Recommended Audit Policy Settings for Everyone

Key Security Events for All Windows Networks

Account Management

Other Account Management Events

4782

The password hash an account was accessed

Security Group Management

4732

A member was added to a security-enabled local group

4728

A member was added to a security-enabled global group

User Account Management

4726

A user account was deleted

4725

A user account was disabled

4722

A user account was enabled

4720

A user account was created

4794

An attempt was made to set the Directory Services Restore Mode administrator password

Other Account Management Events

4793

The Password Policy Checking API was called

Computer Account Management

4741

A computer account was created

4742

A computer account was changed

4743

A computer account was deleted

Security Group Management

4756

A member was added to a security-enabled universal group

User Account Management

5377

Credential Manager credentials were restored from a backup.

4781

The name of an account was changed

4780

The ACL was set on accounts which are members of administrators groups

Detailed Tracking

DPAPI Activity

4693

Recovery of data protection master key was attempted

4694

Protection of auditable protected data was attempted

4695

Unprotection of auditable protected data was attempted

Process Termination

4689

A process has exited

Process Creation

4688

A new process has been created

DPAPI Activity

4692

Backup of data protection master key was attempted

Logon/Logoff

Other Logon/Logoff Events

4649

A replay attack was detected

Logon, Account Lockout

4625

An account failed to log on

User / Device Claims

4626

User / Device claims information

Group Membership

4627

Group membership information

Logon

4648

A logon was attempted using explicit credentials

Other Logon/Logoff Events

4800

The workstation was locked

4801

The workstation was unlocked

Logon

4675

SIDs were filtered

Other Logon/Logoff Events

4778

A session was reconnected to a Window Station

4779

A session was disconnected from a Window Station

Object Access

Other Object Access Events

4702

A scheduled task was updated

File Share

5142

A network share object was added

Other Object Access Events

4701

A scheduled task was disabled

4700

A scheduled task was enabled

4699

A scheduled task was deleted

4698

A scheduled task was created

File System, Kernel Object, Registry, Removable Storage

4663

An attempt was made to access an object

File Share

5144

A network share object was deleted

Policy Change

MPSSVC Rule-Level Policy Change

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer

4952

Windows Firewall ignored parts of a rule because its minor version number is not recognized

Other Policy Change Events

5063

A cryptographic provider operation was attempted.

MPSSVC Rule-Level Policy Change

4957

Windows Firewall did not apply the following rule

4956

Windows Firewall changed the active profile

4953

Windows Firewall ignored a rule because it could not be parsed

4950

A Windows Firewall setting was changed

4951

Windows Firewall ignored a rule because its major version number is not recognized

Other Policy Change Events

4819

Central Access Policies on the machine have been changed

5064

A cryptographic context operation was attempted.

5065

A cryptographic context modification was attempted.

5066

A cryptographic function operation was attempted.

5067

A cryptographic function modification was attempted.

5068

A cryptographic function provider operation was attempted.

5069

A cryptographic function property operation was attempted.

5070

A cryptographic function property modification was attempted.

6145

One or more errors occurred while processing security policy in the group policy objects.

MPSSVC Rule-Level Policy Change

4948

A change was made to the Windows Firewall exception list. A rule was deleted

Authentication Policy Change

4739

Domain Policy was changed

Audit Policy Change

4719

System audit policy was changed

Other Policy Change Events

4826

Boot Configuration Data loaded

Audit Policy Change

4902

The Per-user audit policy table was created

Authentication Policy Change

4718

System security access was removed from an account

4717

System security access was granted to an account

4713

Kerberos policy was changed

Authorization Policy Change

4704

A user right was assigned

MPSSVC Rule-Level Policy Change

4949

Windows Firewall settings were restored to the default values.

Audit Policy Change

4904

An attempt was made to register a security event source

4912

Per User Audit Policy was changed

MPSSVC Rule-Level Policy Change

4944

The following policy was active when the Windows Firewall started

4945

A rule was listed when the Windows Firewall started

4946

A change was made to the Windows Firewall exception list. A rule was added

4947

A change was made to the Windows Firewall exception list. A rule was modified

System

IPsec Driver

5485

IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.

5484

The IPsec Policy Agent service experienced a critical failure and has shut down.

5483

The IPsec Policy Agent service failed to initialize its RPC server.

5480

IPsec Policy Agent failed to get the complete list of network interfaces on the computer.

5478

The IPsec Policy Agent service was started.

Other System Events

1102

The audit log was cleared

1104

The security event log is now full

1101

Audit Events Have Been Dropped By The Transport

1100

The event logging service has shut down

System Integrity

5060

Verification operation failed.

Other System Events

5050

An attempt to programmatically disable Windows Firewall was rejected.

5037

The Windows Firewall Driver detected a critical runtime error.

5035

The Windows Firewall Driver failed to start.

5034

The Windows Firewall Driver was stopped.

5033

The Windows Firewall Driver started successfully.

5032

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

5030

The Windows Firewall service failed to start.

5029

The Windows Firewall service failed to initialize the driver.

5028

Windows Firewall was unable to parse the new security policy.

5027

The Windows Firewall service was unable to retrieve the security policy from the local storage.

5024

The Windows Firewall service started successfully.

Are you compliant?

Check your audit settings now

Validator

How to Enable Auditing

System / Group Policy instructions

Group Policy Auditpol.exe

How to enable auditing with Group Policy

Open the “Group Policy Management” application
Navigate to the “Group Policy Objects” container of the applicable domain
Right-click the container and add a new GPO object with a descriptive name (e.g. “Mandatory Auditing”)
Right-click the newly created GPO object and select “Import Settings”
Proceed with the wizard and point the “Backup Folder” path to the folder where the zip file was extracted to
The GPO object will now contain all audit policies for all events listed above
Link the GPO to the domain or select OUs

Download Group Policy Object

How to enable auditing with auditpol.exe

            
    auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
    auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
    auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
    auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
    auditpol /set /subcategory:"User / Device Claims" /success:enable /failure:enable
    auditpol /set /subcategory:"Group Membership" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
    auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
    auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
    auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
    auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
            
          

How to enable Windows Auditing via Group Policy