Manage Auditing and Security Log Configuration

By Ben Balkin

May 2nd, 2024

What is security logging and auditing?

Security logging and auditing in a Windows environment refers to the process of systematically recording events and activities that occur within the operating system. These audit records are stored in the security log, a component of the Windows Event Viewer.

Manage auditing and security log setting grants specific users or groups the authority to configure auditing policies and manage security logs. This includes tasks such as enabling or disabling auditing for various types of events, specifying which events to audit, setting log retention policies, clearing logs and reviewing audit logs for security analysis.

This security setting is a critical aspect of Windows security configuration, especially in environments where maintaining comprehensive audit trails is essential for compliance and security monitoring.

Security logging and auditing with Microsoft Exchange Server

In environments where Microsoft Exchange Server is deployed, the Exchange Servers group requires the specified privilege on Domain Controllers (DC) for proper functionality. Consequently, Domain Controllers that allocate this privilege to the Exchange Servers group are deemed compliant with this standard. Conversely, in environments where Microsoft Exchange Server is not utilized, the privilege should be restricted solely to Administrators on Domain Controllers.

Windows Update Result in Memory Leak and Domain Controllers Crashing

What is audit log management

The Manage auditing and security log setting determines which users can change the auditing options for files and directories and clear the Security log. Resources can vary from files, active directory objects and services registry keys and non active directory objects.

These objects have their system access control lists (SACL). Along with the ability to set if an object is audited or not, it’s possible to set the level of auditing for a specific object

These objects include:

Enabling/disabling auditing for various security events (e.g., successful logins, failed access attempts).
Defining what type of events are logged (success, failure, both).
Viewing and clearing the Security log, which stores recorded security events.

Security logging purpose

Logging events in any system is central to maintaining a strong security posture.
The ability to manage auditing and security logs is crucial for several reasons.

Having the ability to monitor a system’s events in order to identify suspicious activity is crucial and allows important data like unauthorized access and negative patterns to be recognized. If something goes wrong, the log also provides evidence of what happened, helping identify the culprit using forensic analysis.

In many industries, there are regulatory standards and guidelines which require organizations to maintain audit trails of security-related events for compliance purposes.

Auditing and security log vulnerabilities

Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the Manage auditing and security log user right can manage the security log and change auditing configurations.

Within these rights is the ability to erase entries which could be used to clear evidence of tampering. Therefore it is paramount to use the principle of least privilege in order to prevent malicious parties from being able to access and manipulate log data.

Default Values

By default this setting is Administrators on domain controllers and on stand-alone servers. Possible values include:

User-defined list of accounts
Administrators
Not Defined

The following table lists the actual and effective default policy values for the most recent supported versions of Windows.

Server type or GPO	Default value
Default Domain Policy	Not defined
Default Domain Controller Policy	Administrators
Stand-Alone Server Default Settings	Administrators
Domain Controller Effective Default Settings	Administrators
Member Server Effective Default Settings	Administrators
Client Computer Effective Default Settings	Administrators

Policy management

When making changes to this policy setting, user rights assigned will become effective the next time the account logs on, it is not required for the system to be restarted

Audits for object access aren’t performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool.

Before removing this right from a group, it is important to investigate whether applications are dependent on this right to function.

How to change Manage auditing and security log in group policy

NOTE: Perform this procedure only if the account selected for data collection is not a member of the Domain Admins group.

GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment

Open the Group Policy Management console on any domain controller in the target domain: navigate to Start ? Windows Administrative Tools (Windows Server 2016 and higher) or Administrative Tools (Windows 2012) ? Group Policy Management.
In the left pane, navigate to Forest: <forest_name> ? Domains ? <domain_name> ? Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.
In the Group Policy Management Editor dialog, expand the Computer Configuration node on the left and navigate to Policies ? Windows Settings ? Security Settings ? Local Policies.
On the right, double-click the User Rights Assignment policy.
Locate the Manage auditing and security log policy and double-click it.
In the Manage auditing and security log Properties dialog, click Add User or Group, specify the user that you want to define this policy for.
Navigate to Start ? Run and type “cmd”. Input the gpupdate /force command and press Enter. The group policy will be updated.
Type repadmin /syncall command and press Enter for replicate GPO changes to other domain controllers.
Ensure that new GPO settings are applied on any audited domain controller.

How to change manage auditing and security log locally

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log

Manage auditing and security log grayed out

If the manage auditing and security log grayed out, it can indicate that a GPO currently controls that setting.

Recommended state

The recommended state for this setting is: Administrators and (when Exchange is running in the environment) Exchange Servers.

Note: This user right is considered a ‘sensitive privilege’ for the purposes of auditing.

Hardening best practices

Manage auditing and security log security setting empowers IT professionals to enhance the security posture of Windows systems by enabling robust auditing capabilities, ensuring compliance with regulatory requirements, and facilitating effective security monitoring and incident response. Hardening a system gives peace of mind knowing each and every security policy is configured properly.

Experience a personalized demo

See how automated policy enforcement enables continuous compliance

Free Demo

Watch Video

Cookie	Duration	Description
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.
__cfduid	1 month	The cookie is used by cdn services like CloudFare to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It does not correspond to any user ID in the web application and does not store any personally identifiable information.

Cookie	Duration	Description
bcookie	2 years	This cookie is set by linkedIn. The purpose of the cookie is to enable LinkedIn functionalities on the page.
lang	session	This cookie is used to store the language preferences of a user to serve up content in that stored language the next time user visit the website.
lidc	1 day	This cookie is set by LinkedIn and used for routing.
__stidv	1 year	This cookie is used by ShareThis. This cookie is used for sharing the content from the website to social networks.

Cookie	Duration	Description
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
__stid	1 year	The cookie is set by ShareThis. The cookie is used for site analytics to determine the pages visited, the amount of time spent, etc.

Cookie	Duration	Description
bscookie	2 years	This cookie is a browser ID cookie set by Linked share Buttons and ad tags.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.