Generate Security Audits – What you need to know

What is Generate Security Audits?

The Generate Security Audits security policy setting determines which accounts can be used by a process to generate audit records in the Security log. When certain events occur such as unauthorized access to a computer, file and folder access attempts and security policy changes, the Local Security Authority Subsystem Service (LSASS) writes these events to the log.

This information in the Security log can be used to trace any unauthorized access to the system.

Why Generate Security Auditing

Enabling the granting of generate security setting is crucial for maintaining visibility into the security posture of the system. By capturing and recording security events, administrators can monitor for suspicious behavior, detect unauthorized access attempts, and investigate security incidents effectively. Additionally, security audits help organizations comply with regulatory requirements by providing an audit trail of security-related activities.

Local vs Network service accounts

To maintain security, it’s best to assign the Generate security audits user right only to the Local Service and Network Service accounts. Both types of account are built-in Windows accounts used to run system services with different levels of access and privileges.

The below table shows the differences between high level local and network service account:

This user right is considered a “sensitive privilege” for auditing event purposes. However, there are specific exceptions. Member Servers with the Web Server (IIS) Role and Web Server Role Service require an exception to grant IIS application pool(s) this user right. Similarly, Member Servers with the Active Directory Federation Services Role require an exception to grant this user right to the NT SERVICEADFSSrv, NT SERVICEDRS services, and the associated Active Directory Federation Services service account.

Network Hardening Guide for IT Professionals

Malicious use of security logs

By monitoring the security log, administrators can detect and investigate security incidents, track user activity, identify system misconfigurations, and ensure compliance with security policies and regulatory requirements.

However, a malicious user could use accounts that can write to the Security log to fill that log with meaningless events. If the computer is configured to overwrite events as needed, malicious users could use this method to remove evidence of their unauthorized activities. If the computer is configured to shut down when it is unable to write to the Security log, and it is not configured to automatically back up the log files, this method could be used to create a DoS condition.

Enable Generate Security Audit

To change the configuration for the generate security audits setting in Windows, use the following path:

Or follow this procedure:

1. Press Win + R to open the Run dialog.
2. Type secpol.msc and click OK.
3. If the User Access Control dialog appears, select Continue.
4. In the Local Security Policy tool, navigate to Security Settings > Local Policies > User Rights Assignment.
5. In the results panel, open Generate security audits.

Recommended settings

The recommended state for this setting is: LOCAL SERVICE, NETWORK SERVICE.

Possible values

• User-defined list of accounts
• Local Service
• Network Service

Default value

By default, this setting is Local Service and Network Service on domain controllers and stand-alone servers.

The following table lists the actual and effective default policy values for the most recent supported versions of Windows:

Generate Security Audits Hardening

By effectively managing the “Generate security audits” setting, you empower your organization’s security posture by enabling comprehensive security monitoring, facilitating forensic investigations, and ensuring compliance with relevant regulations.

However this is just one component of many needed to keep a robust security strategy, server hardening is a comprehensive way to proactively monitor, detect and respond to security threats.