Recommended Audit Policy Settings for Everyone

Key Security Events for All Windows Networks

Account Management

User Account Management

5377

Credential Manager credentials were restored from a backup.

Other Account Management Events

4782

The password hash an account was accessed

User Account Management

4781

The name of an account was changed

4780

The ACL was set on accounts which are members of administrators groups

Security Group Management

4756

A member was added to a security-enabled universal group

Computer Account Management

4743

A computer account was deleted

4742

A computer account was changed

4741

A computer account was created

Other Account Management Events

4793

The Password Policy Checking API was called

Security Group Management

4732

A member was added to a security-enabled local group

4728

A member was added to a security-enabled global group

User Account Management

4726

A user account was deleted

4725

A user account was disabled

4722

A user account was enabled

4720

A user account was created

4794

An attempt was made to set the Directory Services Restore Mode administrator password

Detailed Tracking

DPAPI Activity

4694

Protection of auditable protected data was attempted

Process Creation

4688

A new process has been created

Process Termination

4689

A process has exited

DPAPI Activity

4692

Backup of data protection master key was attempted

4695

Unprotection of auditable protected data was attempted

4693

Recovery of data protection master key was attempted

Logon/Logoff

Other Logon/Logoff Events

4779

A session was disconnected from a Window Station

4778

A session was reconnected to a Window Station

Logon, Account Lockout

4625

An account failed to log on

User / Device Claims

4626

User / Device claims information

Group Membership

4627

Group membership information

Logon

4648

A logon was attempted using explicit credentials

Other Logon/Logoff Events

4801

The workstation was unlocked

4800

The workstation was locked

4649

A replay attack was detected

Logon

4675

SIDs were filtered

Object Access

Other Object Access Events

4699

A scheduled task was deleted

File Share

5144

A network share object was deleted

5142

A network share object was added

File System, Kernel Object, Registry, Removable Storage

4663

An attempt was made to access an object

Other Object Access Events

4702

A scheduled task was updated

4701

A scheduled task was disabled

4700

A scheduled task was enabled

4698

A scheduled task was created

Policy Change

MPSSVC Rule-Level Policy Change

4949

Windows Firewall settings were restored to the default values.

4953

Windows Firewall ignored a rule because it could not be parsed

4952

Windows Firewall ignored parts of a rule because its minor version number is not recognized

4951

Windows Firewall ignored a rule because its major version number is not recognized

4950

A Windows Firewall setting was changed

4948

A change was made to the Windows Firewall exception list. A rule was deleted

Other Policy Change Events

6145

One or more errors occurred while processing security policy in the group policy objects.

MPSSVC Rule-Level Policy Change

4947

A change was made to the Windows Firewall exception list. A rule was modified

4956

Windows Firewall changed the active profile

4957

Windows Firewall did not apply the following rule

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer

Other Policy Change Events

5063

A cryptographic provider operation was attempted.

5064

A cryptographic context operation was attempted.

5065

A cryptographic context modification was attempted.

5066

A cryptographic function operation was attempted.

5067

A cryptographic function modification was attempted.

5068

A cryptographic function provider operation was attempted.

5069

A cryptographic function property operation was attempted.

5070

A cryptographic function property modification was attempted.

MPSSVC Rule-Level Policy Change

4945

A rule was listed when the Windows Firewall started

Authorization Policy Change

4704

A user right was assigned

Authentication Policy Change

4706

A new trust was created to a domain

4707

A trust to a domain was removed

4713

Kerberos policy was changed

4717

System security access was granted to an account

MPSSVC Rule-Level Policy Change

4946

A change was made to the Windows Firewall exception list. A rule was added

Authentication Policy Change

4718

System security access was removed from an account

Audit Policy Change

4719

System audit policy was changed

Other Policy Change Events

4819

Central Access Policies on the machine have been changed

4826

Boot Configuration Data loaded

Authentication Policy Change

4739

Domain Policy was changed

MPSSVC Rule-Level Policy Change

4944

The following policy was active when the Windows Firewall started

Audit Policy Change

4912

Per User Audit Policy was changed

4904

An attempt was made to register a security event source

4902

The Per-user audit policy table was created

System

Other System Events

1100

The event logging service has shut down

Security System Extension

4697

A service was installed in the system

4622

A security package has been loaded by the Local Security Authority

Security State Change

4621

Administrator recovered system from CrashOnAuditFail.

Other System Events

1104

The security event log is now full

1102

The audit log was cleared

1101

Audit Events Have Been Dropped By The Transport

IPsec Driver

5478

The IPsec Policy Agent service was started.

5480

IPsec Policy Agent failed to get the complete list of network interfaces on the computer.

5483

The IPsec Policy Agent service failed to initialize its RPC server.

5484

The IPsec Policy Agent service experienced a critical failure and has shut down.

5485

IPsec Policy Agent failed to process some IPsec filters on a plug-and-play event for network interfaces.

System Integrity

5060

Verification operation failed.

Other System Events

5050

An attempt to programmatically disable Windows Firewall was rejected.

5037

The Windows Firewall Driver detected a critical runtime error.

5035

The Windows Firewall Driver failed to start.

5034

The Windows Firewall Driver was stopped.

5033

The Windows Firewall Driver started successfully.

5032

Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.

5030

The Windows Firewall service failed to start.

5029

The Windows Firewall service failed to initialize the driver.

5028

Windows Firewall was unable to parse the new security policy.

5027

The Windows Firewall service was unable to retrieve the security policy from the local storage.

5024

The Windows Firewall service started successfully.

Are you compliant?

Check your audit settings now

Validator

How to Enable Auditing

System / Group Policy instructions

Group Policy Auditpol.exe

How to enable auditing with Group Policy

Open the “Group Policy Management” application
Navigate to the “Group Policy Objects” container of the applicable domain
Right-click the container and add a new GPO object with a descriptive name (e.g. “Mandatory Auditing”)
Right-click the newly created GPO object and select “Import Settings”
Proceed with the wizard and point the “Backup Folder” path to the folder where the zip file was extracted to
The GPO object will now contain all audit policies for all events listed above
Link the GPO to the domain or select OUs

Download Group Policy Object

How to enable auditing with auditpol.exe

            
    auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
    auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
    auditpol /set /subcategory:"DPAPI Activity" /success:enable /failure:enable
    auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
    auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable
    auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
    auditpol /set /subcategory:"User / Device Claims" /success:enable /failure:enable
    auditpol /set /subcategory:"Group Membership" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable
    auditpol /set /subcategory:"File Share" /success:enable /failure:enable
    auditpol /set /subcategory:"File System" /success:enable /failure:enable
    auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
    auditpol /set /subcategory:"Registry" /success:enable /failure:enable
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
    auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
    auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
    auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
    auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
    auditpol /set /subcategory:"IPsec Driver" /success:enable /failure:enable
    auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
            
          

How to enable Windows Auditing via Group Policy