How to Configure Audit Policy on Windows Server 2012 R2

A well-configured audit policy is the foundation of security monitoring and forensic investigation on Windows Server 2012 R2. Audit policies generate security event log entries when specific activities occur — such as logon attempts, privilege use, object access, or policy changes. Windows Server 2012 R2 provides two levels of audit policy: the legacy basic audit policy (9 categories) and the advanced audit policy subcategory system (53 subcategories) which provides much finer-grained control. This guide focuses on the advanced audit policy system using both Group Policy and the auditpol command-line tool.

Prerequisites

Configuring audit policy requires local Administrator or Domain Admin rights. For domain environments, audit policy should be configured via Group Policy and linked at the domain or OU level for consistent coverage. Ensure the Security event log has sufficient size configured — the default 20 MB is inadequate for a busy server. Windows Event Collector or a SIEM solution should be in place to aggregate and retain logs beyond what the local machine can store. The auditpol.exe command is available natively on Server 2012 R2.

Understanding Basic vs Advanced Audit Policy

The legacy basic audit policy in Group Policy under Security Settings > Local Policies > Audit Policy controls 9 broad categories. The advanced audit policy under Security Settings > Advanced Audit Policy Configuration provides 53 subcategories for precise control. When both are configured, the advanced policy takes precedence if the Group Policy setting “Force audit policy subcategory settings to override audit policy category settings” is enabled. Enable this via GPO or locally:

# Enable the override locally: the CrashOnAuditFail option is unrelated to this setting;
# the override is the SCENoApplyLegacyAuditPolicy registry value under the LSA key
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy /t REG_DWORD /d 1 /f
# Configure via GPO: Computer Configuration > Windows Settings > Security Settings >
# Local Policies > Security Options > "Audit: Force audit policy subcategory settings..."

Viewing Current Audit Policy

Use auditpol to view the current configuration for all categories and subcategories:

# View all audit policy settings
auditpol /get /category:*

# View a specific category
auditpol /get /category:"Logon/Logoff"

# Export current settings to a file for backup
auditpol /backup /file:C:\AuditPolicy-Backup.csv

Configuring Logon and Authentication Auditing

Logon events are among the most critical security events to capture. Configure auditing for both successful and failed logon attempts:

# Audit logon events (interactive, network, service logons)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Audit account logoff
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable

# Audit other logon events (NLA, RemoteInteractive, etc.)
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

# Audit special logon (admin-equivalent privileges used)
auditpol /set /subcategory:"Special Logon" /success:enable /failure:disable

# Audit account lockout
auditpol /set /subcategory:"Account Lockout" /success:disable /failure:enable

Configuring Account Management Auditing

Track all changes to user accounts, groups, and computer accounts in Active Directory:

# User account changes
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Security group management (Domain Admins, etc.)
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# Distribution group management
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable

# Computer account management
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable

# Other account management
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable

Configuring Privilege Use Auditing

Capture when sensitive privileges are exercised, which can indicate misuse of administrative rights:

# Audit sensitive privilege use (backup/restore, act as OS, etc.)
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

# Audit non-sensitive privilege use (generate security audits, etc.) - produces high volume
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable

Configuring Policy Change Auditing

Detect unauthorized changes to security policy, trust relationships, and audit policy itself:

# Audit policy changes
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable

# Authentication policy changes (Kerberos settings, etc.)
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable

# MPSSVC rule-level policy change (Windows Firewall rules)
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable

# Filtering platform policy change
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:enable /failure:enable

Configuring Object Access Auditing

Object access auditing requires both the audit policy setting AND a System Access Control List (SACL) on the specific object. Enable file system auditing at the policy level:

# Enable file system object access auditing
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Enable registry object access auditing
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Enable removable storage auditing (USB drives etc.)
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable

# Enable SAM (local account database) access auditing
auditpol /set /subcategory:"SAM" /success:enable /failure:enable

After enabling the policy, add SACLs to specific files or folders. To audit access to a sensitive directory:

# Add audit SACL to D:\SensitiveData for all users, all access, success and failure
$Acl = Get-Acl "D:\SensitiveData"
$AuditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    "Everyone",
    "FullControl",
    "ContainerInherit,ObjectInherit",
    "None",
    "Success,Failure"
)
$Acl.AddAuditRule($AuditRule)
Set-Acl -Path "D:\SensitiveData" -AclObject $Acl

Configuring Process and System Auditing

Track process creation and termination, which is valuable for detecting malicious execution chains:

# Process creation - generates Event 4688 with process command line
auditpol /set /subcategory:"Process Creation" /success:enable /failure:disable

# Process termination
auditpol /set /subcategory:"Process Termination" /success:enable /failure:disable

# System integrity events
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable

# Security system extension (driver loading)
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable

Enable command line logging in process creation events (requires additional registry setting):

# PowerShell syntax (the backtick continues the line); in cmd.exe run it as a single line
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
    /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

Configuring Security Event Log Size and Retention

Increase the Security event log size to prevent overwriting critical events:

# Set Security log to 1 GB maximum size and archive the log when full instead of overwriting.
# wevtutil requires retention (/rt:true) together with auto-backup (/ab:true); archived copies
# are written next to the log file (by default %SystemRoot%\System32\winevt\Logs)
wevtutil sl Security /ms:1073741824 /rt:true /ab:true

# Set via PowerShell
$LogConfig = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration("Security")
$LogConfig.MaximumSizeInBytes = 1073741824  # 1 GB
$LogConfig.LogMode = [System.Diagnostics.Eventing.Reader.EventLogMode]::AutoBackup
$LogConfig.SaveChanges()

Applying Audit Policy via Group Policy

Export your configured local policy and apply via GPO to all domain servers:

# Export current auditpol settings
auditpol /backup /file:C:\AuditPolicy-Production.csv

# To restore on another machine or after GPO refresh:
auditpol /restore /file:C:\AuditPolicy-Production.csv

In Group Policy Management Console, apply the same settings under Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies: configure each subcategory manually, or use the Security Configuration Wizard to apply the exported policy.
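A restore or a GPO refresh can silently leave a subcategory at the wrong value, so the effective policy should be checked against what this guide expects. The script below is an added example, not part of the original guide: it parses the CSV that auditpol /get /category:* /r prints (the Subcategory and Inclusion Setting columns) and reports every subcategory that drifted; a constructed sample of that output, with a placeholder GUID column, is embedded so it runs offline.

```powershell
function Test-AuditPolicyDrift {
    param(
        [Parameter(Mandatory)][string]$AuditpolCsv,   # text of 'auditpol /get /category:* /r'
        [Parameter(Mandatory)][hashtable]$Expected    # Subcategory -> expected 'Inclusion Setting'
    )
    # auditpol /r emits CSV with 'Subcategory' and 'Inclusion Setting' columns
    $rows = $AuditpolCsv | ConvertFrom-Csv
    $drift = foreach ($name in $Expected.Keys) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name }
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not present' }
        if ($actual -ne $Expected[$name]) {
            [pscustomobject]@{ Subcategory = $name; Expected = $Expected[$name]; Actual = $actual }
        }
    }
    return $drift
}

# Expected values for a subset of the subcategories this guide configures
$Expected = @{
    'Logon'                       = 'Success and Failure'
    'Special Logon'               = 'Success'
    'Audit Policy Change'         = 'Success and Failure'
    'Process Creation'            = 'Success'
    'Non Sensitive Privilege Use' = 'No Auditing'
}

# Constructed sample of 'auditpol /get /category:* /r' output (GUID column is a placeholder)
$SampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,Logon,{PLACEHOLDER-GUID},Success and Failure,
SRV01,System,Special Logon,{PLACEHOLDER-GUID},Success,
SRV01,System,Audit Policy Change,{PLACEHOLDER-GUID},Success,
SRV01,System,Process Creation,{PLACEHOLDER-GUID},No Auditing,
SRV01,System,Non Sensitive Privilege Use,{PLACEHOLDER-GUID},No Auditing,
'@

# Reports two drifted rows: Audit Policy Change (failure auditing missing) and Process Creation (off)
Test-AuditPolicyDrift -AuditpolCsv $SampleCsv -Expected $Expected | Format-Table -AutoSize
```

For a live check, pass the real output instead of the sample: Test-AuditPolicyDrift -AuditpolCsv (auditpol /get /category:* /r | Out-String) -Expected $Expected.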

Verification

Query the Security event log for recent critical audit events:

# Find failed logon events (Event ID 4625)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 20 |
    Select-Object TimeCreated, Message | Format-List

# Find account created events (Event ID 4720)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} -MaxEvents 10 |
    Select-Object TimeCreated, Message | Format-List

# Find audit policy changes (Event ID 4719)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4719} -MaxEvents 10 |
    Select-Object TimeCreated, Message | Format-List
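Reading Message text is enough to spot a single event, but triage needs the 4625 fields as data: which account, from which address, how many times. The script below is an added example, not part of the original guide: it flattens an event's EventData into named fields (TargetUserName, IpAddress, LogonType, Status are the real 4625 field names) and counts failures per account and source; the four embedded events are constructed, not captured from a real host, so it runs offline.

```powershell
function ConvertFrom-SecurityEventXml {
    # Flatten one event's <Data Name="..."> elements into an object with named fields
    param([Parameter(Mandatory)][xml]$EventXml)
    $id = $EventXml.Event.System.EventID
    if ($id -is [System.Xml.XmlElement]) { $id = $id.'#text' }   # EventID may carry attributes
    $fields = [ordered]@{ EventId = [int]$id; Computer = $EventXml.Event.System.Computer }
    foreach ($d in $EventXml.Event.EventData.Data) {
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$fields
}

function Get-FailedLogonSummary {
    # Count 4625 events per (account, source address) and flag pairs at or above the threshold
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 3)
    $Events | Where-Object { $_.EventId -eq 4625 } |
        Group-Object TargetUserName, IpAddress | ForEach-Object {
            [pscustomobject]@{
                Account       = $_.Group[0].TargetUserName
                Source        = $_.Group[0].IpAddress
                Failures      = $_.Count
                OverThreshold = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Failures -Descending
}

# Constructed sample events (not captured from a real host): three failures for one
# account from one address, one failure for another account
$SampleEvents = @(
    @{ User = 'svc_backup'; Ip = '10.0.0.25' }, @{ User = 'svc_backup'; Ip = '10.0.0.25' },
    @{ User = 'svc_backup'; Ip = '10.0.0.25' }, @{ User = 'jdoe';       Ip = '10.0.0.40' }
) | ForEach-Object {
    [xml]@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><Computer>SRV01</Computer></System>
  <EventData>
    <Data Name="TargetUserName">$($_.User)</Data>
    <Data Name="TargetDomainName">CORP</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="IpAddress">$($_.Ip)</Data>
  </EventData>
</Event>
"@
}

$Parsed = foreach ($e in $SampleEvents) { ConvertFrom-SecurityEventXml $e }
# svc_backup from 10.0.0.25 shows 3 failures and OverThreshold = True; jdoe shows 1
Get-FailedLogonSummary -Events $Parsed -Threshold 3 | Format-Table -AutoSize
```

For live data, build $Parsed from Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} by passing each record's [xml]$_.ToXml() to ConvertFrom-SecurityEventXml.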

Summary

A comprehensive audit policy on Windows Server 2012 R2 requires configuring the advanced audit subcategory system rather than the legacy basic categories. The most critical areas to audit are: logon/logoff events, account management changes, sensitive privilege use, policy changes, and file system access on sensitive directories. Process creation auditing with command line logging provides visibility into execution chains. Ensure the Security event log is sized appropriately and forwarded to a central SIEM or Windows Event Collector for long-term retention and correlation.