Share via


One-Stop Shop for Auditing in Windows Server 2008 and Windows Vista

Hi, Ned here again. I am frequently asked by customers (and Microsoft employees!) where they can get to all the useful Windows Server 2008 and Windows Vista audit information. Unlike some of our other components, there’s no clear portal site on TechNet or MSDN that gives you everything in one fell swoop. Today I’ll attempt to aggregate everything so that you don’t have to sift. If you’re a regular reader of this blog, you may recognize some of these from previous posts; others may be new to you.

KB947226 - Description of security events in Windows Vista and in Windows Server 2008 -

To begin, the above KB article lists out all of the audit events, by category, by subcategory, by ID number, and finally by message. This is a good method to see the general organization of the new entries, and can be especially useful for an administrator who is looking to determine what audit events will be useful to track. It also has the honor of being perhaps the longest KB article ever written – no 14.4 modems allowed! :-)

Security audit events for Microsoft Windows Server 2008 and Microsoft Windows Vista -

For even more details on the audit events, you can download an Excel spreadsheet that contains all of the information of the KB article and allows for easier sorting and filtering. It also has (on the tab ‘Complete Event Messages’) the detailed message data so you know more about what will be returned when the event is triggered.

clip_image002

Figure 1 clip_image004

Figure 2 clip_image006

Figure 3 clip_image008

Figure 4

Note: If you don't have Excel, you can also use the free Excel Viewer.

KB921469 - How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain -

The above KB explains how to deploy subcategory-based auditing to all your up-level machines. While the article specifically states Vista, it is totally applicable to Win2008 machines as well.

KB947223 - Description of the Special Groups feature in Windows Vista and in Windows Server 2008 -

I recently blogged about Special Groups auditing and how it can be useful for specialty servers; the official KB is included here for the sake of completeness.

Windows Server 2008 Security Guide (Online) & Windows Server 2008 Security Guide (Downloadable) -
Windows Vista Security Guide (Online) & Windows Vista Security Guide (Downloadable) -

The four links above are to the Solution Accelerator series covering security within Vista and 2008. These are about far more than just auditing – they go into an overall process of making sure your attack surface is reduced across the board. They include information, recommendations, and scripts for a variety of security topics, including auditing.

Windows Server 2008 Auditing AD DS Changes Step-by-Step Guide -

Because it is so heavily changed from previous operating systems, the Directory Services auditing category was called out for special attention in a TechNet article. It covers the four new subcategories in detail:

  • Directory Service Access
  • Directory Service Changes
  • Directory Service Replication
  • Detailed Directory Service Replication

It goes through examples, setup, as well as the Attribute Syntax limitations where you can control the lengths of strings being audited for performance versus completeness.

AUDITPOL.EXE Reference

Auditpol.exe is a command-line tool included in Vista and 2008 for controlling auditing, especially around the new subcategories. Understanding of this tool is pretty much a requirement for making auditing work in an efficient manner. This article covers all the syntax as well as provides plenty of useful examples.

Windows Audit Team Blog (search pulling back Vista references)

I’ve said it before and I’ll say it again – if you want an authoritative answer to a Windows auditing question, this is the place to go. The link above is actually a search URL that returns everything Vista-related, but the overall site deserves immediate bookmarking in your blog viewer of choice.

Windows Server 2008 Security Resource Kit

Finally, if you’re not opposed to dropping a little cash, the Security Resource Kit is now available for Windows Server 2008 through all major booksellers. Chapter eight is 30 pages of audit goodness written by the guy that ran the whole show, Eric Fitzgerald.

As we add more public information I’ll come back and update this post, so feel free to bookmark in your favorite browser and feed reader. If you look through all this and find that there’s something missing, please let me know and I’ll track it down.

- Ned Pyle

Comments

  • Anonymous
    March 27, 2008
    The comment has been removed

  • Anonymous
    March 27, 2008
    Hi! Thanks very much for the kind words. Yes, that article applies to 2008 domains as well. I know because I wrote it. :) The title has been recently updated to include this (it's now "How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers in a Windows Server 2008 domain, in a Windows Server 2003 domain, or in a Windows 2000 domain.") but some of the internal wording still seems to just refer to 2000/2003. I'll get that fixed and end the confusion. Thanks!

  • Anonymous
    March 28, 2008
    Mon collègue Ned Pyle a publié en anglais un billet de référence sur les événements

  • Anonymous
    April 04, 2008
    [ Présentation de la news ] Voici un petit fichier Excel qui pourra certainement vous rendre quelques

  • Anonymous
    April 12, 2008
    [ Présentation de la news ] Voici un petit fichier Excel qui pourra certainement vous rendre quelques

  • Anonymous
    April 21, 2008
    Quando vi ho parlato della nuova proposizione strategica di Microsoft, " End to End Trust ",