How to Configure Windows Server 2016 Audit Policy
A well-configured audit policy is essential for security monitoring, compliance, and forensic investigation. Windows Server 2016 provides granular audit policies through Advanced Audit Policy Configuration, which offers far more control than the basic audit policy settings. This guide explains how to configure audit policies to capture logon events, object access, privilege use, and policy changes.
Understanding Basic vs. Advanced Audit Policy
Windows offers two audit policy levels:
- Basic Audit Policy: 9 categories, configured under Security Settings > Local Policies > Audit Policy.
- Advanced Audit Policy: 53 subcategories, configured under Security Settings > Advanced Audit Policy Configuration. Provides much more granular control and is recommended for all Server 2016 deployments.
Step 1: View Current Audit Policy
auditpol /get /category:*
View a specific category:
auditpol /get /category:"Logon/Logoff"
Step 2: Configure Account Logon Events
Audit credential validation (captures logon attempts against the domain):
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
Audit Kerberos authentication service events:
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
Step 3: Configure Logon/Logoff Auditing
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable
Step 4: Configure Object Access Auditing
Enable file system and registry access auditing:
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
Enabling the subcategory alone generates no events; each file or folder to be watched also needs a SACL (System Access Control List) entry naming the principals and access types to audit. For a directory:
$acl = Get-Acl -Path "D:\SensitiveData"
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule("Everyone","FullControl","ContainerInherit,ObjectInherit","None","Success,Failure")
$acl.AddAuditRule($auditRule)
Set-Acl -Path "D:\SensitiveData" -AclObject $acl
Step 5: Configure Account Management Auditing
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
Step 6: Configure Privilege Use Auditing
auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /failure:enable
Step 7: Configure Policy Change Auditing
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable
Step 8: Configure Process Tracking
Detailed process tracking helps detect malware and suspicious activity:
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Process Termination" /success:enable
Enable command line logging in process creation events (event ID 4688). The Audit key does not exist by default, so create it before setting the value:
New-Item -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Force | Out-Null
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit" -Name "ProcessCreationIncludeCmdLine_Enabled" -Value 1 -Type DWord
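Once Steps 2 through 8 have been applied, the effective policy should be verified rather than assumed, because a later GPO or a manual change can silently undo it. The following script is an added example, not part of the original guide: it parses the CSV form of auditpol, compares every subcategory from Steps 2 through 8 against the expected setting, checks the command-line registry value from Step 8, and reports any drift. It assumes an elevated PowerShell session on an English-language system (auditpol prints localized subcategory names elsewhere).

```powershell
# Added example: verify the audit baseline from Steps 2-8 and report drift.
# Assumes an elevated session and English auditpol output.
$SuccessAndFailure = @(
    'Credential Validation', 'Kerberos Authentication Service',
    'Kerberos Service Ticket Operations', 'Logon', 'Account Lockout',
    'File System', 'Registry', 'Removable Storage',
    'User Account Management', 'Computer Account Management',
    'Security Group Management', 'Distribution Group Management',
    'Sensitive Privilege Use', 'Audit Policy Change'
)
$SuccessOnly = @(
    'Logoff', 'Special Logon', 'Authentication Policy Change',
    'Authorization Policy Change', 'Process Creation', 'Process Termination'
)
$FailureOnly = @('Non Sensitive Privilege Use')

# Expected text exactly as the "Inclusion Setting" column of auditpol /r prints it.
$Baseline = @{}
$SuccessAndFailure | ForEach-Object { $Baseline[$_] = 'Success and Failure' }
$SuccessOnly       | ForEach-Object { $Baseline[$_] = 'Success' }
$FailureOnly       | ForEach-Object { $Baseline[$_] = 'Failure' }

# /r emits CSV with one row per subcategory; drop the leading blank line before parsing.
$Effective = @{}
auditpol /get /category:* /r |
    Where-Object { $_.Trim() -ne '' } |
    ConvertFrom-Csv |
    ForEach-Object { $Effective[$_.Subcategory] = $_.'Inclusion Setting' }

# Collect every subcategory whose effective setting differs from the baseline.
$Drift = @(foreach ($Name in ($Baseline.Keys | Sort-Object)) {
    $Actual = if ($Effective.ContainsKey($Name)) { $Effective[$Name] } else { 'NOT FOUND' }
    if ($Actual -ne $Baseline[$Name]) {
        [pscustomobject]@{ Subcategory = $Name; Expected = $Baseline[$Name]; Actual = $Actual }
    }
})

# Command-line capture for 4688 is a registry value, not an auditpol setting, so check it separately.
$AuditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$CmdLine  = (Get-ItemProperty -Path $AuditKey -ErrorAction SilentlyContinue).ProcessCreationIncludeCmdLine_Enabled
if ($CmdLine -ne 1) {
    $Drift += [pscustomobject]@{ Subcategory = 'ProcessCreationIncludeCmdLine_Enabled'; Expected = 1; Actual = $CmdLine }
}

# Non-zero exit code lets a scheduled task or configuration-management run flag the host.
if ($Drift.Count -gt 0) { $Drift | Format-Table -AutoSize; exit 1 }
Write-Output 'Audit policy matches baseline.'
exit 0
```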
Step 9: Deploy Audit Policy via Group Policy
Advanced audit policy settings in GPO are found at:
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies
Export current audit policy for backup or deployment:
auditpol /backup /file:C:\AuditPolicy.csv
Restore audit policy:
auditpol /restore /file:C:\AuditPolicy.csv
Step 10: Configure Security Event Log Size
Increase Security log size to retain more audit events:
wevtutil sl Security /ms:1073741824
wevtutil sl Security /rt:false
This sets the Security log to 1 GB and disables retention, so the oldest events are overwritten only once the log is full. View current log settings:
wevtutil gl Security
Summary
A robust audit policy on Windows Server 2016 captures the security events needed for threat detection, compliance reporting, and forensic analysis. Advanced Audit Policy Configuration provides subcategory-level control, allowing you to enable exactly the events you need without flooding logs with noise. Pair audit logging with a SIEM solution for centralized analysis and alerting.