Starting with Windows 7 and Windows Server 2008 R2 you can configure the audit subcategories through Group Policy; look under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration. On earlier versions (Vista/Windows Server 2008) the subcategories can only be set with auditpol.exe.

Whether you apply advanced audit policy by using Group Policy or by using logon scripts, do not use both the basic audit policy settings under Local Policies\Audit Policy and the advanced settings under Security Settings\Advanced Audit Policy Configuration. Using both advanced and basic audit policy settings can cause unexpected results.

To see the full syntax for this command, run "auditpol /?" at the command line.

To get a listing of all categories and their subcategories, run:

auditpol /list /subcategory:*

To display the current audit policy for all subcategories run:

auditpol /get /category:*

Here is an example of enabling the File System subcategory for both success and failure (straight quotes are required around names that contain spaces):

auditpol /set /subcategory:"File System" /success:enable /failure:enable

Best Practices:

  • Do not use Local Security Policy (secpol.msc) to set audit policy
  • Do not use auditpol /set (except for one-off testing); anything it sets is overwritten at the next policy refresh and is invisible to your GPO reviewers
  • Use Group Policy Objects in AD to configure audit policy
  • Always enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" and, for Win2008R2+ systems, ignore the 9 legacy audit categories.
  • Configure all of the advanced audit policy subcategories, even if it is just to explicitly disable them
  • Do not use Local Security Policy, the Group Policy Results Wizard, RSoP or gpresult to verify what your true audit policy is; they report the policy as defined, not the policy the LSA is actually enforcing
  • Use only "auditpol /get /category:*" to verify what your true audit policy is on a given system
  • Monitor for event ID 4719 (System audit policy was changed) where the subject is not the system itself (SYSTEM or the computer account). This indicates someone is temporarily overriding your official audit policy defined in AD GPOs.
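The 4719 check from the last bullet, as an added PowerShell example that is not part of the original post. It reads the Security log with Get-WinEvent, parses each 4719 event's XML data fields (SubjectUserSid, SubjectUserName, SubjectDomainName, SubcategoryGuid, AuditPolicyChanges, as the event carries them), and keeps only the changes whose subject is neither SYSTEM nor a computer account, i.e. changes that did not come from the GPO refresh. The function name, the 7-day default window and the idea of treating any account ending in "$" as the machine itself are my assumptions; run it elevated on the host being checked.

```powershell
# Added example (not from the original post): list "System audit policy was changed" (4719)
# events whose subject is not the local system. A GPO-driven refresh runs as the machine,
# so the subject shows as SYSTEM (S-1-5-18) or the computer account (HOSTNAME$).
# Anything else is somebody overriding the official audit policy by hand.
function Get-ManualAuditPolicyChange {
    param(
        [int]$Days = 7                      # assumed default look-back window
    )

    $since  = (Get-Date).AddDays(-$Days)
    $filter = @{ LogName = 'Security'; Id = 4719; StartTime = $since }
    # SilentlyContinue: Get-WinEvent throws when no event matches, which is a normal outcome here.
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # The EventData fields are only reliably reachable through the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $user     = $data['SubjectUserName']
        $isSystem = ($data['SubjectUserSid'] -eq 'S-1-5-18') -or
                    ($user -eq 'SYSTEM') -or
                    ($user -like '*$')               # assumption: computer accounts end in "$"
        if ($isSystem) { continue }

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Computer    = $e.MachineName
            Subject     = "$($data['SubjectDomainName'])\$user"
            # Map the GUID to a name with: auditpol /list /subcategory:* /v
            Subcategory = $data['SubcategoryGuid']
            # Raw field holds message resource IDs; the rendered text is in $e.Message
            Changes     = $data['AuditPolicyChanges']
        }
    }
}

# Usage: every manual override in the last 30 days, oldest first.
Get-ManualAuditPolicyChange -Days 30 | Sort-Object Time | Format-Table -AutoSize
```

On a domain controller the same query can be run against collected logs with Get-WinEvent -ComputerName, but the filtering logic is identical; the key point is that the subject of a legitimate, GPO-applied change is always the machine itself.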

More information:

AuditPol Help: http://technet.microsoft.com/en-us/library/cc731451%28v=ws.10%29.aspx

Planning and Deploying Advanced Security Audit Policy: http://technet.microsoft.com/en-us/library/ee513968%28v=ws.10%29.aspx

Details about advanced security audit settings: http://technet.microsoft.com/fr-fr/library/dd772712(v=ws.10).aspx

AD DS Auditing Step-by-Step Guide : http://technet.microsoft.com/en-us/library/cc731607%28v=ws.10%29.aspx

Advanced Security Auditing FAQ : http://technet.microsoft.com/en-us/library/ff182311%28v=ws.10%29.aspx

TIP:  You cannot deploy advanced security audit policy settings to Windows Server 2008 R2 Server Core: http://support.microsoft.com/kb/2477932

Recommended Settings for Windows Domains

Here is my selection of security audit settings after tests and validation:

Category/Subcategory                         Setting
System
  Security System Extension                  Success and Failure
  System Integrity                           Success and Failure
  IPsec Driver                               No Auditing
  Other System Events                        Success and Failure
  Security State Change                      Success and Failure

Logon/Logoff
  Logon                                      Success and Failure
  Logoff                                     Success and Failure
  Account Lockout                            Success and Failure
  IPsec Main Mode                            No Auditing
  IPsec Quick Mode                           No Auditing
  IPsec Extended Mode                        No Auditing
  Special Logon                              Success and Failure
  Other Logon/Logoff Events                  Success and Failure
  Network Policy Server                      Success and Failure

Object Access
  File System                                Success and Failure
  Registry                                   Success and Failure
  Kernel Object                              Success and Failure
  SAM                                        No Auditing
  Certification Services                     Success and Failure
  Application Generated                      Success and Failure
  Handle Manipulation                        No Auditing
  File Share                                 Success and Failure
  Filtering Platform Packet Drop             No Auditing
  Filtering Platform Connection              No Auditing
  Other Object Access Events                 No Auditing
  Detailed File Share                        No Auditing

Privilege Use
  Sensitive Privilege Use                    No Auditing
  Non Sensitive Privilege Use                No Auditing
  Other Privilege Use Events                 No Auditing

Detailed Tracking
  Process Termination                        Success and Failure
  DPAPI Activity                             Success and Failure
  RPC Events                                 Failure
  Process Creation                           Success and Failure

Policy Change
  Audit Policy Change                        Success and Failure
  Authentication Policy Change               Success and Failure
  Authorization Policy Change                Success and Failure
  MPSSVC Rule-Level Policy Change            No Auditing
  Filtering Platform Policy Change           No Auditing
  Other Policy Change Events                 No Auditing

Account Management
  User Account Management                    Success and Failure
  Computer Account Management                Success and Failure
  Security Group Management                  Success and Failure
  Distribution Group Management              Success and Failure
  Application Group Management               Success and Failure
  Other Account Management Events            Success and Failure

DS Access
  Directory Service Changes                  Success and Failure
  Directory Service Replication              Failure
  Detailed Directory Service Replication     Failure
  Directory Service Access                   Success and Failure

Account Logon
  Kerberos Service Ticket Operations         Failure
  Other Account Logon Events                 Success and Failure
  Kerberos Authentication Service            Failure
  Credential Validation                      Success and Failure
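A drift check for the table above, as an added PowerShell example that is not part of the original post. It takes the CSV report that "auditpol /get /category:* /r" produces (one row per subcategory, with the columns "Subcategory" and "Inclusion Setting" as auditpol names them), compares the effective setting of every subcategory against the recommendations, and reports each deviation. Subcategories the system reports but the table does not cover (those added in releases after Windows Server 2008 R2) are flagged too, since the best practice is to set every subcategory explicitly. The function name, the -IgnoreMissing switch and the three-row sample report are my assumptions; the sample is constructed for an offline dry run and the GUIDs in it are only there to mirror the report layout.

```powershell
# Added example (not from the original post): compare the effective audit policy with the
# recommended settings table. Run elevated; "auditpol /get" needs the audit privilege.

$Expected = @{}
@('Security System Extension', 'System Integrity', 'Other System Events', 'Security State Change',
  'Logon', 'Logoff', 'Account Lockout', 'Special Logon', 'Other Logon/Logoff Events', 'Network Policy Server',
  'File System', 'Registry', 'Kernel Object', 'Certification Services', 'Application Generated', 'File Share',
  'Process Termination', 'DPAPI Activity', 'Process Creation',
  'Audit Policy Change', 'Authentication Policy Change', 'Authorization Policy Change',
  'User Account Management', 'Computer Account Management', 'Security Group Management',
  'Distribution Group Management', 'Application Group Management', 'Other Account Management Events',
  'Directory Service Changes', 'Directory Service Access',
  'Other Account Logon Events', 'Credential Validation') |
    ForEach-Object { $Expected[$_] = 'Success and Failure' }

@('IPsec Driver', 'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode', 'SAM', 'Handle Manipulation',
  'Filtering Platform Packet Drop', 'Filtering Platform Connection', 'Other Object Access Events',
  'Detailed File Share', 'Sensitive Privilege Use', 'Non Sensitive Privilege Use', 'Other Privilege Use Events',
  'MPSSVC Rule-Level Policy Change', 'Filtering Platform Policy Change', 'Other Policy Change Events') |
    ForEach-Object { $Expected[$_] = 'No Auditing' }

@('RPC Events', 'Directory Service Replication', 'Detailed Directory Service Replication',
  'Kerberos Service Ticket Operations', 'Kerberos Authentication Service') |
    ForEach-Object { $Expected[$_] = 'Failure' }

function Compare-AuditPolicy {
    param(
        # Lines of auditpol's CSV report; by default the live policy of this system.
        [string[]]$CsvLines = (auditpol /get /category:* /r),
        [switch]$IgnoreMissing          # assumed switch: skip "expected but not reported" rows
    )
    # auditpol may emit an empty line before the header; drop blanks before parsing.
    $rows = $CsvLines | Where-Object { $_.Trim() -ne '' } | ConvertFrom-Csv
    $seen = @{}
    foreach ($row in $rows) {
        $name   = $row.'Subcategory'.Trim()
        $actual = $row.'Inclusion Setting'.Trim()
        $seen[$name] = $true
        if (-not $Expected.ContainsKey($name)) {
            # Newer subcategories not in the table: they still need an explicit setting.
            [pscustomobject]@{ Subcategory = $name; Expected = '(not in table)'; Actual = $actual }
        } elseif ($Expected[$name] -ne $actual) {
            [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
    if (-not $IgnoreMissing) {
        # Subcategories the table expects but the report did not contain at all.
        foreach ($name in $Expected.Keys) {
            if (-not $seen.ContainsKey($name)) {
                [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = '(not reported)' }
            }
        }
    }
}

# Constructed sample report (header as auditpol emits it) for an offline dry run:
# only "Credential Validation" should be listed, because it is set to Success instead of both.
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting',
    'DC01,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success,',
    'DC01,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success and Failure,',
    'DC01,System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},No Auditing,'
)
Compare-AuditPolicy -CsvLines $sample -IgnoreMissing | Format-Table -AutoSize

# Against the live system (the only trustworthy view of the enforced policy):
# Compare-AuditPolicy | Format-Table -AutoSize
```

Because the function reads auditpol's own report rather than the GPO definition, a non-empty result means the enforced policy really differs from the table, whether through a missing GPO link, a conflicting basic audit policy, or a manual auditpol /set; the 4719 events tell you which.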