Nothing is more critical during a security investigation (incident response, or “IR”) than the quality of the information coming from your log sources. During a recent incident, progress stopped due to insufficient auditing settings. The IR closed with inconclusive findings and a remediation project to standardize and enable Microsoft Advanced Security Auditing. Microsoft released Advanced Security Auditing with Windows Vista and Windows Server 2008. After 12 years, I still see environments that have not configured it. In today’s threat landscape, most businesses are one incident from regretting it.
What is Advanced Security Auditing?
Here is an explanation from Microsoft:
“Security auditing is a methodical examination and review of activities that may affect the security of a system. In the Windows operating systems, the definition of security auditing is the features and services that enable an administrator to log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.”
Microsoft goes on to explain the difference between audit policies located in “Local Policies\Audit” and in the Advanced Audit Policy Configuration:
“The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they are recorded and applied differently. When you apply basic audit policy settings to the local computer by using the Local Security Policy snap-in (secpol.msc), you are editing the effective audit policy, so changes made to basic audit policy settings will appear exactly as configured in Auditpol.exe.
There are a number of additional differences between the security audit policy settings in these two locations.
There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy and settings under Advanced Audit Policy Configuration. The settings available in Security Settings\Advanced Audit Policy Configuration address similar issues as the nine basic settings in Local Policies\Audit Policy, but they allow administrators to be more selective in the number and types of events to audit.
For example, the basic audit policy provides a single setting for account logon, and the advanced audit policy provides four. Enabling the single basic account logon setting would be the equivalent of setting all four advanced account logon settings. In comparison, setting a single advanced audit policy setting does not generate audit events for activities that you are not interested in tracking.
In addition, if you enable success auditing for the basic Audit account logon events setting, only success events will be logged for all account logon–related behaviors. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or no auditing.”
What does this mean for my organization?
Where possible, SecurIT360 recommends implementing Microsoft Advanced Security Auditing at the domain level. This, in combination with Event Log policies, forces security log information to be retained as long as possible on all machines.
SecurIT360 has teamed up with the Center for Internet Security to establish best practice settings. These settings can be the difference between an IR that ends with a conclusion vs. an IR that ends inconclusively.
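As an added example (not code from Microsoft or SecurIT360), the Python below parses the CSV report printed by `auditpol /get /category:"Account Logon" /r` and lists which success or failure outcomes are not being audited for the four advanced account logon subcategories. The sample output, host name, GUID placeholders and the desired-state table are constructed for illustration and are not CIS benchmark values.

```python
import csv
import io

# Constructed sample of `auditpol /get /category:"Account Logon" /r` output.
# Host name and GUID column are placeholders; settings are invented for the demo.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Credential Validation,{GUID-PLACEHOLDER},Success and Failure,
HOST01,System,Kerberos Authentication Service,{GUID-PLACEHOLDER},Success,
HOST01,System,Kerberos Service Ticket Operations,{GUID-PLACEHOLDER},No Auditing,
HOST01,System,Other Account Logon Events,{GUID-PLACEHOLDER},Failure,
"""

# Constructed desired state for the four advanced account logon subcategories.
# Illustrative only: substitute the values from your organization's baseline.
DESIRED = {
    "Credential Validation": {"Success", "Failure"},
    "Kerberos Authentication Service": {"Success", "Failure"},
    "Kerberos Service Ticket Operations": {"Failure"},
    "Other Account Logon Events": {"Success", "Failure"},
}

def parse_setting(text):
    """Map an Inclusion Setting string to the set of audited outcomes."""
    text = text.strip()
    if not text or text == "No Auditing":
        return set()
    return {part.strip() for part in text.split(" and ")}

def effective_policy(csv_text):
    """Return {subcategory: audited outcomes} from auditpol /r CSV text."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["Subcategory"].strip(): parse_setting(r["Inclusion Setting"])
            for r in rows}

def audit_gaps(csv_text, desired):
    """Return {subcategory: missing outcomes}; an absent row counts as unaudited."""
    effective = effective_policy(csv_text)
    gaps = {}
    for name, wanted in desired.items():
        missing = wanted - effective.get(name, set())
        if missing:
            gaps[name] = sorted(missing)
    return gaps

if __name__ == "__main__":
    for name, missing in audit_gaps(SAMPLE_AUDITPOL_CSV, DESIRED).items():
        print(f"{name}: not auditing {', '.join(missing)}")
```

The setting strings matched here are the English ones; on a localized system the subcategory names and setting text in the report differ.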
For more information on how SecurIT360 can assist you with Security Monitoring, Auditing, Managed Detection and Response Services, and Endpoint Detection and Response, contact us.