Advanced audit policy in Windows using auditpol.exe

It's preferred to set the advanced audit policy through the command prompt/PowerShell rather than the GUI. Note that even after you apply the settings through the command line, the GUI might not reflect them. But that is not an issue. That's as far as I know.

Open gpedit.msc/secpol.msc

  • Computer Configuration – Security Settings – Security Options
  • Set the policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to “Enabled”.

To get full information about the advanced audit policy on a server, use the command

  • Auditpol.exe /get /category:*

The output lists the categories and subcategories with their status: success/failure/not configured.

A few examples:

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable /failure:enable

The command below enables only success

  • Auditpol.exe /set /subcategory:"credential validation" /success:enable

The command below sets credential validation to “no auditing”

  • Auditpol.exe /set /subcategory:"credential validation" /success:disable /failure:disable

You can group all of them, save them as a PowerShell script or a batch file, and run it on the required machines.
Please refer to the Microsoft link for detailed info: https://technet.microsoft.com/en-us/library//dd408940(v=ws.10).aspx
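
The grouping suggested above, as an added PowerShell example (not the author's script): it checks the override option, applies each subcategory setting with auditpol.exe and reads it back with /get /r. The subcategories other than “credential validation” and the SCENoApplyLegacyAuditPolicy registry check are assumptions added here, and the subcategory names assume an English-language system.

```powershell
#Requires -RunAsAdministrator
# Added example: apply a small audit baseline with auditpol.exe and verify it.
# The subcategory list is an illustrative assumption, not a baseline taken from the page.
$baseline = @(
    @{ Name = 'Credential Validation';     Success = 'enable'; Failure = 'enable'  }
    @{ Name = 'Logon';                     Success = 'enable'; Failure = 'enable'  }
    @{ Name = 'Security Group Management'; Success = 'enable'; Failure = 'disable' }
    @{ Name = 'Audit Policy Change';       Success = 'enable'; Failure = 'enable'  }
)

# The "Force audit policy subcategory settings" option is stored in this value (1 = Enabled).
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -ne 1) {
    Write-Warning 'Subcategory override is not enabled; category-level policy may overwrite these settings.'
}

foreach ($item in $baseline) {
    $sub = $item.Name
    # Pass both /success and /failure so the result does not depend on the previous state.
    & auditpol.exe /set /subcategory:"$sub" /success:$($item.Success) /failure:$($item.Failure) | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Error "auditpol /set failed for '$sub'"; continue }

    # /r prints CSV; the "Inclusion Setting" column holds the effective setting.
    $row = & auditpol.exe /get /subcategory:"$sub" /r | Where-Object { $_ } | ConvertFrom-Csv
    $expected = switch ("$($item.Success)/$($item.Failure)") {
        'enable/enable'  { 'Success and Failure' }
        'enable/disable' { 'Success' }
        'disable/enable' { 'Failure' }
        default          { 'No Auditing' }
    }
    $status = if ($row.'Inclusion Setting' -eq $expected) { 'OK' } else { 'MISMATCH' }
    '{0,-28} {1,-20} {2}' -f $sub, $row.'Inclusion Setting', $status
}
```

A MISMATCH line after a successful /set usually means another policy source has reapplied its own setting.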


How to create a security database/security template to apply on local computers or non-domain joined computers

1. Start – Run – mmc. File – Add/Remove Snap-in

2. Select “Security Configuration and Analysis” and “Security Templates” and click Add. Select OK.

3. Right-click “Security Templates” and select “New Template”. Provide a template name (Template1) and description and click OK.

4. To create a new database – under Console Root – right-click “Security Configuration and Analysis” and click “Open Database” – provide a name for the database (Database1) – select “Template1” (the template which we created in the previous step) and click Open.

5. Go to Security Templates, expand “Template1” and configure the required policies.

6. Right-click “Template1” and save the changes.

Now the database and the template are created and can be moved to standalone computers/servers.

To apply it on a computer/server

1. Open mmc – File – Add/Remove Snap-in – add “Security Configuration and Analysis”.

2. Right-click “Security Configuration and Analysis” – select “Open Database” – select “Database1” and click OK.

3. Right-click “Security Configuration and Analysis” and select “Analyze Computer Now”.

4. Once the process is complete, it lists the default policies and the policies configured in the database. The ones with a red mark indicate the differences between the policies.

5. Right-click “Security Configuration and Analysis” and select “Configure Computer Now” to apply the policies from Database1.

Enable MSS in local security policy (secpol.msc) on Windows Server 2012 R2

1. Download Microsoft Security Compliance Manager (133 MB).

2. Install it on a Windows Server 2008 R2 server. (Other OS could also be used. I am sharing my experience :) )

3. Install Microsoft Security Compliance Manager on the Windows Server 2008 R2 server.

4. Browse to the folder C:\Program Files (x86)\Microsoft Security Compliance Manager\LGPO

5. Copy LocalGPO.msi to the Windows Server 2012 R2 machine and install it (ignore the warnings).

a) Browse to the folder C:\Program Files (x86)\LGPO\

b) Open the file LocalGPO.wsf and search for 6.2.

c) There should be 2 entries. Replace 6.2 with 6.3 in both entries and save the file.

d) Open command-linehere.cmd.

e) Enter the command cscript LocalGPO.wsf /configSCE

6. Open secpol.msc.

7. Browse to Security Settings – Local Policies – Security Options – scroll down to see MSS.