What is Generate Security Audits?
The Generate Security Audits security policy setting determines which accounts a process can use to write audit records to the Security log. When certain events occur, such as unauthorized access to a computer, file and folder access attempts, and security policy changes, the Local Security Authority Subsystem Service (LSASS) writes these events to the log.
This information in the Security log can be used to trace any unauthorized access to the system.
Why Generate Security Auditing
Controlling which accounts hold the Generate security audits right is crucial for maintaining visibility into the security posture of the system. By capturing and recording security events, administrators can monitor for suspicious behavior, detect unauthorized access attempts, and investigate security incidents effectively. Additionally, security audits help organizations comply with regulatory requirements by providing an audit trail of security-related activities.
Local vs Network service accounts
To maintain security, it's best to assign the Generate security audits user right only to the Local Service and Network Service accounts. Both types of account are built-in Windows accounts used to run system services with different levels of access and privileges.
The table below shows the high-level differences between the Local Service and Network Service accounts:
Feature | Local Service | Network Service
Scope | Local computer only | Local computer and network
Permissions | Minimal local access | Local access plus network access
Accesses network resources | No (default) | Yes
Use cases | Local services | Networked services
This user right is considered a “sensitive privilege” for auditing event purposes. However, there are specific exceptions. Member Servers with the Web Server (IIS) Role and Web Server Role Service require an exception to grant IIS application pool(s) this user right. Similarly, Member Servers with the Active Directory Federation Services Role require an exception to grant this user right to the NT SERVICE\ADFSSrv, NT SERVICE\DRS services, and the associated Active Directory Federation Services service account.
Malicious use of security logs
By monitoring the security log, administrators can detect and investigate security incidents, track user activity, identify system misconfigurations, and ensure compliance with security policies and regulatory requirements.
However, a malicious user could use accounts that can write to the Security log to fill that log with meaningless events. If the computer is configured to overwrite events as needed, malicious users could use this method to remove evidence of their unauthorized activities. If the computer is configured to shut down when it is unable to write to the Security log, and it is not configured to automatically back up the log files, this method could be used to create a DoS condition.
Enable Generate Security Audit
To change the configuration for the Generate security audits setting in Windows, use the following Group Policy path:
Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment
Or follow this procedure:
- Press Win + R to open the Run dialog.
- Type secpol.msc and click OK.
- If the User Account Control dialog appears, select Continue.
- In the Local Security Policy tool, navigate to Security Settings > Local Policies > User Rights Assignment.
- In the results panel, open Generate security audits.
Recommended settings
The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE.
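The following PowerShell script is an added example (not part of the original article) that checks the current holders of this user right, known internally as SeAuditPrivilege, against the recommended state above. It exports the local policy with secedit.exe, compares the result to the well-known SIDs of LOCAL SERVICE and NETWORK SERVICE, and reports any extra or missing accounts; the $allowedExtra list is a hypothetical place to record the IIS or ADFS exceptions on servers that hold those roles.

```powershell
# Added example: audit the "Generate security audits" (SeAuditPrivilege) assignment.
# Assumptions: run in an elevated PowerShell session on the host being checked;
# secedit.exe is available; $allowedExtra is filled in per server role.

$inf = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null

# Well-known SIDs for the two built-in service accounts (secedit writes them with a leading '*')
$baseline = @('*S-1-5-19', '*S-1-5-20')   # LOCAL SERVICE, NETWORK SERVICE

# Hypothetical role-specific exceptions (e.g. IIS application pool identities, ADFS services).
# Leave empty on hosts that do not hold those roles.
$allowedExtra = @()

# Pull the SeAuditPrivilege line out of the [Privilege Rights] section of the export
$line = Get-Content $inf | Where-Object { $_ -match '^SeAuditPrivilege\s*=' }
$current = @()
if ($line) {
    $current = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$unexpected = @($current  | Where-Object { $_ -notin ($baseline + $allowedExtra) })
$missing    = @($baseline | Where-Object { $_ -notin $current })

# Translate SIDs back to account names so the report is readable
foreach ($entry in $unexpected) {
    $sid = $entry.TrimStart('*')
    try {
        $name = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
    } catch { $name = $sid }
    Write-Warning "Unexpected holder of SeAuditPrivilege: $name ($entry)"
}
foreach ($entry in $missing) {
    Write-Warning "Baseline account missing from SeAuditPrivilege: $entry"
}
if (-not $unexpected -and -not $missing) {
    Write-Output 'SeAuditPrivilege matches the recommended baseline (LOCAL SERVICE, NETWORK SERVICE).'
}

Remove-Item $inf -ErrorAction SilentlyContinue
```

Run the script on a representative member server first; a non-empty $unexpected list on an IIS or ADFS host usually reflects the documented exceptions rather than a misconfiguration, and those SIDs belong in $allowedExtra.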
Possible values
- User-defined list of accounts
- Local Service
- Network Service
Default value
By default, this setting is Local Service and Network Service on domain controllers and stand-alone servers.
The following table lists the actual and effective default policy values for the most recent supported versions of Windows:
Server type or GPO | Default value
Default Domain Policy | Not defined
Default Domain Controller Policy | Local Service, Network Service
Stand-Alone Server Default Settings | Local Service, Network Service
Domain Controller Effective Default Settings | Local Service, Network Service
Member Server Effective Default Settings | Local Service, Network Service
Client Computer Effective Default Settings | Local Service, Network Service
Generate Security Audits Hardening
By effectively managing the “Generate security audits” setting, you empower your organization’s security posture by enabling comprehensive security monitoring, facilitating forensic investigations, and ensuring compliance with relevant regulations.
However, this is just one of many components needed for a robust security strategy. Server hardening is a comprehensive way to proactively monitor, detect, and respond to security threats.