This post lists recommended Windows audit policy settings. No two environments are the same, so after running with these settings for a week, inspect how much data is being recorded and whether any of it can be dropped. Ideally you will retain more than 24 hours' worth of events with the Security event log's maximum size set to 2GB (2GB is not large for some environments).
The table below lists the recommended audit settings for these operating systems:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows 10
As a side note, exercise extreme caution if you ever enable Success auditing beyond what is recommended here. Doing so fills not only your Security event log with fairly useless data but also every downstream system those logs flow to, for example a Microsoft Sentinel workspace ingesting server Security event logs.
Blank cells carry no recommendation for that subcategory; "Domain Controller" means enable the setting on domain controllers only.

| Setting | Success | Failure |
|---|---|---|
| **Account Management** | | |
| Audit Application Group Management | Yes | Yes |
| Audit Computer Account Management | Yes | Yes |
| Audit Distribution Group Management | | |
| Audit Other Account Management Events | Yes | Yes |
| Audit Security Group Management | Yes | Yes |
| Audit User Account Management | Yes | Yes |
| **Account Logon** | | |
| Audit Credential Validation | Yes | Yes |
| Audit Kerberos Authentication Service | Domain Controller | Domain Controller |
| Audit Kerberos Service Ticket Operations | Domain Controller | Domain Controller |
| Audit Other Account Logon Events | Yes | No |
| **Detailed Tracking** | | |
| Audit DPAPI Activity | Yes | Yes |
| Audit Process Creation | Yes | Yes |
| Audit Process Termination | | |
| Audit RPC Events | | |
| **DS Access** | | |
| Audit Detailed Directory Service Replication | | |
| Audit Directory Service Access | Domain Controller | Domain Controller |
| Audit Directory Service Changes | Domain Controller | Domain Controller |
| Audit Directory Service Replication | | |
| **Logon and Logoff** | | |
| Audit Account Lockout | Yes | No |
| Audit User/Device Claims | | |
| Audit IPsec Extended Mode | | |
| Audit IPsec Main Mode | | |
| Audit IPsec Quick Mode | | |
| Audit Logoff | Yes | No |
| Audit Logon | Yes | Yes |
| Audit Network Policy Server | | |
| Audit Other Logon/Logoff Events | Yes | Yes |
| Audit Special Logon | Yes | Yes |
| **Object Access** | | |
| Audit Application Generated | | |
| Audit Certification Services | | |
| Audit Detailed File Share | | |
| Audit File Share | | |
| Audit File System | | |
| Audit Filtering Platform Connection | | |
| Audit Filtering Platform Packet Drop | | |
| Audit Handle Manipulation | | |
| Audit Kernel Object | | |
| Audit Other Object Access Events | Yes | Yes |
| Audit Registry | | |
| Audit Removable Storage | Yes | Yes |
| Audit SAM | | |
| Audit Central Access Policy Staging | | |
| **Policy Change** | | |
| Audit Audit Policy Change | Yes | Yes |
| Audit Authentication Policy Change | Yes | Yes |
| Audit Authorization Policy Change | Yes | Yes |
| Audit Filtering Platform Policy Change | | |
| Audit MPSSVC Rule-Level Policy Change | Yes | Yes |
| Audit Other Policy Change Events | No | Yes |
| **Privilege Use** | | |
| Audit Non Sensitive Privilege Use | | |
| Audit Other Privilege Use Events | | |
| Audit Sensitive Privilege Use | Yes | Yes |
| **System** | | |
| Audit IPsec Driver | Yes | Yes |
| Audit Other System Events | Yes | No |
| Audit Security State Change | Yes | Yes |
| Audit Security System Extension | Yes | No |
| Audit System Integrity | Yes | Yes |
| **Global Object Access Auditing** | | |
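The following PowerShell is an added example, not part of the original post: it applies the table's recommendations locally with auditpol.exe, sets the Security log to the 2GB maximum the post suggests, and then reports how many hours of data the log holds and which event IDs dominate, which is the check the introduction asks you to do after a week. The subcategory names are auditpol's own (the table's names without the "Audit " prefix); the domain controller test via Win32_ComputerSystem DomainRole and the helper name Get-SecurityLogVolume are this example's choices.

```powershell
# Added example (not from the original post). Run from an elevated Windows PowerShell 5.1
# prompt. In a domain, push these settings through Group Policy (Advanced Audit Policy
# Configuration); local auditpol changes are overwritten at the next policy refresh.
#Requires -RunAsAdministrator

# DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem)
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# Subcategory names as auditpol expects them (no "Audit " prefix). DC = domain controllers only.
# Subcategories the table leaves blank are deliberately not touched.
$policy = @(
    @{ Name = 'Application Group Management';       Success = $true;  Failure = $true  }
    @{ Name = 'Computer Account Management';        Success = $true;  Failure = $true  }
    @{ Name = 'Other Account Management Events';    Success = $true;  Failure = $true  }
    @{ Name = 'Security Group Management';          Success = $true;  Failure = $true  }
    @{ Name = 'User Account Management';            Success = $true;  Failure = $true  }
    @{ Name = 'Credential Validation';              Success = $true;  Failure = $true  }
    @{ Name = 'Kerberos Authentication Service';    Success = $true;  Failure = $true;  DC = $true }
    @{ Name = 'Kerberos Service Ticket Operations'; Success = $true;  Failure = $true;  DC = $true }
    @{ Name = 'Other Account Logon Events';         Success = $true;  Failure = $false }
    @{ Name = 'DPAPI Activity';                     Success = $true;  Failure = $true  }
    @{ Name = 'Process Creation';                   Success = $true;  Failure = $true  }
    @{ Name = 'Directory Service Access';           Success = $true;  Failure = $true;  DC = $true }
    @{ Name = 'Directory Service Changes';          Success = $true;  Failure = $true;  DC = $true }
    @{ Name = 'Account Lockout';                    Success = $true;  Failure = $false }
    @{ Name = 'Logoff';                             Success = $true;  Failure = $false }
    @{ Name = 'Logon';                              Success = $true;  Failure = $true  }
    @{ Name = 'Other Logon/Logoff Events';          Success = $true;  Failure = $true  }
    @{ Name = 'Special Logon';                      Success = $true;  Failure = $true  }
    @{ Name = 'Other Object Access Events';         Success = $true;  Failure = $true  }
    @{ Name = 'Removable Storage';                  Success = $true;  Failure = $true  }
    @{ Name = 'Audit Policy Change';                Success = $true;  Failure = $true  }
    @{ Name = 'Authentication Policy Change';       Success = $true;  Failure = $true  }
    @{ Name = 'Authorization Policy Change';        Success = $true;  Failure = $true  }
    @{ Name = 'MPSSVC Rule-Level Policy Change';    Success = $true;  Failure = $true  }
    @{ Name = 'Other Policy Change Events';         Success = $false; Failure = $true  }
    @{ Name = 'Sensitive Privilege Use';            Success = $true;  Failure = $true  }
    @{ Name = 'IPsec Driver';                       Success = $true;  Failure = $true  }
    @{ Name = 'Other System Events';                Success = $true;  Failure = $false }
    @{ Name = 'Security State Change';              Success = $true;  Failure = $true  }
    @{ Name = 'Security System Extension';          Success = $true;  Failure = $false }
    @{ Name = 'System Integrity';                   Success = $true;  Failure = $true  }
)

foreach ($p in $policy) {
    if ($p.DC -and -not $isDC) { continue }       # DC-only rows are skipped on member hosts
    $s = if ($p.Success) { 'enable' } else { 'disable' }
    $f = if ($p.Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$($p.Name)" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$($p.Name)'" }
}

# Security log maximum size: 2 GB, as recommended above
& wevtutil.exe sl Security /ms:2147483648

function Get-SecurityLogVolume {
    # Reports how much history the Security log holds and which event IDs dominate
    # the last $Hours, so noisy subcategories can be spotted and trimmed.
    param([int]$Hours = 24, [int]$Top = 10)
    $log    = Get-WinEvent -ListLog Security
    $oldest = Get-WinEvent -LogName Security -Oldest -MaxEvents 1
    $newest = Get-WinEvent -LogName Security -MaxEvents 1
    $span   = $newest.TimeCreated - $oldest.TimeCreated
    $perDay = $null
    if ($span.TotalHours -gt 0) { $perDay = [math]::Round($log.FileSize / 1MB * 24 / $span.TotalHours) }
    [pscustomobject]@{
        MaximumSizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        CurrentSizeMB = [math]::Round($log.FileSize / 1MB)
        Records       = $log.RecordCount
        HoursRetained = [math]::Round($span.TotalHours, 1)   # want this comfortably above 24
        EstMBPerDay   = $perDay                              # multiply by host count for SIEM ingest
    }
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-$Hours) } |
        Group-Object Id | Sort-Object Count -Descending |
        Select-Object -First $Top -Property Count, @{ n = 'EventId'; e = { $_.Name } }
}

auditpol.exe /get /category:*      # verify what is now in effect
Get-SecurityLogVolume
```

Re-run `Get-SecurityLogVolume` after a week: if HoursRetained is under 24 with the log at its 2GB cap, either raise the cap or look at the top event IDs for a subcategory that can be dialled back before its volume reaches your SIEM.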