S I E M
Disclaimer: This information is based on the recommended settings from Microsoft for computers that are not known to be under active, successful attack by determined adversaries or malware. Furthermore, Perch provides no warranty or certification for the following recommendations; you assume all risks and liability arising from or relating to the use of and reliance upon the guidance in this document. As always, consult your own legal, regulatory and industry-based guidance for a properly configured log policy.
Perch’s ability to provide actionable information and event notifications through its Security Information & Event Management (SIEM) component relies on properly configured audit logging: if a subcategory is not audited, the corresponding events are never written to the Security log and cannot be collected. A standard audit logging policy can be created and enforced across a domain through Microsoft’s Active Directory via Group Policy Objects (GPOs). See the following Microsoft article for more information about creating GPOs: https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-firewall/create-a-group-policy-object
This article focuses on the specific audit logging configurations for Windows servers (domain controllers and member servers) and workstations.
Server Audit Logging
Below are the recommended audit logging configurations for Windows Servers:
Domain Controller
Audit Account Lockout: Success, Failure
Audit Audit Policy Change: Success, Failure
Audit Authentication Policy Change: Success, Failure
Audit Computer Account Management: Success, Failure
Audit Credential Validation: Success, Failure
Audit Detailed Directory Service Replication: Success, Failure
Audit Detailed File Share: Failure
Audit Directory Service Access: Success, Failure
Audit Directory Service Changes: Success, Failure
Audit Directory Service Replication: Success, Failure
Audit Distribution Group Management: Success, Failure
Audit DPAPI Activity: Success, Failure
Audit File Share: Success, Failure
Audit File System: Success, Failure
Audit Filtering Platform Connection: Failure
Audit Group Membership: Success, Failure
Audit Kerberos Authentication Service: Success, Failure
Audit Kerberos Service Ticket Operations: Success, Failure
Audit Logoff: Success, Failure
Audit Logon: Success, Failure
Audit MPSSVC Rule-Level Policy Change: Success, Failure
Audit Non Sensitive Privilege Use: Failure
Audit Other Account Logon Events: Success, Failure
Audit Other Account Management Events: Success, Failure
Audit Other Logon/Logoff Events: Success, Failure
Audit Other Object Access Events: Success, Failure
Audit Other Policy Change Events: Success, Failure
Audit Other System Events: Success, Failure
Audit PNP Activity: Success, Failure
Audit Process Creation: Success, Failure
Audit Process Termination: Success, Failure
Audit Registry: Success, Failure
Audit Removable Storage: Success, Failure
Audit Security Group Management: Success, Failure
Audit Security State Change: Success, Failure
Audit Security System Extension: Success, Failure
Audit Sensitive Privilege Use: Success, Failure
Audit Special Logon: Success, Failure
Audit System Integrity: Success, Failure
Audit User Account Management: Success, Failure
Audit User/Device Claims: Success, Failure
Member Server
Audit Credential Validation: Success, Failure
Audit Kerberos Authentication Service: Success, Failure
Audit Kerberos Service Ticket Operations: Success, Failure
Audit Other Account Logon Events: Success, Failure
Audit Computer Account Management: Success, Failure
Audit Other Account Management Events: Success, Failure
Audit Security Group Management: Success, Failure
Audit User Account Management: Success, Failure
Audit DPAPI Activity: Success, Failure
Audit Process Creation: Success, Failure
Audit Directory Service Access: Success, Failure
Audit Directory Service Changes: Success, Failure
Audit Account Lockout: Success
Audit Logoff: Success
Audit Logon: Success, Failure
Audit Other Logon/Logoff Events: Success, Failure
Audit Special Logon: Success, Failure
Audit Audit Policy Change: Success, Failure
Audit Authentication Policy Change: Success, Failure
Audit MPSSVC Rule-Level Policy Change: Success
Audit IPsec Driver: Success, Failure
Audit Security State Change: Success, Failure
Audit Security System Extension: Success, Failure
Audit System Integrity: Success, Failure
Windows Workstation Audit Logging
Below are the recommended audit logging configurations for Windows Workstations:
Workstation
Audit Credential Validation: Success, Failure
Audit Kerberos Authentication Service: Success, Failure
Audit Kerberos Service Ticket Operations: Success, Failure
Audit Other Account Logon Events: Success, Failure
Audit Computer Account Management: Success, Failure
Audit Other Account Management Events: Success, Failure
Audit Security Group Management: Success, Failure
Audit User Account Management: Success, Failure
Audit DPAPI Activity: Success, Failure
Audit Process Creation: Success, Failure
Audit Account Lockout: Success
Audit Logoff: Success
Audit Logon: Success, Failure
Audit Special Logon: Success, Failure
Audit Audit Policy Change: Success, Failure
Audit Authentication Policy Change: Success, Failure
Audit MPSSVC Rule-Level Policy Change: Success
Audit IPsec Driver: Success, Failure
Audit Security State Change: Success, Failure
Audit Security System Extension: Success, Failure
Audit System Integrity: Success, Failure
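To verify that a host actually received the policy above, the effective settings can be exported with auditpol /get /category:* /r and compared with the baseline. The following is an added example, not Perch's or Microsoft's code; it assumes the auditpol subcategory names are the article's names without the leading "Audit " (the domain controller and member server lists map the same way), and the CSV sample is constructed with a placeholder in the GUID column.

```python
"""Compare a host's effective audit policy (auditpol /get /category:* /r) with a baseline."""
import csv
import io

SF = {"Success", "Failure"}
# Workstation baseline from this article, keyed by auditpol subcategory name
# (the article's names without the leading "Audit ").
WORKSTATION_BASELINE = {name: set(SF) for name in (
    "Credential Validation", "Kerberos Authentication Service",
    "Kerberos Service Ticket Operations", "Other Account Logon Events",
    "Computer Account Management", "Other Account Management Events",
    "Security Group Management", "User Account Management", "DPAPI Activity",
    "Process Creation", "Logon", "Special Logon", "Audit Policy Change",
    "Authentication Policy Change", "IPsec Driver", "Security State Change",
    "Security System Extension", "System Integrity")}
WORKSTATION_BASELINE.update({"Account Lockout": {"Success"}, "Logoff": {"Success"},
                             "MPSSVC Rule-Level Policy Change": {"Success"}})

def parse_inclusion(setting):
    """Map auditpol's 'Inclusion Setting' cell to the set of audited outcomes."""
    setting = setting.strip()
    if setting == "Success and Failure":
        return set(SF)
    return {setting} if setting in SF else set()  # "No Auditing" / empty -> nothing

def parse_auditpol_csv(text):
    """Return {subcategory: audited outcomes} from the CSV auditpol /r prints."""
    return {row["Subcategory"].strip(): parse_inclusion(row["Inclusion Setting"])
            for row in csv.DictReader(io.StringIO(text))}

def find_gaps(effective, baseline):
    """Return {subcategory: outcomes the baseline requires but the host does not audit}.
    A subcategory absent from the auditpol output is treated as 'No Auditing'."""
    gaps = {}
    for sub, required in baseline.items():
        missing = required - effective.get(sub, set())
        if missing:
            gaps[sub] = missing
    return gaps

# Constructed sample of auditpol /r output; the GUID column holds a placeholder.
SAMPLE_AUDITPOL_CSV = """Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
WS01,System,Credential Validation,{GUID},Success and Failure,
WS01,System,Logon,{GUID},Success and Failure,
WS01,System,Logoff,{GUID},No Auditing,
WS01,System,Process Creation,{GUID},Success,
"""

if __name__ == "__main__":
    print(find_gaps(parse_auditpol_csv(SAMPLE_AUDITPOL_CSV), WORKSTATION_BASELINE))
```

Feed it the saved output of auditpol from a real host in place of the sample, and every subcategory it prints is one whose events the SIEM will not see.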
Again, this information is based on Microsoft recommendations for strong audit logging policies. Perch customers are welcome to log any audit items that they feel provide relevant and actionable information for their environment.
If you have any questions regarding the recommended audit logging policies listed above, please feel free to contact the Perch Support Team at help@perchsecurity.com.