Windows 10 Security: Comprehensive Audit Policy Configuration with Registry Details

0

Configuring audit policies in Windows 10 is a vital step in securing your system and protecting sensitive data. Audit policies allow you to monitor and track various activities and events, providing valuable insights into potential security breaches. In this blog post, we will provide you with 20 examples of audit policy configurations for Windows 10, along with complete registry details, empowering you to implement comprehensive security measures.

Before proceeding, please note that modifying the Windows Registry requires caution and should be done with care. It’s always recommended to back up your registry before making any changes.

Disclaimer: Modifying the Windows Registry can have adverse effects on your system if done incorrectly. Please proceed with caution and follow the instructions carefully.

Source: Microsoft TechNet – Audit Policy Settings Registry Values Link: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-policy-settings-registry-values

  1. Logon/Logoff Events: Enable auditing for successful and failed logon attempts to monitor user access to your system.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Audit Logon Events: Success, Failure
      Value Name: AuditLogonEvents
      Type: REG_DWORD
      Value: 0x3
  2. Account Management: Track changes related to user accounts and security groups for effective management.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Audit User Account Management: Success, Failure
        • Value Name: AuditUserAccountManagement
        • Type: REG_DWORD
        • Value: 0x3
      • Audit Security Group Management: Success, Failure
        • Value Name: AuditSecurityGroupManagement
        • Type: REG_DWORD
        • Value: 0x3
  3. Object Access – Files and Folders: Ensure comprehensive monitoring of file and folder access, including read, write, and delete operations
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem
      • Audit File System: Success, Failure
        • Value Name: NtfsDisable8dot3NameCreation
        • Type: REG_DWORD
        • Value: 0x0
  4. Object Access – Registry: Track changes made to the Windows registry, a critical component for system configuration.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
      • Audit Registry: Success, Failure
        • Value Name: AuditRegistry
        • Type: REG_DWORD
        • Value: 0x3
  5. Object Access – Removable Storage: Monitor activities related to removable storage devices, such as USB drives.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}
      • Audit Removable Storage: Success, Failure
        • Value Name: UpperFilters
        • Type: REG_MULTI_SZ
        • Value: PartMgr
  6. Policy Change: Track modifications to security policies to ensure critical settings remain intact.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Audit Policy Change: Success, Failure
        • Value Name: AuditPolicyChange
        • Type: REG_DWORD
        • Value: 0x3
  7. Privilege Use: Monitor the usage of elevated privileges to detect potential misuse.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Audit Sensitive Privilege Use: Success, Failure
        • Value Name: AuditSensitivePrivilegeUse
        • Type: REG_DWORD
        • Value: 0x3
  8. System Events: Track critical system events such as startup and shutdown for comprehensive monitoring.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Audit System Integrity: Success, Failure
        • Value Name: AuditSystemIntegrity
        • Type: REG_DWORD
        • Value: 0x3
      • Audit Security State Change: Success, Failure
        • Value Name: AuditSecurityStateChange
        • Type: REG_DWORD
        • Value: 0x3
  9. Account Logon Events: Audit events related to user account logon attempts, both successful and failed.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Audit Kerberos Authentication Service: Success, Failure
        • Value Name: AuditKerberosAuthenticationService
        • Type: REG_DWORD
        • Value: 0x3
  10. Detailed Tracking: Enable additional tracking for detailed security event logging.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Audit Detailed File Share: Success, Failure
        • Value Name: AuditDetailedFileShare
        • Type: REG_DWORD
        • Value: 0x3
      • Audit File Share: Success, Failure
        • Value Name: AuditFileShare
        • Type: REG_DWORD
        • Value: 0x3
  11. Directory Service Access: Monitor access and changes to your directory service, such as Active Directory.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\AccessProviders{0dcc9d72-6959-4e19-9e4c-01b0935f22d1}
      • Audit Directory Service Access: Success, Failure
        • Value Name: Providers
        • Type: REG_MULTI_SZ
        • Value: dsprov
  12. Process Tracking: Track process-related events like process creation and termination.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
      • Audit Process Creation: Success, Failure
        • Value Name: AuditProcessCreation
        • Type: REG_DWORD
        • Value: 0x3
      • Audit Process Termination: Success, Failure
        • Value Name: AuditProcessTermination
        • Type: REG_DWORD
        • Value: 0x3
  13. Account Logon Policy: Audit events related to user account logon policies.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Audit Credential Validation: Success, Failure
        • Value Name: AuditCredentialValidation
        • Type: REG_DWORD
        • Value: 0x3
  14. Firewall Rule Changes: Monitor changes to Windows Firewall rules to ensure the integrity of your network security.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules
      • Audit Firewall Rule Change: Success, Failure
        • No specific registry key. Use Windows Firewall with Advanced Security console to configure.
  15. Account Lockout: Track events related to account lockouts, which can indicate potential unauthorized access attempts.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
      • Audit Account Lockout: Success, Failure
        • Value Name: LockoutAuditEvents
        • Type: REG_DWORD
        • Value: 0x3
  16. Distribution Group Changes: Monitor changes to distribution groups within your organization.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
      • Audit Distribution Group Management: Success, Failure
        • Value Name: AuditDistributionGroupManagement
        • Type: REG_DWORD
        • Value: 0x3
  17. Account Policy Changes: Track modifications to account policies, such as password policy changes.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
      • Audit Account Policy Change: Success, Failure
        • Value Name: AuditAccountPasswordPolicyChange
        • Type: REG_DWORD
        • Value: 0x3
  18. Log Clearing: Audit events related to clearing security logs to maintain data integrity.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
      • Audit Security Log Cleared: Success, Failure
        • No specific registry key. Use Event Viewer to track security log clearing.
  19. Windows Installer: Monitor software installation events initiated by Windows Installer.
    • Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Installer
      • Audit MSI Install: Success, Failure
        • Value Name: Logging
        • Type: REG_SZ
        • Value: voicewarmup
  20. Credential Theft: Audit events related to potential credential theft.
    • Registry Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
      • Audit Credential Theft: Success, Failure
        • Value Name: AuditCredentialThief
        • Type: REG_DWORD
        • Value: 0x3

Conclusion: Configuring audit policies in Windows 10 is a crucial step in maintaining system security. By enabling the appropriate audit policies, you can monitor and track various events, ensuring the integrity of your system and protecting sensitive data. However, it’s important to exercise caution when modifying the Windows Registry and always create backups before making any changes.

Please refer to the provided Microsoft TechNet source for detailed information on audit policy settings and their corresponding registry values. Remember to consult your organization’s security requirements and compliance regulations to tailor the audit policy configurations to your specific needs.

Stay vigilant, implement robust security measures, and regularly review your audit policies to enhance the overall security posture of your Windows 10 environment.

Sources:

Leave a Reply

Your email address will not be published. Required fields are marked *

Verified by MonsterInsights