Security auditing is a methodical examination and review of activities that may affect the security of a system. In Windows Server and Active Directory environments, security auditing refers to the features and services that log and review events for specified security-related activities.
Hundreds of events occur as the Windows operating system and the applications that run on it perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.
Audit policies are configured through Group Policy. You can configure local policies, but in most Windows Server Active Directory environments, auditing is configured by applying policies at the domain, site, or organizational unit level.
The basic security audit policy settings in Security Settings\Local Policies\Audit Policy and the advanced security audit policy settings in Security Settings\Advanced Audit Policy Configuration\System Audit Policies appear to overlap, but they're recorded and applied differently.
There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy, and a larger set of settings under Security Settings\Advanced Audit Policy Configuration. The advanced settings address the same areas as the nine basic settings, but they allow administrators to be more selective about the number and types of events to audit: instead of nine basic audit policy settings, there are 58 different audit policy settings available through advanced audit policies. Advanced audit policies therefore let you be far more specific about what you are auditing than the basic audit policies can.
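Because the basic and advanced settings are applied differently, the practical question on any given server is "which subcategories are actually in effect right now, and do they match what I intended?" The following PowerShell script is an added example and is not part of the original post. It assumes an elevated PowerShell session on a Windows Server host with the built-in `auditpol.exe` and `Get-WinEvent`; the baseline list of subcategories is constructed for illustration and should be replaced with your own. It checks that subcategory settings are set to override the legacy category settings, reads the effective advanced audit policy as objects, reports drift from the baseline, corrects it locally, and then confirms that the change itself produced an audit event.

```powershell
# Added example (not from the original post): compare the effective advanced
# audit policy with an intended baseline, fix drift locally, and verify.
# Assumes an elevated PowerShell session on a Windows Server host; auditpol.exe
# and Get-WinEvent ship with Windows. Read-only steps (1, 2, 4) are safe to run
# first; step 5 changes the local policy.

#Requires -RunAsAdministrator

# 1. Confirm that subcategory (advanced) settings override the nine legacy
#    category settings. This registry value backs the policy
#    "Audit: Force audit policy subcategory settings (Windows Vista or later)
#    to override audit policy category settings"; 1 means advanced settings win.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -ne 1) {
    Write-Warning "SCENoApplyLegacyAuditPolicy is '$force'; legacy category settings may override advanced settings."
}

# 2. Dump the effective policy for every subcategory as objects rather than text.
#    'auditpol /r' emits CSV with columns including Subcategory, Subcategory GUID
#    and Inclusion Setting (e.g. 'Success and Failure', 'Success', 'No Auditing').
function Get-EffectiveAuditPolicy {
    auditpol.exe /get /category:* /r |
        ConvertFrom-Csv |
        Select-Object Subcategory, 'Subcategory GUID', 'Inclusion Setting'
}

# 3. Constructed baseline for this example: subcategories named exactly as
#    auditpol prints them, with the success/failure auditing we want on.
$baseline = @(
    @{ Subcategory = 'Process Creation';          Success = $true; Failure = $true }
    @{ Subcategory = 'Security Group Management'; Success = $true; Failure = $true }
    @{ Subcategory = 'Audit Policy Change';       Success = $true; Failure = $true }
    @{ Subcategory = 'Logon';                     Success = $true; Failure = $true }
)

# 4. Report drift between the baseline and the effective policy.
function Compare-AuditBaseline {
    param([array]$Baseline)
    $effective = Get-EffectiveAuditPolicy
    foreach ($item in $Baseline) {
        $row = $effective | Where-Object Subcategory -eq $item.Subcategory
        if (-not $row) { Write-Warning "Unknown subcategory '$($item.Subcategory)'"; continue }
        $setting = $row.'Inclusion Setting'
        [pscustomobject]@{
            Subcategory    = $item.Subcategory
            Effective      = $setting
            SuccessMissing = [bool]($item.Success -and ($setting -notmatch 'Success'))
            FailureMissing = [bool]($item.Failure -and ($setting -notmatch 'Failure'))
        }
    }
}

$drift = Compare-AuditBaseline -Baseline $baseline |
    Where-Object { $_.SuccessMissing -or $_.FailureMissing }
$drift | Format-Table -AutoSize

# 5. Remediate locally. In a domain, make this change in the GPO instead:
#    a local auditpol change is overwritten at the next Group Policy refresh.
foreach ($d in $drift) {
    $apArgs = @('/set', "/subcategory:$($d.Subcategory)")
    if ($d.SuccessMissing) { $apArgs += '/success:enable' }
    if ($d.FailureMissing) { $apArgs += '/failure:enable' }
    & auditpol.exe @apArgs | Out-Null
}

# 6. Verify: re-read the policy, and confirm the change was itself audited.
#    A system audit policy change is logged in the Security log under the
#    'Audit Policy Change' subcategory as event ID 4719.
Compare-AuditBaseline -Baseline $baseline | Format-Table -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Reading the policy back with `auditpol /get /category:* /r` rather than from the GPO is the point of the check: it shows what the Local Security Authority is actually enforcing after basic, advanced and local settings have been merged, which is what decides whether an event ever reaches the log.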
To help you get to grips with all these different policies, we've created a set of short videos, 5-10 minutes in length, that go through each of the advanced auditing policy categories, explain the individual policies, and describe the interesting event log entries those policies are likely to generate. The videos are as follows:
Introduction to Windows Server Advanced Security Auditing: https://www.youtube.com/watch?v=OvIraaN2ZnI
Account Logon policies: https://www.youtube.com/watch?v=A-EjL5sz5rk
Account Management policies: https://www.youtube.com/watch?v=jmxloIQp_yg
Detailed Tracking policies: https://www.youtube.com/watch?v=EXHWhGrlH5c
DS Access policies: https://www.youtube.com/watch?v=tZVFuFOppwA
Logon/Logoff policies: https://www.youtube.com/watch?v=9uooYpTBlsA
Object Access policies: https://www.youtube.com/watch?v=b9juS5RT1lg
Policy Change policies: https://www.youtube.com/watch?v=GKc4lo_shUg
Privilege Use policies: https://www.youtube.com/watch?v=L5bJ4z4qlco
System policies: https://www.youtube.com/watch?v=WhoLstyh0pA
Global Object Access Auditing policies: https://www.youtube.com/watch?v=NCNXWQoApIk
Understanding and applying audit policies is critical to making sure that the activity you want tracked on the computers you manage is actually recorded in the event log. Hopefully this set of videos, broken down into snack-sized chunks, will let you review what these policies can do and help you be more deliberate in how you audit activity on the computers that you manage.
You can also consult detailed information about advanced audit policies at the following link on Microsoft Learn: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-auditing-faq