{
	"id": "bde73802-f59e-4836-b654-d4af0b07f2c1",
	"created_at": "2026-04-06T15:53:47.844866Z",
	"updated_at": "2026-04-10T03:20:34.323652Z",
	"deleted_at": null,
	"sha1_hash": "81e109b35a8ae0ce3e03f005b820b82bf35fb950",
	"title": "System Audit Policy recommendations",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 108595,
	"plain_text": "System Audit Policy recommendations\r\nBy robinharwood\r\nArchived: 2026-04-06 15:16:14 UTC\r\n\r\nThis article covers the Windows audit policy settings and Microsoft's baseline and advanced recommendations for both workstations and servers. It provides guidance to help administrators choose appropriate audit policies based on their organization's needs.\r\n\r\nThe Security Compliance Manager (SCM) baseline recommendations shown here, along with the recommended settings to help detect system compromise, are intended only to be a starting baseline guide to administrators. Each organization must make its own decisions regarding the threats they face, their acceptable risk tolerances, and what audit policy categories or subcategories they should enable. Administrators without a thoughtful audit policy in place are encouraged to start with the settings recommended here, and then to modify and test before implementing in their production environment.\r\n\r\nThe recommendations are for enterprise-class computers, which Microsoft defines as computers that have average security requirements and require a high level of operational functionality. Entities needing higher security requirements should consider more aggressive audit policies.\r\n\r\nThe following baseline audit policy settings are recommended for normal security computers that aren't known to be under active, successful attack by determined adversaries or malware.\r\n\r\nThis section contains tables that list the audit setting recommendations that apply to the Windows operating system (OS) for both client and server.\r\n\r\nSystem Audit Policy table legend\r\nNotation | Recommendation\r\nYes | Enable in general scenarios\r\nNo | Don't enable in general scenarios\r\nIf | Enable if needed for a specific scenario, or if a role or feature for which auditing is desired is installed on the machine\r\nDC | Enable on domain controllers\r\n[Blank] | No recommendation\r\n\r\nThese tables contain the Windows default setting, the baseline recommendations, and stronger recommendations for which OS platform you're running. In each table, the columns are: Audit Policy Category or Subcategory; Windows Default (Success | Failure); Baseline Recommendation (Success | Failure); Stronger Recommendation (Success | Failure).\r\n\r\nWindows Client\r\nhttps://technet.microsoft.com/en-us/library/dn487457.aspx\r\nPage 1 of 9\r\n\r\nWindows Server\r\n\r\nAccount Logon\r\nAudit Credential Validation: No | No; Yes | No; Yes | Yes\r\nAudit Kerberos Authentication Service: Yes | Yes\r\nAudit Kerberos Service Ticket Operations: Yes | Yes\r\nAudit Other Account Logon Events: Yes | Yes\r\n\r\nAccount Management\r\nAudit Application Group Management\r\nAudit Computer Account Management: Yes | No; Yes | Yes\r\nAudit Distribution Group Management\r\nAudit Other Account Management Events: Yes | No; Yes | Yes\r\nAudit Security Group Management: Yes | No; Yes | Yes\r\nAudit User Account Management: Yes | No; Yes | No; Yes | Yes\r\n\r\nDetailed Tracking\r\nAudit DPAPI Activity: Yes | Yes\r\nAudit Process Creation: Yes | No; Yes | Yes\r\nAudit Process Termination\r\nAudit RPC Events\r\n\r\nDS Access\r\nAudit Detailed Directory Service Replication\r\nAudit Directory Service Access\r\nAudit Directory Service Changes\r\nAudit Directory Service Replication\r\n\r\nLogon and Logoff\r\nAudit Account Lockout: Yes | No; Yes | No\r\nAudit User/Device Claims\r\nAudit IPsec Extended Mode\r\nAudit IPsec Main Mode: IF | IF\r\nAudit IPsec Quick Mode\r\nAudit Logoff: Yes | No; Yes | No; Yes | No\r\nAudit Logon (1): Yes | Yes; Yes | Yes; Yes | Yes\r\nAudit Network Policy Server: Yes | Yes\r\nAudit Other Logon/Logoff Events\r\nAudit Special Logon: Yes | No; Yes | No; Yes | Yes\r\n(1) Beginning with Windows 10 version 1809, Audit Logon is enabled by default for both Success and Failure. In previous versions of Windows, only Success is enabled by default.\r\n\r\nObject Access\r\nAudit Application Generated\r\nAudit Certification Services\r\nAudit Detailed File Share\r\nAudit File Share\r\nAudit File System\r\nAudit Filtering Platform Connection\r\nAudit Filtering Platform Packet Drop\r\nAudit Handle Manipulation\r\nAudit Kernel Object\r\nAudit Other Object Access Events\r\nAudit Registry\r\nAudit Removable Storage\r\nAudit SAM\r\nAudit Central Access Policy Staging\r\n\r\nPolicy Change\r\nAudit Audit Policy Change: Yes | No; Yes | Yes; Yes | Yes\r\nAudit Authentication Policy Change: Yes | No; Yes | No; Yes | Yes\r\nAudit Authorization Policy Change\r\nAudit Filtering Platform Policy Change\r\nAudit MPSSVC Rule-Level Policy Change: Yes\r\nAudit Other Policy Change Events\r\n\r\nPrivilege Use\r\nAudit Non Sensitive Privilege Use\r\nAudit Other Privilege Use Events\r\nAudit Sensitive Privilege Use\r\n\r\nSystem\r\nAudit IPsec Driver: Yes | Yes; Yes | Yes\r\nAudit Other System Events: Yes | Yes\r\nAudit Security State Change: Yes | No; Yes | Yes; Yes | Yes\r\nAudit Security System Extension: Yes | Yes; Yes | Yes\r\nAudit System Integrity: Yes | Yes; Yes | Yes; Yes | Yes\r\n\r\nGlobal Object Access Auditing\r\nAudit IPsec Driver\r\nAudit Other System Events\r\nAudit Security State Change\r\nAudit Security System Extension\r\nAudit System Integrity\r\n\r\nEffective event log management requires monitoring both workstations and servers. Focusing solely on servers or domain controllers (DC) is a common oversight, as initial signs of malicious activity often appear on workstations. By including workstations in your monitoring strategy, you gain access to critical early indicators of compromise.\r\n\r\nBefore you deploy any audit policy in a production environment, administrators should carefully review, test, and validate the policy to ensure it meets organizational security and operational requirements.\r\n\r\nA perfect event ID to generate a security alert should contain the following attributes:\r\n- High likelihood that occurrence indicates unauthorized activity\r\n- Low number of false positives\r\n- Occurrence should result in an investigative/forensics response\r\n\r\nTwo types of events should be monitored and alerted:\r\n- Events where an occurrence is a strong indicator of unauthorized or suspicious activity.\r\n- An accumulation of events above an expected and accepted baseline.\r\n\r\nAn example of the first event is:\r\nIf Domain Admins are forbidden from signing into the computers that aren't DCs, a single occurrence of a Domain Admin member logging on to an end-user workstation should generate an alert and be investigated. This type of alert is easy to generate by using the Audit Special Logon event 4964 (Special groups were assigned to a new logon). Other examples of single instance alerts include:\r\n- If Server A should never connect to Server B, alert when they connect to each other.\r\n- Alert if a standard user account is unexpectedly added to a privileged or sensitive security group.\r\n- If employees in factory location A never work at night, alert when a user logs on at night.\r\n- Alert if an unauthorized service is installed on a DC.\r\n- Investigate if a regular end-user attempts to directly sign into a SQL Server for which they have no clear reason for doing so.\r\n- If you have no members in your Domain Admin group, and someone adds themselves there, check it immediately.\r\n\r\nAn example of the second event is:\r\nA high number of failed logon attempts might signal a password guessing attack. To detect this, organizations should first determine what is a normal rate of failed logons in their environment. Then alerts can be triggered when that baseline is exceeded.\r\n\r\nFor a comprehensive list of events that you should include when you monitor for signs of compromise, see Appendix L: Events to Monitor.\r\n\r\nThe following are the accounts, groups, and attributes that you should monitor to help you detect attempts to compromise your Active Directory Domain Services installation.\r\n- Systems for disabling or removal of antivirus and anti-malware software (automatically restart protection when it's manually disabled)\r\n- Administrator accounts for unauthorized changes\r\n- Activities that are performed by using privileged accounts (automatically remove account when suspicious activities are completed or the allotted time expired)\r\n- Privileged and VIP accounts in AD DS. Monitor for changes to attributes on the Account tab, such as:\r\n  - cn\r\n  - name\r\n  - sAMAccountName\r\n  - userPrincipalName\r\n  - userAccountControl\r\n  In addition to monitoring the accounts, restrict who can modify the accounts to as small a set of administrative users as possible. Refer to Appendix L: Events to Monitor for a list of recommended events to monitor, their criticality ratings, and an event message summary.\r\n- Group servers by the classification of their workloads, which allows you to quickly identify the servers that should be the most closely monitored and most stringently configured\r\n- Changes to the properties and membership of the following AD DS groups:\r\n  - Administrators\r\n  - Domain Admins\r\n  - Enterprise Admins\r\n  - Schema Admins\r\n- Disabled privileged accounts (such as built-in Administrator accounts in Active Directory and on member systems) for enabling the accounts\r\n- Management accounts to log all writes to the account\r\n- Built-in Security Configuration Wizard to configure service, registry, audit, and firewall settings to reduce the server's attack surface. Use this wizard if you implement jump servers as part of your administrative host strategy.\r\n\r\nReview the following links for additional information about monitoring AD DS:\r\n- Global Object Access Auditing is Magic\r\n- Introducing Auditing Changes in Windows 2008\r\n- Cool Auditing Tricks in Vista and 2008\r\n- One-Stop Shop for Auditing in Windows Server 2008 and Windows Vista\r\n- AD DS Auditing Step-by-Step Guide\r\n\r\nAll Event ID recommendations are accompanied by a criticality rating as follows:\r\nRating | Description\r\nHigh | Event IDs with a high criticality rating should always and immediately be alerted and investigated.\r\nMedium | An Event ID with a medium criticality rating could indicate malicious activity, but it must be accompanied by some other abnormality. An example can include an unusual number occurring in a particular time period, unexpected occurrences, or occurrences on a computer that normally wouldn't be expected to log the event. A medium-criticality event might also be collected as a metric and then compared over time.\r\nLow | An Event ID with a low criticality rating shouldn't garner attention or cause alerts, unless correlated with medium or high criticality events.\r\n\r\nThese recommendations are meant to provide a baseline guide for an administrator. All recommendations should be thoroughly reviewed before implementing in a production environment.\r\n\r\nAdvanced Audit Policy Configuration settings\r\nSource: https://technet.microsoft.com/en-us/library/dn487457.aspx",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://technet.microsoft.com/en-us/library/dn487457.aspx"
	],
	"report_names": [
		"dn487457.aspx"
	],
	"threat_actors": [],
	"ts_created_at": 1775490827,
	"ts_updated_at": 1775791234,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/81e109b35a8ae0ce3e03f005b820b82bf35fb950.pdf",
		"text": "https://archive.orkl.eu/81e109b35a8ae0ce3e03f005b820b82bf35fb950.txt",
		"img": "https://archive.orkl.eu/81e109b35a8ae0ce3e03f005b820b82bf35fb950.jpg"
	}
}