Configure advanced audit policies
Implement auditing using Group Policy and AuditPol.exe
- Auditpol.exe with the /get subcommand can be used to query audit policies, for example: Auditpol.exe /get /category:"Object Access"
- Auditpol.exe with the /set subcommand can be used to configure audit policies, for example: Auditpol.exe /set /Category:"Object Access" /Subcategory:"File System" /success:Enable
- Auditpol.exe /backup can be used to back up audit settings so that they can be restored (with /restore) on another server
- Auditing can be enabled in the Default Domain Policy if you wish to target domain and local accounts. Auditing is configured under Computer Configuration. To audit both successful logons and failed logon attempts you need to enable both Success and Failure for 'Audit account logon attempts'
- Auditing 'Object Access' needs to be enabled both in Group Policy and on the Security tab of the object you wish to audit; without the entry on the object, no events are generated for it
- Audited events are recorded in the Security Event log
- Auditing privilege use allows you to audit events when a user exercises their special permissions; configure the setting on the server where the special permission is applied
- You can ensure that simple auditing will not conflict with advanced audit policies by enabling the "Audit: Force audit policy subcategory settings" group policy setting under "Security Settings\Local Policies\Security Options". Enabling this setting causes the simple audit policies to be ignored
Create expression-based audit policies
- Expression-based audit policies allow the same conditions that are used for Dynamic Access Control, including user and device claims, to be applied to auditing
- You can configure Global Object Access Auditing here: Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Global Object Access Auditing. This setting is preferred over the old process of enabling auditing in policy and then turning it on per folder
Create removable device audit policies
- You should edit the Advanced Audit Policy Configuration setting as it contains the new Audit Removable Storage setting. Only success should be enabled, as failure events will include audit events where the file was not successfully copied. You may also want to configure the Audit Handle Manipulation setting
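As an added example (not part of the original notes), the following PowerShell script ties together the Auditpol.exe points above: it backs up the current policy, enables Success-only auditing for the File System and Removable Storage subcategories, verifies the result from the CSV output of /get /r, checks that subcategory settings are forced over legacy categories, and confirms that a sample folder actually carries audit entries (SACL) so Object Access events can be generated. The backup path and the folder path are assumptions; run it in an elevated session.

```powershell
# Added example: configure and verify advanced audit policy with auditpol.exe.
# Assumptions: elevated PowerShell, backup file under %TEMP%, sample folder path.
$backupFile    = "$env:TEMP\auditpol-backup.csv"   # assumed location
$subcategories = @('File System', 'Removable Storage')

# 1. Back up the current policy first; restore later with:
#    auditpol.exe /restore /file:$backupFile
auditpol.exe /backup /file:$backupFile
if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed with exit code $LASTEXITCODE" }

# 2. Read a subcategory's current setting. /r prints CSV with an
#    'Inclusion Setting' column (e.g. "Success", "Success and Failure", "No Auditing").
function Get-AuditSetting([string]$Subcategory) {
    $rows = auditpol.exe /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}

# 3. Apply Success-only auditing (the notes above recommend Success only for
#    Removable Storage, since Failure would also record copies that did not complete).
foreach ($sub in $subcategories) {
    Write-Host ("{0,-20} before: {1}" -f $sub, (Get-AuditSetting $sub))
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:disable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$sub'" }
    $after = Get-AuditSetting $sub
    Write-Host ("{0,-20} after:  {1}" -f $sub, $after)
    if ($after -notmatch 'Success') { throw "Verification failed for '$sub'" }
}

# 4. "Audit: Force audit policy subcategory settings" is backed by the Lsa value
#    SCENoApplyLegacyAuditPolicy = 1. Without it, legacy category settings pushed
#    by Group Policy can silently override the subcategory values set above.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'Subcategory settings are not forced; legacy category settings may override them.'
}

# 5. Object Access auditing also needs audit entries (a SACL) on the object itself;
#    check one folder (assumed path) and warn if none are present.
$target = 'C:\Shares\Finance'   # assumed sample folder
if (Test-Path $target) {
    $auditEntries = (Get-Acl -Path $target -Audit).Audit
    if (-not $auditEntries) {
        Write-Warning "$target has no audit entries; no 4663 object access events will be logged for it."
    }
}
```

Step 5 needs SeSecurityPrivilege, which is why the session must be elevated; the 4663 event referenced in the warning is the Security log's "An attempt was made to access an object" event that the Object Access subcategories produce.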