What is security logging and auditing?
Security logging and auditing in a Windows environment refers to the process of systematically recording events and activities that occur within the operating system. These audit records are stored in the security log, a component of the Windows Event Viewer.
Manage auditing and security log setting grants specific users or groups the authority to configure auditing policies and manage security logs. This includes tasks such as enabling or disabling auditing for various types of events, specifying which events to audit, setting log retention policies, clearing logs and reviewing audit logs for security analysis.
This security setting is a critical aspect of Windows security configuration, especially in environments where maintaining comprehensive audit trails is essential for compliance and security monitoring.
Security logging and auditing with Microsoft Exchange Server
In environments where Microsoft Exchange Server is deployed, the Exchange Servers group requires the specified privilege on Domain Controllers (DC) for proper functionality. Consequently, Domain Controllers that allocate this privilege to the Exchange Servers group are deemed compliant with this standard. Conversely, in environments where Microsoft Exchange Server is not utilized, the privilege should be restricted solely to Administrators on Domain Controllers.
Windows Update Result in Memory Leak and Domain Controllers Crashing
What is audit log management
The Manage auditing and security log setting determines which users can change the auditing options for files and directories and clear the Security log. Resources can vary from files, active directory objects and services registry keys and non active directory objects.
These objects have their system access control lists (SACL). Along with the ability to set if an object is audited or not, it’s possible to set the level of auditing for a specific object
These objects include:
- Enabling/disabling auditing for various security events (e.g., successful logins, failed access attempts).
- Defining what type of events are logged (success, failure, both).
- Viewing and clearing the Security log, which stores recorded security events.
Security logging purpose
Logging events in any system is central to maintaining a strong security posture.
The ability to manage auditing and security logs is crucial for several reasons.
Having the ability to monitor a system’s events in order to identify suspicious activity is crucial and allows important data like unauthorized access and negative patterns to be recognized. If something goes wrong, the log also provides evidence of what happened, helping identify the culprit using forensic analysis.
In many industries, there are regulatory standards and guidelines which require organizations to maintain audit trails of security-related events for compliance purposes.
Auditing and security log vulnerabilities
Inappropriate granting of user rights can provide system, administrative, and other high level capabilities. Accounts with the Manage auditing and security log user right can manage the security log and change auditing configurations.
Within these rights is the ability to erase entries which could be used to clear evidence of tampering. Therefore it is paramount to use the principle of least privilege in order to prevent malicious parties from being able to access and manipulate log data.
Default Values
By default this setting is Administrators on domain controllers and on stand-alone servers. Possible values include:
- User-defined list of accounts
- Administrators
- Not Defined
The following table lists the actual and effective default policy values for the most recent supported versions of Windows.
Server type or GPO | Default value |
Default Domain Policy | Not defined |
Default Domain Controller Policy | Administrators |
Stand-Alone Server Default Settings | Administrators |
Domain Controller Effective Default Settings | Administrators |
Member Server Effective Default Settings | Administrators |
Client Computer Effective Default Settings | Administrators |
Policy management
When making changes to this policy setting, user rights assigned will become effective the next time the account logs on, it is not required for the system to be restarted
Audits for object access aren’t performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool.
Before removing this right from a group, it is important to investigate whether applications are dependent on this right to function.
How to change Manage auditing and security log in group policy
NOTE: Perform this procedure only if the account selected for data collection is not a member of the Domain Admins group.
GPO_name\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
- Open the Group Policy Management console on any domain controller in the target domain: navigate to Start ? Windows Administrative Tools (Windows Server 2016 and higher) or Administrative Tools (Windows 2012) ? Group Policy Management.
- In the left pane, navigate to Forest: <forest_name> ? Domains ? <domain_name> ? Domain Controllers. Right-click the effective domain controllers policy (by default, it is the Default Domain Controllers Policy), and select Edit from the pop-up menu.
- In the Group Policy Management Editor dialog, expand the Computer Configuration node on the left and navigate to Policies ? Windows Settings ? Security Settings ? Local Policies.
- On the right, double-click the User Rights Assignment policy.
- Locate the Manage auditing and security log policy and double-click it.
- In the Manage auditing and security log Properties dialog, click Add User or Group, specify the user that you want to define this policy for.
- Navigate to Start ? Run and type “cmd”. Input the gpupdate /force command and press Enter. The group policy will be updated.
- Type repadmin /syncall command and press Enter for replicate GPO changes to other domain controllers.
- Ensure that new GPO settings are applied on any audited domain controller.
How to change manage auditing and security log locally
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Manage auditing and security log |
Manage auditing and security log grayed out
If the manage auditing and security log grayed out, it can indicate that a GPO currently controls that setting.
Recommended state
The recommended state for this setting is: Administrators and (when Exchange is running in the environment) Exchange Servers.
Note: This user right is considered a ‘sensitive privilege’ for the purposes of auditing.
Hardening best practices
Manage auditing and security log security setting empowers IT professionals to enhance the security posture of Windows systems by enabling robust auditing capabilities, ensuring compliance with regulatory requirements, and facilitating effective security monitoring and incident response. Hardening a system gives peace of mind knowing each and every security policy is configured properly.