How to Configure Advanced Audit Policies on Windows Server 2012 R2
Windows Server 2012 R2 provides a granular audit policy framework through Advanced Audit Policy Configuration that goes far beyond the nine basic categories available in the legacy audit settings. With advanced auditing, you can control exactly which events are logged for each of 58 subcategories, dramatically reducing log noise while ensuring that every security-relevant event is captured. This guide covers configuring the full set of recommended audit subcategories via Group Policy and command-line tools, and explains which event IDs to monitor for the most common threat scenarios.
Prerequisites
- Windows Server 2012 R2 with Domain Admin or local Administrator access
- GPMC for domain-wide deployment
- Understanding that Advanced Audit Policies and the legacy Basic Audit Policy should not be mixed; the setting Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings must be enabled so that the subcategory settings take precedence
Step 1: Enable Advanced Audit Policy Override
When Advanced Audit Policies and legacy Basic Audit policies conflict, Windows defaults to the basic settings unless you enable the override. Configure this via Group Policy or registry:
Via Group Policy: Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options → Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings — set to Enabled.
Via registry:
# PowerShell, elevated. SCENoApplyLegacyAuditPolicy = 1 is the registry form of the Group Policy setting above.
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
-Name "SCENoApplyLegacyAuditPolicy" -Value 1 -Type DWord
Step 2: Configure Account Logon Subcategories
Account Logon events track authentication against the credential database (domain controllers for domain accounts, SAM for local accounts):
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
Key event IDs: 4768 (Kerberos TGT requested), 4769 (Kerberos service ticket requested), 4776 (NTLM authentication), 4771 (Kerberos pre-authentication failed).
Step 3: Configure Account Management Subcategories
Account management events track creation, deletion, and modification of user and group accounts:
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
Key event IDs: 4720 (account created), 4722 (account enabled), 4723 (password changed by user), 4724 (password reset by admin), 4725 (account disabled), 4726 (account deleted), 4728/4732/4756 (member added to a security-enabled global/local/universal group).
Step 4: Configure Detailed Tracking Subcategories
Detailed tracking provides visibility into process creation and termination—essential for detecting malware execution:
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Process Termination" /success:enable
auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
Key event IDs: 4688 (process created—enable command line logging for full value), 4689 (process exited).
Enable command-line logging in process creation events via Group Policy (Computer Configuration → Administrative Templates → System → Audit Process Creation → Include command line in process creation events) or via the registry. This is one of the highest-value settings for threat detection, because without it a 4688 event records only the executable path, not the arguments it was launched with:
# PowerShell, elevated. The Audit key does not exist by default, so create it before setting the value.
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
-Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord
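The following PowerShell script is an added example, not code from the original guide: it confirms that Process Creation auditing is producing 4688 events and reports how many of the most recent ones actually carry a command line, which is the quickest way to see whether ProcessCreationIncludeCmdLine_Enabled took effect. It assumes an elevated session on the audited host; $SampleSize is a constructed parameter, and the registry path is the one from the step above.

```powershell
# Added example (not part of the original guide): check 4688 command-line coverage.
# Assumes an elevated PowerShell session on the audited host. $SampleSize is a
# constructed parameter.
param([int]$SampleSize = 200)

$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$item = Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
$setting = if ($null -eq $item) { 'not set (key or value missing)' } else { $item.ProcessCreationIncludeCmdLine_Enabled }
Write-Host "ProcessCreationIncludeCmdLine_Enabled = $setting"

function Get-EventField {
    # Return the value of one <Data Name="..."> element from the event's EventData block.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Newest $SampleSize process-creation events from the Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $SampleSize -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning 'No 4688 events found; check that the Process Creation subcategory is enabled.'
    return
}

$withCmdLine = 0
$noCmdLine = New-Object System.Collections.Generic.List[string]
foreach ($e in $events) {
    $cmd = Get-EventField -Event $e -Name 'CommandLine'
    if ([string]::IsNullOrWhiteSpace($cmd)) {
        # Without the policy, CommandLine is empty and only NewProcessName is recorded.
        $noCmdLine.Add((Get-EventField -Event $e -Name 'NewProcessName'))
    } else {
        $withCmdLine++
    }
}

$pct = [math]::Round(100 * $withCmdLine / $events.Count, 1)
Write-Host ("{0} of {1} sampled 4688 events ({2}%) include a command line" -f $withCmdLine, $events.Count, $pct)
if ($noCmdLine.Count -gt 0) {
    Write-Host 'Processes logged without a command line (most recent first):'
    $noCmdLine | Select-Object -Unique -First 10
}
```

Events written before the registry value was set will never gain a command line, so immediately after the change the percentage climbs as new processes start; a sample that stays at 0% once fresh events have arrived means the setting is not being applied (typically a GPO refresh has not happened yet).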
Step 5: Configure Directory Service Access (Domain Controllers Only)
On domain controllers, enable DS Access to track Active Directory object changes:
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Replication" /failure:enable
auditpol /set /subcategory:"Detailed Directory Service Replication" /failure:enable
Key event IDs: 4662 (object accessed), 5136 (AD object modified), 5137 (AD object created), 5138 (AD object undeleted), 5139 (AD object moved), 5141 (AD object deleted).
Step 6: Configure Logon and Logoff Subcategories
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Key event IDs: 4624 (successful logon—note logon type: 2=interactive, 3=network, 10=remote interactive), 4625 (failed logon), 4634 (logoff), 4647 (user-initiated logoff), 4648 (explicit credential logon), 4675 (SIDs filtered), 4800 (workstation locked), 4801 (workstation unlocked).
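The following PowerShell script is an added example and not part of the original guide: it turns the Logon/Logoff event IDs listed above into a short triage report, grouping failed logons (4625) by logon type and source address, flagging accounts that exceed a failure threshold, and listing remote-interactive (type 10) successes (4624). It assumes the Logon subcategory is enabled and that the session can read the Security log on $ComputerName; $Hours, $Threshold and $ComputerName are constructed parameters.

```powershell
# Added example (not the original guide's code): triage report over 4624/4625.
# Assumes the Logon subcategory is enabled and the Security log is readable.
# $Hours, $Threshold and $ComputerName are constructed parameters.
param(
    [int]$Hours = 24,
    [int]$Threshold = 10,
    [string]$ComputerName = $env:COMPUTERNAME
)

function Get-EventField {
    # Return one <Data Name="..."> value from the event's EventData block.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Logon type codes as recorded in 4624/4625.
$logonTypeNames = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
    '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
    '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) { Write-Warning "No 4624/4625 events in the last $Hours h on $ComputerName"; return }

# Flatten each event into the fields the report needs.
$rows = foreach ($e in $events) {
    $type = Get-EventField -Event $e -Name 'LogonType'
    $typeName = if ($type) { $logonTypeNames[$type] } else { '?' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Account   = '{0}\{1}' -f (Get-EventField -Event $e -Name 'TargetDomainName'), (Get-EventField -Event $e -Name 'TargetUserName')
        LogonType = $type
        TypeName  = $typeName
        Source    = Get-EventField -Event $e -Name 'IpAddress'
    }
}

$failed = $rows | Where-Object { $_.Id -eq 4625 }

Write-Host "Failed logons (4625) by logon type and source, last $Hours h:"
$failed | Group-Object LogonType, Source | Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'LogonType'; e = { '{0} ({1})' -f $_.Group[0].LogonType, $_.Group[0].TypeName } },
        @{ n = 'Source';    e = { $_.Group[0].Source } } |
    Format-Table -AutoSize

Write-Host "Accounts with $Threshold or more failures (possible password guessing):"
$failed | Group-Object Account | Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

Write-Host 'Remote-interactive successes (4624, logon type 10):'
$rows | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq '10' } |
    Select-Object Time, Account, Source | Format-Table -AutoSize
```

Type 3 (network) failures dominate on most servers, so the grouping by source address is what separates a misconfigured service account retrying from many hosts against one account from a single source cycling through many accounts; the per-account threshold catches the former, and the source column the latter.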
Step 7: Configure Object Access Subcategories
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /failure:enable
auditpol /set /subcategory:"SAM" /failure:enable
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
Note: File System and Registry auditing only logs events for objects that have auditing enabled in their SACL (System Access Control List). Configure SACLs separately on sensitive folders and registry keys.
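Because the File System and Registry subcategories produce nothing on their own, the following PowerShell script is added as an example (it is not from the original guide) of putting an audit entry into the SACL of a folder and of a registry key, so that writes, deletes and permission changes on them generate object-access events (4663). The folder path, the registry key and the use of the Everyone principal are constructed for illustration; writing a SACL requires SeSecurityPrivilege, so run it elevated.

```powershell
# Added example (not from the original guide): add SACL audit entries to a
# folder and a registry key. $FolderPath and $RegistryPath are constructed
# placeholders; run in an elevated session.
param(
    [string]$FolderPath   = 'C:\SensitiveData',
    [string]$RegistryPath = 'HKLM:\SOFTWARE\Contoso\Secrets'
)

# Create the sample objects if they do not exist yet (illustration only).
if (-not (Test-Path $FolderPath))   { New-Item -ItemType Directory -Path $FolderPath | Out-Null }
if (-not (Test-Path $RegistryPath)) { New-Item -Path $RegistryPath -Force | Out-Null }

$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# --- File system: audit writes, deletes and permission/ownership changes by anyone,
#     inherited by subfolders and files.
$fsRights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$fsInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$fsRule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $fsRights, $fsInherit, $propagate, $flags)

$acl = Get-Acl -Path $FolderPath -Audit      # -Audit loads the SACL, not just the DACL
$acl.AddAuditRule($fsRule)
Set-Acl -Path $FolderPath -AclObject $acl

# --- Registry: audit value writes, subkey creation, deletion and permission changes.
$regRights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions'
$regInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # keys are containers only
$regRule = New-Object System.Security.AccessControl.RegistryAuditRule('Everyone', $regRights, $regInherit, $propagate, $flags)

$regAcl = Get-Acl -Path $RegistryPath -Audit
$regAcl.AddAuditRule($regRule)
Set-Acl -Path $RegistryPath -AclObject $regAcl

# --- Verify: show the SACL entries now in place on both objects.
Write-Host "SACL on $FolderPath"
(Get-Acl -Path $FolderPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
Write-Host "SACL on $RegistryPath"
(Get-Acl -Path $RegistryPath -Audit).Audit |
    Format-Table IdentityReference, RegistryRights, AuditFlags, IsInherited -AutoSize
```

Audit only the rights you care about: a SACL entry for FullControl or ReadData on a busy share generates a 4663 for every read and drowns the log, whereas Write, Delete and ChangePermissions on a small set of sensitive paths stays manageable and still catches tampering.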
Step 8: Configure Policy Change and Privilege Use
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /failure:enable
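Steps 2 to 8 are one procedure, so the following PowerShell script is added as a single worked example (it is not the guide's own script): it applies every subcategory setting above in one pass, refuses to run unless the Step 1 override is in place, applies the domain-controller-only DS Access settings of Step 5 only when the host is a DC, and then reads the effective policy back with auditpol /get /r and reports any subcategory that differs from the intended value. Run it in an elevated session; the $desired table is this example's encoding of the steps above.

```powershell
# Added example (not the guide's own script): apply Steps 2-8 and verify them.
# Run elevated. $desired encodes the settings from the steps above.
$desired = [ordered]@{
    # Account Logon (Step 2)
    'Credential Validation'              = 'Success and Failure'
    'Kerberos Authentication Service'    = 'Success and Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Other Account Logon Events'         = 'Success and Failure'
    # Account Management (Step 3)
    'User Account Management'            = 'Success and Failure'
    'Computer Account Management'        = 'Success and Failure'
    'Security Group Management'          = 'Success and Failure'
    'Distribution Group Management'      = 'Success and Failure'
    'Application Group Management'       = 'Success and Failure'
    'Other Account Management Events'    = 'Success and Failure'
    # Detailed Tracking (Step 4)
    'Process Creation'                   = 'Success'
    'Process Termination'                = 'Success'
    'DPAPI Activity'                     = 'Success and Failure'
    'RPC Events'                         = 'Success and Failure'
    # Logon/Logoff (Step 6)
    'Logon'                              = 'Success and Failure'
    'Logoff'                             = 'Success'
    'Account Lockout'                    = 'Success and Failure'
    'IPsec Main Mode'                    = 'Failure'
    'IPsec Quick Mode'                   = 'Failure'
    'Special Logon'                      = 'Success and Failure'
    'Other Logon/Logoff Events'          = 'Success and Failure'
    'Network Policy Server'              = 'Success and Failure'
    # Object Access (Step 7)
    'File System'                        = 'Success and Failure'
    'Registry'                           = 'Success and Failure'
    'Kernel Object'                      = 'Failure'
    'SAM'                                = 'Failure'
    'Other Object Access Events'         = 'Success and Failure'
    'Removable Storage'                  = 'Success and Failure'
    # Policy Change and Privilege Use (Step 8)
    'Audit Policy Change'                = 'Success and Failure'
    'Authentication Policy Change'       = 'Success and Failure'
    'Authorization Policy Change'        = 'Success and Failure'
    'MPSSVC Rule-Level Policy Change'    = 'Success and Failure'
    'Filtering Platform Policy Change'   = 'Success and Failure'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'Non Sensitive Privilege Use'        = 'Failure'
}
# DS Access (Step 5) only on domain controllers (DomainRole 4 = backup DC, 5 = primary DC).
if ((Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4) {
    $desired['Directory Service Access']               = 'Success and Failure'
    $desired['Directory Service Changes']              = 'Success and Failure'
    $desired['Directory Service Replication']          = 'Failure'
    $desired['Detailed Directory Service Replication'] = 'Failure'
}

# Step 1 guard: subcategory settings are only authoritative with the override on.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'SCENoApplyLegacyAuditPolicy' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) { throw 'SCENoApplyLegacyAuditPolicy is not 1; complete Step 1 first.' }

# Map each intended setting to explicit auditpol switches; setting both sides keeps the result deterministic.
$switches = @{
    'Success and Failure' = @('/success:enable',  '/failure:enable')
    'Success'             = @('/success:enable',  '/failure:disable')
    'Failure'             = @('/success:disable', '/failure:enable')
}
foreach ($name in $desired.Keys) {
    & auditpol /set "/subcategory:$name" $switches[$desired[$name]] | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$name' (exit $LASTEXITCODE)" }
}

# Verify: /r emits CSV with an 'Inclusion Setting' column per subcategory.
$actual = @{}
auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv |
    ForEach-Object { $actual[$_.Subcategory] = $_.'Inclusion Setting' }

$drift = foreach ($name in $desired.Keys) {
    if ($actual[$name] -ne $desired[$name]) {
        [pscustomobject]@{ Subcategory = $name; Expected = $desired[$name]; Actual = $actual[$name] }
    }
}
if ($drift) { $drift | Format-Table -AutoSize }
else        { Write-Host "All $($desired.Count) subcategories match the intended policy." }
```

The verification half is worth keeping as a scheduled check on its own: when the Step 9 GPO is in place, any local drift reported here means the policy is being overridden or the override setting has been reverted.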
Step 9: Deploy via Group Policy
For domain-wide deployment, apply advanced audit policies through a GPO. Navigate to:
Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies
Each subcategory listed above has a corresponding node in the GPO editor. Set Success and Failure checkboxes as per the steps above.
Export the configured policy to a template for documentation:
# Binary backup that auditpol /restore can reapply (the C:\AuditPolicy folder must already exist):
auditpol /backup /file:C:\AuditPolicy\AdvancedAuditPolicy.csv
# Or in human-readable form:
auditpol /get /category:* > C:\AuditPolicy\CurrentAuditPolicy.txt
Step 10: Increase Security Event Log Size
Advanced auditing generates significantly more events than basic auditing. Increase the Security log size to prevent overwrite before events can be collected:
# Set Security log to 256 MB (/ms takes bytes) with auto-overwrite of the oldest events:
# /rt:false = overwrite as needed; /rt:true would retain old events and drop new ones once full.
wevtutil sl Security /ms:268435456 /rt:false /ab:false
# Verify
wevtutil gl Security
Summary
Advanced Audit Policies on Windows Server 2012 R2 give you precise control over which events populate the Security event log, enabling effective threat detection without log flooding. By enabling the override setting, configuring all relevant subcategories across Account Logon, Account Management, Detailed Tracking, Logon/Logoff, and Policy Change categories, and increasing log size to match the higher event volume, you have built a comprehensive audit trail. Feed these logs into a WEF collector or SIEM to correlate events across your server fleet and detect attacks in real time.