item.
    Hope that helps!
    Regards,
    Lany Zhang
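The relationship the reply describes can be seen directly in the Security log: each event Windows writes there is tagged with the subcategory that produced it (the "Task Category" column in Event Viewer), so grouping by that tag shows which of the nine policies in the question are generating events. The script below is an added example, not code from the reply or from Microsoft; it assumes an elevated Windows PowerShell session (reading the Security log needs it), uses well-known Security event IDs as one representative per legacy category, and the 24-hour window is a constructed choice.

```powershell
# Added example: map the nine legacy audit policy settings to what actually
# lands in the Security log, and summarise recent events by subcategory.

function Get-SecurityEventsByCategory {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Group-Object TaskDisplayName |          # TaskDisplayName is the subcategory shown in Event Viewer
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Subcategory'; e = { $_.Name } }, Count
}

# One representative event ID per legacy category from the question.
$representativeEvents = [ordered]@{
    'Audit account logon events'     = 4776   # credential validation (NTLM)
    'Audit account management'       = 4720   # a user account was created
    'Audit directory service access' = 4662   # an operation was performed on an AD object
    'Audit logon events'             = 4624   # successful logon (4625 is the failure)
    'Audit object access'            = 4663   # an attempt was made to access an object
    'Audit policy change'            = 4719   # system audit policy was changed
    'Audit privilege use'            = 4673   # a privileged service was called
    'Audit process tracking'         = 4688   # a new process has been created
    'Audit system events'            = 4608   # Windows is starting up
}

function Test-CategoryHasEvents {
    # For each legacy category, report whether its representative event exists
    # in the local Security log at all; a missing one usually means that policy
    # (or its advanced subcategory) is not enabled on this machine.
    foreach ($entry in $representativeEvents.GetEnumerator()) {
        $hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $entry.Value } -MaxEvents 1 -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Policy    = $entry.Key
            SampleId  = $entry.Value
            SeenInLog = ($null -ne $hit)
        }
    }
}

Get-SecurityEventsByCategory -Hours 24 | Format-Table -AutoSize
Test-CategoryHasEvents | Format-Table -AutoSize
```

So the answer to the question is that there is no separate "audit policy log": the policy decides what gets written, and Event Viewer's Security log is where it ends up.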

  • Default Audit policy in 11g

    Hi all,
    11.2.0.3.11
    aix6
    Which v$ view can I select from to get all the information about our database audit policy settings? One that shows the types of actions, events, and captured information?
    Thanks,
    mk

    Thanks all,
    Another question for a PCI DSS audit: can I expire and lock all the DB users that I do not know of?
    For example, instead of changing the password or removing them, I will expire and lock the following:
    1.1 Change the Oracle default account passwords
    1.1.1 Change the default password for 'APEX_040000' (Scored)
    1.1.2 Change the default password for 'APPQOSSYS' (Scored)
    1.1.3 Change the default password for 'CTXSYS' (Scored)
    1.1.4 Change the default password for 'DBSNMP' (Scored)
    1.1.5 Change the default password for 'DIP' (Scored)
    1.1.6 Change the default password for 'EXFSYS' (Scored)
    1.1.7 Change the default password for 'MDDATA' (Scored)
    1.1.8 Change the default password for 'MDSYS' (Scored)
    1.1.9 Change the default password for 'LBACSYS' (Scored)
    1.1.10 Change the default password for 'OLAPSYS' (Scored)
    1.1.11 Change the default password for 'ORACLE_OCM' (Scored)
    1.1.12 Change the default password for 'ORDDATA' (Scored)
    1.1.13 Change the default password for 'ORDPLUGINS' (Scored)
    1.1.14 Change the default password for 'ORDSYS' (Scored)
    1.1.15 Change the default password for 'OUTLN' (Scored)
    1.1.16 Change the default password for 'OWBSYS_AUDIT' (Scored)
    1.1.17 Change the default password for 'OWBSYS' (Scored)
    1.1.18 Change the default password for 'SI_INFORMTN_SCHEMA' (Scored)
    1.1.19 Change the default password for 'SPATIAL_CSW_ADMIN_USR' (Scored)
    1.1.20 Change the default password for 'SPATIAL_WFS_ADMIN_USR' (Scored)
    1.1.21 Change the default password for 'SYS' (Scored)
    1.1.22 Change the default password for 'SYSTEM' (Scored)
    1.1.23 Change the default password for 'WK_TEST' (Scored)
    1.1.24 Change the default password for 'WKPROXY' (Scored)
    1.1.25 Change the default password for 'WKSYS' (Scored)
    1.1.26 Change the default password for 'WMSYS' (Scored)
    1.1.27 Change the default password for 'XDB' (Scored)
    1.2 Remove Oracle Sample Users
    1.2.1 Remove the sample user 'BI' (Scored)
    1.2.2 Remove the sample user 'HR' (Scored)
    1.2.3 Remove the sample user 'IX' (Scored)
    1.2.4 Remove the sample user 'OE' (Scored)
    1.2.5 Remove the sample user 'PM' (Scored)
    1.2.6 Remove the sample user 'SCOTT' (Scored)
    1.2.7 Remove the sample user 'SH' (Scored)
    1.3 Ensure the latest version/patches for Oracle software is installed (Not Scored)
    Regards,

  • How can I collect the oracle database audit policy?

    hi, buddies
    When I take over a new database, which tables or views record all of the database's audit policies (excluding fpa)? I mean the normal audit records, for example:
    audit select on ysj.test by access;
    Thanks.

    If you are asking about which views to query for the audit options which are set in the database:
    DBA_OBJ_AUDIT_OPTS
    DBA_PRIV_AUDIT_OPTS
    DBA_STMT_AUDIT_OPTS
    For the audit records created:
    DBA_AUDIT_TRAIL

  • AGPM 4.0 SP2 Editors cannot open "Windows Firewall with Advanced Security" area of a GPO

    When attempting to Edit a checked-out GPO in AGPM, & navigating to "Computer Configuration\Policies\Windows Settings\Security Settings\Windows Firewall with Advanced Security\Windows Firewall with Advanced Security - LDAP://CN...." Editors
    get:
    "There was an error opening the Windows Firewall with Advanced Security snap-in
    An error occurred while trying to open the policy.
    Error: The system cannot find the path specified
    Code 0x3"
    This happens with GPOs that existed prior to AGPM install where the GPO was "controlled", and with new Controlled GPOs created within AGPM.  A workaround is to grant the user Full Control within AGPM (and have them re-launch Group Policy Management
    MMC via Shift right-click "Run as different user"), but this circumvents the Change Control we are attempting to use AGPM for.  Any ideas of how to fix this, or how to file a bug report?
    Also, changes made to Incoming Firewall rules do not show up in the AGPM Settings or Differences reports.  I'd imagine this is related to the known issue described on the Release Notes page here:
    http://technet.microsoft.com/en-us/library/dn458958.aspx

    Hi Fabian - Thanks for the response.  I checked & the AGPM Server is on a subnet that was not mapping to any AD Site.  Based on its subnet/location, it actually should be in the same Site as the PDCe.  I added a new Subnet definition to
    AD & waited until "nltest /dsgetsite" was reporting the correct Site on the AGPM Server.  Now, with just Editor role, I can access the Advanced Firewall area of a checked out GPO from my AGPM Client, which is correctly in a different AD Site. 
    I think this might have solved it.
    Should this requirement be added to AGPM documentation?  "AGPM Server must be installed on a server that is in the same AD Site as the DC holding the PDCe role."
    Thanks for the tip!

  • Unable to install SQL Server Express 2012 with advanced services

    Unable to get the file (SQLEXPRADV_x64_ENU) to execute (to start the installation process). I'm on Windows 7 64-bit and did move the file from the download area to its own folder on the C drive. I did find a post about converting the file to a zip (I'm using WinRAR), but I only get an AUTORUN text file and it will not unzip.
    [autorun]
    OPEN=SETUP.EXE
    ICON=SETUP.EXE,0
    Help  Thanks Brian

    Hello,
    Can you use the below site to download SQL Express with Advanced Services? The 1-3 G file is the one you need to download; this would be a direct executable file.
    http://www.microsoft.com/en-gb/download/details.aspx?id=29062

  • Error when creating a travel request with Advance amount

    Hi Gurus,
    When I create a travel request with an Advance amount and try to save it, the system throws up an error msg: "Trip country does not exist in the system (T005)."
    However, it allows me to create the travel request without this error if I don't enter any advance amount in the travel request.
    I checked the tables V_T706L and V_T706O and found my trip country to be existing.
    Regards
    Prakash

    Hello Prakash,
    The following are the prerequisites for transferring trip costs to accounting. In other words, when you try to create and save a travel request with an advance you are involving accounting entries, and therefore the following need to be checked:
    1. Travel Management and Accounting are both at Release 4.5A. If at least one of the systems has a release level lower than 4.5A, follow the instructions in Customizing for ALE.
    2. For payment to be effected, vendor accounts must exist in Accounting for the respective personnel numbers.
    3. The following Accounting tables must be replicated in the Travel Management System using Customizing transports:
      Company Codes (T001)
      Countries (T005)
      Input Tax Codes (T007A, T007S)
      Document Types (T003)
    4. The transfer of settlement results
    More relevant in your case would be point 3: Countries (T005) not defined in TM.
    Hope the above provided you more information.
    Rgds
    CONMJI

  • Unable to start SSIS Projects : SQL Server 2008R2 Dev edition installed on top on SQL Express 2008 with Advanced Services

    Hello,
    I first installed SQL Server Express Edition 2008 with Advanced Services (as a part of some client's software).
    Now I have installed SQL Server Developer Edition 2008, by selecting ALL features and client tools.
    Now, with BIDS, I can start SSRS and SSAS Projects, but I can't start SSIS Projects.
    I am getting below error message :
    To design Integration Services packages in Business Intelligence Development Studio, Integration Services has to be installed by one of these editions of SQL Server 2008: Standard, Enterprise, Developer, or Evaluation. To install Integration
    Services, run SQL Server Setup and select Integration Services.
    Please let me know how do I resolve this issue "Without un-installing Express Edition installed earlier on my machine"
    Please help !
    Thanks
    DP

    This is a common pitfall with the SQL Express editions. They cannot co-exist. You need to un-install the "Express".
    What works is having a VM with Express Tools if you (strangely) need them.
    Arthur My Blog

  • I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill f

    I have a Win7Pro SP1 PC locked down with a Group Policy as it is a public facing PC. PDF fillable forms cannot be completed when logged on as the restricted user. The forms work as a normal user. What are the user requirements/permissions needed to fill forms?

    Well, try this (I was able to fix my with these steps):
    Go Utilities > Disk Utility
    Select your Startup Disk, e.g. Macintosh HD
    Then, under the First Aid Tab, click Verify Disk Permissions.
    If there are errors, then click repair Disk Permissions.
    After it is done, restart the computer and see if your problem is resolved.
    I hope this help.
    Zeke
    www.ZekeYuen.com/blog/

  • Is it a bug if a training 'nX' specifier is ignored with advance='NO'?

    I found that Sun Fortran does not count blanks from an 'nX' specifier when writing with advance='NO'. For example, this code:
    write(*,'(A,4X)',advance='NO') '1'
    write(*,'(A)') '2'
    write(*,'(A,4(" "))',advance='NO') '1'
    write(*,'(A)') '2'
    end
    results in:
    12
    1 2
    I recall some discussion that the standards were a bit vague on trailing 'nX' with non-advancing I/O.

    The language in the standard was vague, but the standard
    committee recently issued an interpretation that makes it clear.
    Unfortunately, it makes it clear that what Sun f95 is doing is
    wrong. CR 6580748 has been filed against the bug.
    Bob Corbett
