Generate Security Audits – What you need to know

Updated on May 21, 2025

What is Generate Security Audits?

The Generate Security Audits security policy setting determines which accounts can be used by a process to generate audit records in the Security log. When certain events occur, such as unauthorized access to a computer, file and folder access attempts, and security policy changes, the Local Security Authority Subsystem Service (LSASS) writes these events to the log.

This information in the Security log can be used to trace any unauthorized access to the system.

Why the Generate Security Audits setting matters

Configuring the Generate security audits setting correctly is crucial for maintaining visibility into the security posture of the system. By capturing and recording security events, administrators can monitor for suspicious behavior, detect unauthorized access attempts, and investigate security incidents effectively. Additionally, security audits help organizations comply with regulatory requirements by providing an audit trail of security-related activities.

Local vs Network service accounts

To maintain security, it’s best to assign the Generate security audits user right only to the Local Service and Network Service accounts. Both types of account are built-in Windows accounts used to run system services with different levels of access and privileges.

The table below shows the high-level differences between the Local Service and Network Service accounts:

| Feature | Local Service | Network Service |
| --- | --- | --- |
| Scope | Local computer only | Local computer & Network |
| Permissions | Minimal local access | Local access + Network access |
| Accesses Network Resources | No (default) | Yes |
| Use Cases | Local services | Networked services |

This user right is considered a “sensitive privilege” for auditing event purposes. However, there are specific exceptions. Member Servers with the Web Server (IIS) Role and Web Server Role Service require an exception to grant IIS application pool(s) this user right. Similarly, Member Servers with the Active Directory Federation Services Role require an exception to grant this user right to the NT SERVICE\ADFSSrv, NT SERVICE\DRS services, and the associated Active Directory Federation Services service account.

Malicious use of security logs

By monitoring the security log, administrators can detect and investigate security incidents, track user activity, identify system misconfigurations, and ensure compliance with security policies and regulatory requirements.

However, a malicious user could use accounts that can write to the Security log to fill that log with meaningless events. If the computer is configured to overwrite events as needed, malicious users could use this method to remove evidence of their unauthorized activities. If the computer is configured to shut down when it is unable to write to the Security log, and it is not configured to automatically back up the log files, this method could be used to create a DoS condition.
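
The two conditions in the paragraph above can be checked from the log's retention mode and the audit-failure shutdown setting. The PowerShell below is an added example, not part of the original article: the function name `Get-SecurityLogFloodRisk` is hypothetical, and it assumes "overwrite events as needed" corresponds to the `Circular` log mode and "shut down when unable to write" to the LSA `CrashOnAuditFail` registry value.

```powershell
# Added example: flag the Security log settings that enable the two abuse cases above.
function Get-SecurityLogFloodRisk {
    param(
        # Retention mode as reported by Get-WinEvent -ListLog (EventLogMode enum).
        [Parameter(Mandatory)][ValidateSet('Circular', 'AutoBackup', 'Retain')][string]$LogMode,
        # LSA CrashOnAuditFail value: 0 = disabled, non-zero = halt when auditing fails.
        [int]$CrashOnAuditFail = 0,
        [long]$MaximumSizeInBytes = 0
    )
    $findings = @()
    if ($LogMode -eq 'Circular') {
        # Oldest events are overwritten, so a flood of events pushes out earlier evidence.
        $findings += "Overwrite as needed: flooding can push out older evidence " +
                     "(log holds $([math]::Round($MaximumSizeInBytes / 1MB)) MB)."
    }
    if ($LogMode -eq 'Retain' -and $CrashOnAuditFail -ne 0) {
        # The log is neither overwritten nor archived, and a full log halts the system.
        $findings += 'No overwrite, no automatic backup, halt when the log is full: DoS risk.'
    }
    if (-not $findings) { $findings += 'No flood-related weakness in these settings.' }
    [pscustomobject]@{
        LogMode          = $LogMode
        CrashOnAuditFail = $CrashOnAuditFail
        Findings         = $findings
    }
}

# Constructed settings for three hosts (not read from a real system).
$cases = @(
    @{ LogMode = 'Circular';   CrashOnAuditFail = 0; MaximumSizeInBytes = 20MB }
    @{ LogMode = 'Retain';     CrashOnAuditFail = 1; MaximumSizeInBytes = 128MB }
    @{ LogMode = 'AutoBackup'; CrashOnAuditFail = 0; MaximumSizeInBytes = 1GB }
)
foreach ($c in $cases) { Get-SecurityLogFloodRisk @c | Format-List }

# On a live host (elevated prompt), read the real values instead:
#   $log = Get-WinEvent -ListLog Security
#   $caf = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa').CrashOnAuditFail
#   Get-SecurityLogFloodRisk -LogMode $log.LogMode -CrashOnAuditFail $caf `
#       -MaximumSizeInBytes $log.MaximumSizeInBytes
```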


Enable Generate Security Audit

To change the configuration for the generate security audits setting in Windows, use the following path:

Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Or follow this procedure:

  1. Press Win + R to open the Run dialog.
  2. Type secpol.msc and click OK.
  3. If the User Account Control dialog appears, select Continue.
  4. In the Local Security Policy tool, navigate to Security Settings > Local Policies > User Rights Assignment.
  5. In the results panel, open Generate security audits.

Recommended settings

The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE.
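
To compare a host against this recommended state, the user rights can be exported with `secedit` and the `SeAuditPrivilege` line (the internal name of Generate security audits) checked against the two well-known SIDs. The PowerShell below is an added example, not part of the original article: the function names and the `-ApprovedExceptions` parameter are hypothetical, and the extra SID in the sample is a constructed placeholder.

```powershell
# Added example: audit which accounts hold "Generate security audits" (SeAuditPrivilege).
# Well-known SIDs: S-1-5-19 = LOCAL SERVICE, S-1-5-20 = NETWORK SERVICE.
function Get-AuditRightHolders {
    param([Parameter(Mandatory)][string[]]$InfLines)
    # secedit writes the right as: SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    $line = $InfLines | Where-Object { $_ -match '^\s*SeAuditPrivilege\s*=' } |
            Select-Object -First 1
    if (-not $line) { return }               # right not defined in this export
    $value = ($line -split '=', 2)[1]
    # Entries prefixed with * are SIDs; entries without it are account names.
    $value -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
}

function Test-AuditRightAssignment {
    param(
        [Parameter(Mandatory)][string[]]$InfLines,
        # Documented exceptions (e.g. IIS application pool or AD FS service accounts).
        [string[]]$ApprovedExceptions = @()
    )
    $required = @('S-1-5-19', 'S-1-5-20')
    $allowed  = $required + $ApprovedExceptions
    $holders  = @(Get-AuditRightHolders -InfLines $InfLines)
    [pscustomobject]@{
        Holders    = $holders
        Unexpected = @($holders  | Where-Object { $_ -notin $allowed })
        Missing    = @($required | Where-Object { $_ -notin $holders })
    }
}

# Constructed sample of a secedit export with one extra, unapproved account (placeholder SID).
$sample = @(
    '[Privilege Rights]'
    'SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1105'
)
Test-AuditRightAssignment -InfLines $sample | Format-List

# On a live host (elevated prompt):
#   secedit /export /cfg "$env:TEMP\rights.inf" /areas USER_RIGHTS
#   Test-AuditRightAssignment -InfLines (Get-Content "$env:TEMP\rights.inf")
```

For the sample, `Unexpected` lists the placeholder SID and `Missing` is empty; on servers with the IIS or AD FS exceptions described earlier, pass the approved identities through `-ApprovedExceptions`.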

Possible values

  • User-defined list of accounts
  • Local Service
  • Network Service

Default value

By default, this setting is Local Service and Network Service on domain controllers and stand-alone servers.

The following table lists the actual and effective default policy values for the most recent supported versions of Windows:

| Server type or GPO | Default value |
| --- | --- |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Local Service, Network Service |
| Stand-Alone Server Default Settings | Local Service, Network Service |
| Domain Controller Effective Default Settings | Local Service, Network Service |
| Member Server Effective Default Settings | Local Service, Network Service |
| Client Computer Effective Default Settings | Local Service, Network Service |

Generate Security Audits Hardening

By effectively managing the “Generate security audits” setting, you empower your organization’s security posture by enabling comprehensive security monitoring, facilitating forensic investigations, and ensuring compliance with relevant regulations.

However, this is just one component of a robust security strategy. Server hardening is a comprehensive way to proactively monitor, detect and respond to security threats.

Ben Balkin
Ben Balkin is a professional writer and blogger specializing in technology and innovation. As a contributor to the Calcom blog, Ben shares practical insights, useful tips, and engaging articles designed to simplify complex processes and make advanced technological solutions accessible to everyone. His writing style is clear, insightful, and inspiring, reflecting his strong belief in technology's power to enhance quality of life and empower businesses.
