Advanced Audit Policy vs Basic Audit Policy

Windows provides two mechanisms for configuring Security event log auditing: the legacy Basic Audit Policy and the more granular Advanced Audit Policy Configuration. Understanding the difference is important before you begin configuring auditing on Windows Server 2022, because the two systems interact in ways that can produce unexpected results if both are configured simultaneously.

The Basic Audit Policy (found at Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy) offers nine categories with simple Success/Failure/Both/None settings. It has been available since Windows 2000 and controls broad event generation across each category. The Advanced Audit Policy Configuration (found at Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies) was introduced with Windows Vista and Server 2008 and splits those nine categories into more than fifty subcategories (53 in the Windows 7 / Server 2008 R2 generation; later releases added a handful more, such as PNP Activity and Token Right Adjusted), each of which can be configured independently. This granularity lets you audit exactly the events you need without the noise of events you do not care about.

When both are configured on Windows Vista and later, the Advanced subcategory settings win as long as the override option below is enabled. It is the effective default on current releases, but define it explicitly so that a Basic Audit Policy in some other GPO cannot silently reset your subcategories:

# Group Policy path:
# Computer Configuration > Windows Settings > Security Settings >
#   Local Policies > Security Options
# Setting: Audit: Force audit policy subcategory settings (Windows Vista or later)
#          to override audit policy category settings
# Value: Enabled

# Verify via registry:
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v SCENoApplyLegacyAuditPolicy
# Expected: REG_DWORD    0x1  (1 = Advanced takes precedence)

With this setting enabled, the Basic Audit Policy entries in Group Policy are ignored in favour of the Advanced Audit Policy subcategory settings. This is the recommended configuration for Windows Server 2022. Keep in mind that Advanced settings delivered by Group Policy are stored on the client in %SystemRoot%\security\audit\audit.csv and re-applied at every policy refresh, which matters as soon as you start changing settings locally with auditpol.

Configuring Advanced Audit Policies via Group Policy

Advanced Audit Policy Configuration is managed through Group Policy under Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies. The nine top-level categories each contain several subcategories. Expand a category to see its subcategories and set each to audit Success, Failure, both, or neither; a subcategory left Not Configured in the GPO keeps whatever the local setting already is.

The 9 top-level categories are:

  1. Account Logon — Kerberos authentication, NTLM authentication, credential validation
  2. Account Management — User/group/computer account creation, modification, deletion
  3. DS Access — Directory Service access, changes and replication (domain controllers only)
  4. Logon/Logoff — Interactive and network logons, session creation/deletion, account lockout, IPsec negotiation
  5. Object Access — File/registry/share/kernel object access (requires SACLs on objects)
  6. Policy Change — Audit policy changes, authentication policy changes, authorization policy changes
  7. Privilege Use — Sensitive and non-sensitive privilege use
  8. Detailed Tracking (called "Process Tracking" in the Basic policy) — Process creation and termination, DPAPI activity, RPC events, PNP activity, token right adjustments
  9. System — IPsec driver events, security state changes, security system extension, system integrity

Using auditpol.exe to View and Set Audit Policies

auditpol.exe is the command-line tool for reading and writing Advanced Audit Policy settings directly on a local machine. It is the fastest way to verify the current effective audit configuration and to make immediate changes without waiting for Group Policy to refresh. It must run from an elevated prompt, and on a machine where a GPO defines any Advanced Audit Policy setting, the next policy refresh (gpupdate or the background cycle) overwrites whatever you set with auditpol; use it for verification, lab work and standalone hosts, and put production settings in the GPO. Adding /r to a /get command prints the same information as CSV, which is easier to consume from scripts.

View the current audit policy for all subcategories:

auditpol /get /category:*

View the policy for a specific category:

auditpol /get /category:"Logon/Logoff"

Set a specific subcategory. For example, enable auditing of Logon success and failure:

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

Configure Process Creation auditing (essential for detecting malicious process chains):

auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable

Enable auditing for all subcategories in a category at once:

auditpol /set /category:"Account Management" /success:enable /failure:enable
auditpol /set /category:"Account Logon" /success:enable /failure:enable
auditpol /set /category:"Policy Change" /success:enable /failure:enable

Export the current policy to a file for backup or documentation. The examples below are PowerShell; the $(Get-Date ...) subexpression is expanded by PowerShell before auditpol sees it, so from cmd.exe use a fixed file name instead. The target directory (C:\Audit here) must already exist, as auditpol does not create it:

auditpol /backup /file:C:\Audit\auditpol_backup_$(Get-Date -f yyyyMMdd).csv

Restore a previously exported policy (this replaces the whole local policy, not just the differences):

auditpol /restore /file:C:\Audit\auditpol_backup_20260101.csv

Recommended Audit Subcategory Settings

The following settings represent a strong baseline for a Windows Server 2022 member server, in line with the commonly published hardening baselines for that platform. Settings marked (DC only) are primarily relevant on domain controllers; treat the whole table as a starting point and adjust for log volume once you have measured it.

--- Account Logon ---
Credential Validation:                  Success, Failure
Kerberos Authentication Service:        Success, Failure  (DC only)
Kerberos Service Ticket Operations:     Success, Failure  (DC only)
Other Account Logon Events:             Success, Failure

--- Account Management ---
Computer Account Management:            Success, Failure
Distribution Group Management:          Success, Failure
Other Account Management Events:        Success, Failure
Security Group Management:              Success, Failure
User Account Management:                Success, Failure

--- DS Access (Domain Controllers) ---
Directory Service Access:               Failure
Directory Service Changes:              Success

--- Logon/Logoff ---
Account Lockout:                        Failure
Logoff:                                 Success
Logon:                                  Success, Failure
Other Logon/Logoff Events:              Success, Failure
Special Logon:                          Success

--- Object Access ---
Certification Services:                 Success, Failure  (CA servers)
Detailed File Share:                    Failure
File Share:                             Success, Failure
File System:                            Failure           (requires SACL)
Other Object Access Events:             Success, Failure
Registry:                               Failure           (requires SACL)
Removable Storage:                      Success, Failure
SAM:                                    Failure

--- Policy Change ---
Audit Policy Change:                    Success, Failure
Authentication Policy Change:           Success
Authorization Policy Change:            Success
Filtering Platform Policy Change:       No Auditing
MPSSVC Rule-Level Policy Change:        Success, Failure
Other Policy Change Events:             Failure

--- Privilege Use ---
Non Sensitive Privilege Use:            No Auditing
Other Privilege Use Events:             No Auditing
Sensitive Privilege Use:                Success, Failure

--- Detailed Tracking (Process Tracking) ---
DPAPI Activity:                         Success, Failure
PNP Activity:                           Success
Process Creation:                       Success
Process Termination:                    No Auditing
RPC Events:                             No Auditing
Token Right Adjusted:                   Success, Failure

--- System ---
IPsec Driver:                           Success, Failure
Other System Events:                    Success, Failure
Security State Change:                  Success, Failure
Security System Extension:              Success, Failure
System Integrity:                       Success, Failure
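Putting the auditpol commands above and this baseline table together, the following script is an added example (not part of the original page) that reads the effective policy with auditpol /get /category:* /r, compares it with a desired-state table and, when run with -Apply, corrects the drift one subcategory at a time. The subcategory names are the English auditpol names; on a non-English system they will not match and need translating. The baseline subset shown is taken from the table above and is an assumption you should adjust to your own standard.

```powershell
# Added example: report (and optionally fix) drift between the effective local
# audit policy and a desired baseline. Run from an elevated PowerShell session.
# Caveat: on a host where a GPO defines Advanced Audit Policy, the next policy
# refresh overwrites anything set here; put production settings in the GPO.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports drift
)

# Desired state (subset of the baseline table). Values are the exact strings
# auditpol prints in its "Inclusion Setting" column.
$Baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Failure'
    'Special Logon'             = 'Success'
    'Other Logon/Logoff Events' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Sensitive Privilege Use'   = 'Success and Failure'
    'Process Creation'          = 'Success'
    'Security State Change'     = 'Success and Failure'
    'Security System Extension' = 'Success and Failure'
    'System Integrity'          = 'Success and Failure'
}

# auditpol /r emits CSV with the columns: Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$effective = @{}
auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv | ForEach-Object {
    $effective[$_.Subcategory] = $_.'Inclusion Setting'
}

# Translate a baseline string into the /success and /failure switches auditpol expects.
function Get-AuditpolSwitches([string]$Setting) {
    switch ($Setting) {
        'Success'             { return '/success:enable',  '/failure:disable' }
        'Failure'             { return '/success:disable', '/failure:enable' }
        'Success and Failure' { return '/success:enable',  '/failure:enable' }
        'No Auditing'         { return '/success:disable', '/failure:disable' }
        default               { throw "Unknown setting '$Setting'" }
    }
}

$drift = foreach ($sub in ($Baseline.Keys | Sort-Object)) {
    $want = $Baseline[$sub]
    $have = if ($effective.ContainsKey($sub)) { $effective[$sub] } else { '<not found>' }
    if ($have -ne $want) {
        [pscustomobject]@{ Subcategory = $sub; Current = $have; Desired = $want }
    }
}

if (-not $drift) {
    Write-Host 'Effective audit policy matches the baseline.'
    return
}

$drift | Format-Table -AutoSize

if ($Apply) {
    foreach ($d in $drift) {
        # '<not found>' means the name did not match anything auditpol knows
        # (typo, localisation, or older OS); do not try to set it.
        if ($d.Current -eq '<not found>') { continue }
        $switches = Get-AuditpolSwitches $d.Desired
        & auditpol /set "/subcategory:$($d.Subcategory)" @switches
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$($d.Subcategory)'" }
    }
}
```

Run it without switches first and review the table; only then run it again with -Apply. Because each subcategory is set with its own auditpol /set call, a single bad name cannot take the other settings down with it.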

Process Creation with Command Line Logging

Enabling Process Creation auditing (event ID 4688) is one of the highest-value configuration changes you can make for threat detection. By default, 4688 events do not include the full command line that was used to launch the process. Enabling command line inclusion in 4688 events exposes exactly what commands were run, enabling detection of PowerShell one-liners, living-off-the-land attacks, and suspicious child processes.

# Enable command line in process creation events
# Group Policy path:
# Computer Configuration > Administrative Templates > System > Audit Process Creation
# Setting: Include command line in process creation events
# Value: Enabled

# Alternatively, via registry:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" `
    /v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

With this enabled, each 4688 event carries both the process name and the full command line, making it far easier to identify malicious activity in event logs and SIEM queries. Two practical consequences: anyone who can read the Security log (or the SIEM) now sees every argument passed to every process, including passwords or tokens that tools accept on the command line, so tighten read access accordingly; and 4688 volume on busy servers rises noticeably, so re-check the Security log size after enabling it.
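As an added example (not from the original page), the script below reads recent 4688 events, confirms that the CommandLine field is actually populated (an empty field across all events means the policy above is not in effect), and flags command lines matching a handful of living-off-the-land patterns. The regular expressions are an illustrative starting point chosen for this example, not a complete rule set, and the 24-hour window is an assumption.

```powershell
# Added example: hunt over 4688 events and verify command-line logging works.
# Run elevated (reading the Security log needs administrator rights or
# membership in Event Log Readers).
param(
    [int]$Hours = 24
)

# 1. Is command-line inclusion switched on? Same registry value as the reg add above.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$cmdLineEnabled = (Get-ItemProperty -Path $key -Name ProcessCreationIncludeCmdLine_Enabled `
                   -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled -eq 1
Write-Host "ProcessCreationIncludeCmdLine_Enabled: $cmdLineEnabled"

# 2. Turn one event into a hashtable keyed by the EventData field names
#    (NewProcessName, CommandLine, SubjectUserName, ParentProcessName, ...).
function ConvertTo-EventData([System.Diagnostics.Eventing.Reader.EventRecord]$Record) {
    $xml  = [xml]$Record.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data['TimeCreated'] = $Record.TimeCreated
    return $data
}

# 3. Patterns that are rarely legitimate on a server (illustrative, case-insensitive).
$Suspicious = @(
    '(?i)powershell.*\s-(e|ec|enc|encodedcommand)\s',                  # encoded PowerShell
    '(?i)(iex|invoke-expression).*(downloadstring|net\.webclient|invoke-webrequest|\biwr\b)',
    '(?i)certutil(\.exe)?.*-urlcache',                                 # certutil as downloader
    '(?i)mshta(\.exe)?\s+(http|vbscript|javascript)',
    '(?i)rundll32(\.exe)?\s+.*javascript:',
    '(?i)regsvr32(\.exe)?\s+.*/i:http',
    '(?i)\b(net\s+user|net\s+group|nltest|dsquery)\b.*/domain',        # domain recon
    '(?i)vssadmin.*delete\s+shadows|wbadmin.*delete\s+catalog'         # backup destruction
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No 4688 events in the last $Hours h; is Process Creation auditing enabled?"
    return
}

$withCmdLine = 0
$hits = foreach ($e in $events) {
    $d = ConvertTo-EventData $e
    if ($d.CommandLine) { $withCmdLine++ }
    foreach ($rx in $Suspicious) {
        if ($d.CommandLine -match $rx) {
            [pscustomobject]@{
                Time    = $d.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Parent  = $d.ParentProcessName
                Process = $d.NewProcessName
                CmdLine = $d.CommandLine
                Rule    = $rx
            }
            break   # one hit per event is enough
        }
    }
}

Write-Host ("{0} of {1} 4688 events carry a command line" -f $withCmdLine, $events.Count)
if ($withCmdLine -eq 0) {
    Write-Warning 'CommandLine is empty: enable "Include command line in process creation events".'
}
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

The ParentProcessName field only exists in 4688 on Windows 10 / Server 2016 and later, which is fine for Server 2022; on older hosts it is simply empty. Feed real findings into a SIEM rule rather than running this ad hoc, but it is a quick way to prove the policy produces what you expect.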

Auditable Events and How They Are Generated

Understanding which events are generated by which user actions helps you validate that your audit policy is working as expected. Key examples:

  • 4624 (Logon Success) — Generated on the machine being logged into when an account successfully authenticates. The Logon Type field distinguishes interactive (2), network (3), batch (4), service (5), unlock (7), NewCredentials such as runas /netonly (9), Remote Desktop (10) and cached interactive (11) logons.
  • 4625 (Logon Failure) — Generated on the target machine when authentication fails. Contains the Sub Status code that identifies the reason: 0xC000006A = wrong password, 0xC0000064 = username does not exist, 0xC000006F = logon outside allowed hours.
  • 4648 (Explicit Credential Use) — Generated when a process uses explicit credentials (runas, WMI or PowerShell remoting with -Credential). Attackers reusing stolen credentials produce it, but so do scheduled tasks and routine admin tooling, so correlate it with the matching 4624 on the target rather than alerting on it alone.
  • 4672 (Special Logon) — Generated immediately after the 4624 of a logon whose token holds sensitive privileges (SeDebugPrivilege, SeImpersonatePrivilege, SeTcbPrivilege and others). Every administrator logon produces one, so the value is in spotting accounts that should not have such rights.
  • 4688 (Process Creation) — Generated when any new process starts. With command line logging enabled, the full command is visible.
  • 4698 (Scheduled Task Created) — Generated in the Security log when a scheduled task is created. It belongs to Object Access > Other Object Access Events, not to Detailed Tracking, so that subcategory must audit Success for it to appear. Attackers frequently use scheduled tasks for persistence.
  • 4719 (Audit Policy Changed) — Generated when the local audit policy is modified, which may indicate an attacker attempting to disable logging. Expect a burst of these when you deploy a new GPO; anything outside a change window deserves a look.
  • 4720 (User Account Created) — Generated when a new local or domain user account is created.

Mapping Advanced Audit Policy to Basic Audit Policy

If you need to understand how the nine Advanced Audit Policy categories map to the Basic Audit Policy categories (useful when reviewing legacy documentation or migrating from older configurations), here is the mapping:

Basic Category                 -> Advanced Subcategories (partial)
----------------------------------------------------------------------
Audit account logon events     -> Credential Validation, Kerberos Authentication
                                  Kerberos Service Ticket, Other Account Logon
Audit account management       -> All Account Management subcategories
Audit directory service access -> Directory Service Access, Changes, Replication
Audit logon events             -> Logon, Logoff, Account Lockout, Special Logon
                                  IPsec, Network Policy Server
Audit object access            -> File System, Registry, Kernel Object, SAM
                                  Certification Services, Application Generated
                                  Handle Manipulation, File Share, Filtering Platform
                                  Other Object Access
Audit policy change            -> Audit Policy Change, Authentication Policy Change
                                  Authorization Policy Change, MPSSVC, Other Policy
Audit privilege use            -> Sensitive Privilege Use, Non-Sensitive Privilege Use
Audit process tracking         -> Process Creation, Process Termination, DPAPI, RPC
                                  PNP Activity, Token Right Adjusted
Audit system events            -> Security State Change, Security System Extension
                                  System Integrity, IPsec Driver

Configuring Audit Log Size and Retention

Even the most comprehensive audit policy is useless if the Security event log fills up and begins overwriting important events before they can be reviewed or forwarded. Configure log size and retention through Group Policy or directly on the server.

# Set Security log to 1 GB maximum with overwrite as needed
# Group Policy path:
# Computer Configuration > Administrative Templates > Windows Components >
#   Event Log Service > Security
# Settings:
# - Maximum Log Size (KB): 1048576  (1 GB)
# - Retain old events: Disabled     (overwrite as needed)
# - Log Access: (restrict via ACL if needed)

# Via wevtutil on the local machine:
wevtutil sl Security /ms:1073741824   # 1 GB maximum
wevtutil sl Security /rt:false        # Overwrite when full (circular)

# Set Application and System logs to 256 MB each
wevtutil sl Application /ms:268435456
wevtutil sl System /ms:268435456

# Verify current log configuration
wevtutil gl Security

For domain controllers, the Security log should be set to at least 2–4 GB given the volume of authentication events generated. If you are forwarding events via WEF or a SIEM agent, the local log acts as a buffer — size it to hold at least 24 hours of events in case the forwarding pipeline is interrupted. For environments where log retention compliance is required (e.g., PCI DSS requires 12 months, 3 months immediately available), supplement local buffering with a centralized log management platform that retains events for the required duration.
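To check the "at least 24 hours of buffer" guidance on a real host rather than guessing, the following added example (not from the original page) measures the time span currently held in a log, derives the observed ingest rate from it, and projects how many hours the configured maximum size will hold. It uses only Get-WinEvent; the log name and the 24-hour target are parameters and the projection is an estimate, since the file grows in chunks and event rates vary by time of day.

```powershell
# Added example: estimate how many hours of events the local Security log buffers.
# Run elevated. Assumes the log has at least two events in it.
param(
    [string]$LogName     = 'Security',
    [double]$TargetHours = 24
)

$log    = Get-WinEvent -ListLog $LogName
$oldest = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1   # first record still in the log
$newest = Get-WinEvent -LogName $LogName -MaxEvents 1           # most recent record

$span         = $newest.TimeCreated - $oldest.TimeCreated
$hoursCovered = [math]::Max($span.TotalHours, 0.01)             # avoid dividing by zero on a fresh log
$bytesPerHour = $log.FileSize / $hoursCovered                   # observed ingest rate (approximate)

# Once the log has wrapped, the covered span *is* the buffer; before that,
# projecting from the current rate tells you how long the maximum size will last.
$wrapped        = $log.IsLogFull -or ($log.FileSize -ge $log.MaximumSizeInBytes)
$projectedHours = $log.MaximumSizeInBytes / $bytesPerHour

[pscustomobject]@{
    Log            = $LogName
    RetentionMode  = $log.LogMode            # Circular = "overwrite as needed"
    MaxSizeMB      = [math]::Round($log.MaximumSizeInBytes / 1MB)
    CurrentSizeMB  = [math]::Round($log.FileSize / 1MB)
    Records        = $log.RecordCount
    OldestEvent    = $oldest.TimeCreated
    Wrapped        = $wrapped
    HoursCovered   = [math]::Round($hoursCovered, 1)
    ProjectedHours = [math]::Round($projectedHours, 1)
    MeetsTarget    = ($projectedHours -ge $TargetHours)
}

if ($projectedHours -lt $TargetHours) {
    $neededMB = [math]::Ceiling($bytesPerHour * $TargetHours / 1MB)
    Write-Warning ("{0} holds about {1:N1} h at the current rate; raise it to roughly {2} MB, e.g. wevtutil sl {0} /ms:{3}" `
        -f $LogName, $projectedHours, $neededMB, ($neededMB * 1MB))
}
```

Run it on a domain controller during business hours and again overnight; the difference between the two rates is the margin you need on top of the projected size.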

After deploying your advanced audit policy via Group Policy, verify the effective configuration on each target server using auditpol /get /category:* and confirm that expected events are appearing in the Security log by performing test actions such as a failed login attempt, account creation, or privilege escalation, and then verifying the corresponding event IDs appear in Event Viewer.
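The following added example (not from the original page) turns that verification step into a repeatable check. After you have performed the test actions, it counts the expected event IDs in the Security log over a recent window and, for any ID that did not appear, reports whether the subcategory that produces it is actually enabled in the effective policy. The ID-to-subcategory mapping follows the event descriptions above; the 30-minute window is an assumption, and the test actions themselves are left to the operator.

```powershell
# Added example: confirm expected Security event IDs are being written, and
# point at the auditpol subcategory to fix when they are not. Run elevated,
# after performing the test actions (failed logon, account creation, ...).
param(
    [int]$Minutes = 30
)

# Expected IDs, the subcategory that produces them, and the setting that must be on.
$Expected = @(
    @{ Id = 4624; Subcategory = 'Logon';                      Needs = 'Success' }
    @{ Id = 4625; Subcategory = 'Logon';                      Needs = 'Failure' }
    @{ Id = 4672; Subcategory = 'Special Logon';              Needs = 'Success' }
    @{ Id = 4688; Subcategory = 'Process Creation';           Needs = 'Success' }
    @{ Id = 4698; Subcategory = 'Other Object Access Events'; Needs = 'Success' }
    @{ Id = 4719; Subcategory = 'Audit Policy Change';        Needs = 'Success' }
    @{ Id = 4720; Subcategory = 'User Account Management';    Needs = 'Success' }
)

# Effective policy keyed by subcategory name (English auditpol output assumed).
$policy = @{}
auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
    ForEach-Object { $policy[$_.Subcategory] = $_.'Inclusion Setting' }

$since   = (Get-Date).AddMinutes(-$Minutes)
$results = foreach ($x in $Expected) {
    # Get-WinEvent raises a non-terminating "no events found" error on a miss; @() makes it a count of 0.
    $seen = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $x.Id; StartTime = $since } `
                           -ErrorAction SilentlyContinue).Count
    $setting = $policy[$x.Subcategory]
    $enabled = ($setting -eq $x.Needs) -or ($setting -eq 'Success and Failure')

    if ($seen -gt 0)        { $verdict = 'OK' }
    elseif (-not $enabled)  { $verdict = "MISSING: enable $($x.Needs) on '$($x.Subcategory)'" }
    else                    { $verdict = 'policy on, no event yet: perform the test action' }

    [pscustomobject]@{
        EventId     = $x.Id
        Seen        = $seen
        Subcategory = $x.Subcategory
        Setting     = $setting
        Verdict     = $verdict
    }
}

$results | Format-Table -AutoSize
```

A "policy on, no event yet" line is not a failure by itself; it means the subcategory is configured but nothing has exercised it, so trigger the action (for 4720, create and immediately delete a throwaway local account) and run the check again.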