Recommended Audit Policy Settings for Everyone

Key Security Events for All Windows Networks

Account Management

User Account Management

4720

A user account was created

4722

A user account was enabled

4725

A user account was disabled

4726

A user account was deleted

Security Group Management

4728

A member was added to a security-enabled global group

4732

A member was added to a security-enabled local group

Computer Account Management

4741

A computer account was created

4742

A computer account was changed

4743

A computer account was deleted

Security Group Management

4756

A member was added to a security-enabled universal group

Other Logon/Logoff Events

4780

The ACL was set on accounts which are members of administrators groups

Other Account Management Events

4782

The password hash an account was accessed

4793

The Password Policy Checking API was called

Detailed Tracking

Process Creation

4688

A new process has been created

Process Termination

4689

A process has exited

DPAPI Activity

4692

Backup of data protection master key was attempted

4693

Recovery of data protection master key was attempted

4694

Protection of auditable protected data was attempted

4695

Unprotection of auditable protected data was attempted

Logon/Logoff

Logon, Account Lockout

4625

An account failed to log on

User / Device Claims

4626

User / Device claims information

Group Membership

4627

Group membership information

Logon

4648

A logon was attempted using explicit credentials

Other Logon/Logoff Events

4649

A replay attack was detected

Logon

4675

SIDs were filtered

Other Logon/Logoff Events

4778

A session was reconnected to a Window Station

4779

A session was disconnected from a Window Station

4800

The workstation was locked

4801

The workstation was unlocked

Object Access

File Share

5142

A network share object was added

File System, Kernel Object, Registry, Removable Storage

4663

An attempt was made to access an object

Other Object Access Events

4698

A scheduled task was created

4699

A scheduled task was deleted

4700

A scheduled task was enabled

4701

A scheduled task was disabled

4702

A scheduled task was updated

Policy Change

Other Policy Change Events

6145

One or more errors occurred while processing security policy in the group policy objects.

Audit Policy Change

4902

The Per-user audit policy table was created

4904

An attempt was made to register a security event source

4912

Per User Audit Policy was changed

MPSSVC Rule-Level Policy Change

4944

The following policy was active when the Windows Firewall started

4945

A rule was listed when the Windows Firewall started

4946

A change was made to the Windows Firewall exception list. A rule was added

4947

A change was made to the Windows Firewall exception list. A rule was modified

4948

A change was made to the Windows Firewall exception list. A rule was deleted

4949

Windows Firewall settings were restored to the default values.

4950

A Windows Firewall setting was changed

4951

Windows Firewall ignored a rule because its major version number is not recognized

4952

Windows Firewall ignored parts of a rule because its minor version number is not recognized

4953

Windows Firewall ignored a rule because it could not be parsed

4956

Windows Firewall changed the active profile

4957

Windows Firewall did not apply the following rule

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer

Authentication Policy Change

4713

Kerberos policy was changed

Audit Policy Change

4719

System audit policy was changed

Authentication Policy Change

4739

Domain Policy was changed

Other Policy Change Events

5063

A cryptographic provider operation was attempted.

5064

A cryptographic context operation was attempted.

5065

A cryptographic context modification was attempted.

5066

A cryptographic function operation was attempted.

5067

A cryptographic function modification was attempted.

5068

A cryptographic function provider operation was attempted.

5069

A cryptographic function property operation was attempted.

5070

A cryptographic function property modification was attempted.

4819

Central Access Policies on the machine have been changed

4826

Boot Configuration Data loaded

System

Other System Events

1100

The event logging service has shut down

1102

The audit log was cleared

IPsec Driver

5478

The IPsec Policy Agent service was started.

5480

IPsec Policy Agent failed to get the complete list of network interfaces on the computer.

5483

The IPsec Policy Agent service failed to initialize its RPC server.

5484

The IPsec Policy Agent service experienced a critical failure and has shut down.

5485

IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.

Other System Events

5024

The Windows Firewall service started successfully.

5027

The Windows Firewall service was unable to retrieve the security policy from the local storage.

5028

Windows Firewall was unable to parse the new security policy.

5029

The Windows Firewall service failed to initialize the driver.

5030

The Windows Firewall service failed to start.

5032

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

5033

The Windows Firewall Driver started successfully.

5034

The Windows Firewall Driver was stopped.

5035

The Windows Firewall Driver failed to start.

5037

The Windows Firewall Driver detected a critical runtime error.

5050

An attempt to programmatically disable Windows Firewall was rejected.

System Integrity

5060

Verification operation failed.

Are you compliant?

Check your audit settings now

Validator

How to Enable Auditing

System / Group Policy instructions

Group Policy Auditpol.exe

How to enable auditing with Group Policy

Open the “Group Policy Management” application
Navigate to the “Group Policy Objects” container of the applicable domain
Right-click the container and add a new GPO object with a descriptive name (e.g. “Mandatory Auditing”)
Right-click the newly created GPO object and select “Import Settings”
Proceed with the wizard and point the “Backup Folder” path to the folder where the zip file was extracted to
The GPO object will now contain all audit policies for all events listed above
Link the GPO to the domain or select OUs

Download Group Policy Object

How to enable auditing with auditpol.exe

            
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
    auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
    auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
    auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
    auditpol /set /subcategory:"User / Device Claims" /success:enable /failure:enable
    auditpol /set /subcategory:"Group Membership" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
    auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
    auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
    auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
            
          

How to enable Windows Auditing via Group Policy