G'day viewers, my name is Orin Thomas. I'm a Principal Hybrid Cloud Advocate at Microsoft. In this video, you'll learn about the Policy Change category of advanced security auditing for Windows Server. Policy change audit events allow you to track changes to important security policies on a local system or network. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description. This video is part of a series of videos on advanced auditing and related events that will be published in the coming weeks. Some of these topics are a bit dry, but we attempted to present them so you'd be able to review information about advanced auditing in a more digestible format.

As a Windows Server administrator, you should have a comprehensive understanding of advanced security auditing in Windows Server and Active Directory environments. Policy change audit events let you track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, tracking policy changes and attempts made to change policies is an important aspect of security management for a network.

This category includes the following policies:
- Audit Audit Policy Change
- Audit Authentication Policy Change
- Audit Authorization Policy Change
- Audit Filtering Platform Policy Change
- Audit MPSSVC Rule-Level Policy Change
- Audit Other Policy Change Events

The Audit Audit Policy Change policy determines whether the operating system generates audit events when changes are made to audit policy. Almost all events in this subcategory have security relevance and should be monitored.
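Before walking through each subcategory, here is how to switch on the six subcategories just listed and review the resulting Security log events. This is an added PowerShell example, not code from the video or from the learn.microsoft.com documentation; it assumes an elevated PowerShell session on a Windows Server host, uses the subcategory names as auditpol.exe spells them, and the set of event IDs it watches is a constructed selection drawn from the events this video covers.

```powershell
# Added example (not from the video or Microsoft docs). Assumes an elevated
# PowerShell session on Windows Server; subcategory names are auditpol's.

# The six subcategories of the Policy Change category
$subcategories = @(
    'Audit Policy Change',
    'Authentication Policy Change',
    'Authorization Policy Change',
    'Filtering Platform Policy Change',
    'MPSSVC Rule-Level Policy Change',
    'Other Policy Change Events'
)

# Enable Success and Failure auditing for each subcategory. This sets local
# policy only; a domain GPO that configures the same subcategory wins on the
# next Group Policy refresh, so production settings belong in the GPO.
foreach ($sub in $subcategories) {
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Confirm the effective settings for the whole category
auditpol.exe /get /category:"Policy Change"

# Constructed watch list of policy-change events discussed in this video:
# 4719 system audit policy changed, 4906 CrashOnAuditFail changed,
# 4904/4905 security event source registered/unregistered,
# 4706/4707 domain trust created/removed, 4713 Kerberos policy changed,
# 4704/4705 user right assigned/removed.
$watchIds = 4719, 4906, 4904, 4905, 4706, 4707, 4713, 4704, 4705

# Pull the last 24 hours of matching events and flatten EventData into
# a hashtable so the subject (who made the change) is easy to read.
Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $watchIds
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Summary = ($_.Message -split "`r?`n")[0]   # first line of the rendered message
        }
    } | Format-Table -AutoSize
```

Run the query part against a domain controller as well: trust changes (4706/4707) and Kerberos policy changes (4713) are recorded there, not on member servers.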
Changes to audit policy that are audited include:
- changing permissions and audit settings on the audit policy object
- changing the system audit policy
- registering and unregistering security event sources
- changing per-user audit settings
- changing the value of the CrashOnAuditFail flag
- changing audit settings on an object, for example modifying the system access control list (SACL) for a file or registry key

The following events will be enabled if you configure auditing through this policy:
- 4902, the per-user audit policy table was created
- 4907, auditing settings on object were changed
- 4904, an attempt was made to register a security event source
- 4905, an attempt was made to unregister a security event source

The following events related to audit policy changes are written to the Security log regardless of the Audit Audit Policy Change configuration:
- 4715, the audit policy (SACL) on an object was changed
- 4719, system audit policy was changed
- 4817, auditing settings on object were changed
- 4902, the per-user audit policy table was created
- 4906, the CrashOnAuditFail value has changed
- 4907, auditing settings on object were changed
- 4908, special groups logon table modified
- 4912, per-user audit policy was changed
- 4904, an attempt was made to register a security event source
- 4905, an attempt was made to unregister a security event source

The Audit Authentication Policy Change policy determines whether the operating system generates audit events when changes are made to authentication policy. Changes made to authentication policy include:
- creation, modification and removal of forest and domain trusts
- changes to Kerberos policy under Computer Configuration\Windows Settings\Security Settings\Account Policies\Kerberos Policy in an applied GPO
- granting any of the following user logon rights to a user or group: Access this computer from the network, Allow log on locally, Allow log on through Remote Desktop, Log on as a batch job, Log on as a service

This setting is useful for tracking changes in domain-level and forest-level trusts and in privileges that are granted to user accounts or groups. On domain controllers, it is important to enable Success auditing for this subcategory so that you get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory. The following events will be enabled if you configure auditing through this policy:
- 4670, permissions on an object were changed
- 4706, a new trust was created to a domain
- 4707, a trust to a domain was removed
- 4716, trusted domain information was modified
- 4713, Kerberos policy was changed
- 4717, system security access was granted to an account
- 4718, system security access was removed from an account
- 4739, domain policy was changed
- 4864, a namespace collision was detected
- 4865, a trusted forest information entry was added
- 4866, a trusted forest information entry was removed
- 4867, a trusted forest information entry was modified

The Audit Authorization Policy Change policy allows you to audit the assignment and removal of user rights in user rights policies, changes in security token object permissions, resource attribute changes, and central access policy changes for file system objects. With Success auditing for this subcategory, you can get information related to changes in user rights policies, changes of resource attributes, or central access policy applied to file system objects. The following events will be enabled if you configure auditing through this policy:
- 4703, a user right was adjusted
- 4704, a user right was assigned
- 4705, a user right was removed
- 4670, permissions on an object were changed
- 4911, resource attributes of the object were changed
- 4913, central access policy on the object was changed

The Audit Filtering Platform Policy Change policy allows you to audit events generated by changes to the Windows Filtering Platform (WFP), such as the following: IPsec services status, changes to IPsec policy settings, changes to Windows Filtering Platform Base Filtering Engine policy settings, and changes to WFP providers and engine. This policy, when enabled, creates event telemetry with 40 different event IDs. These event IDs are also displayed on the screen. I won't read them out here; you can either pause the video to read through them or review all of them in the documentation link below.

The Audit MPSSVC Rule-Level Policy Change policy determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe). The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computer's threat protection against malware. The tracked activities include:
- active policies when the Windows Firewall service starts
- changes to Windows Firewall rules
- changes to the Windows Firewall exception list
- changes to Windows Firewall settings
- rules ignored or not applied by the Windows Firewall service
- changes to Windows Firewall Group Policy settings

Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks. Success events show you changes in Windows Firewall rules and settings, the active configuration and rules after Windows Firewall service startup, and default configuration restore actions. Failure events may help to identify configuration problems with Windows Firewall rules or settings. This policy, when enabled, creates event telemetry with a large number of different event IDs. These event IDs are also displayed on the screen. I won't read them out here; you can either pause the video to read through them or review all of them in the documentation link below.

The Audit Other Policy Change Events policy contains events about Encrypting File System (EFS) Data Recovery Agent policy changes, changes in Windows Filtering Platform filters, status on security policy settings updates for local Group Policy settings, central access policy changes, and detailed troubleshooting events for Cryptography Next Generation (CNG) operations. This policy, when enabled, creates event telemetry with a large number of different event IDs. These event IDs are also displayed on the screen. I won't read them out here; you can either pause the video to read through them or review all of them in the documentation link below.

This video provided an introduction to the Policy Change category of Windows Server advanced security audit policies. The advice in this video is based on the documentation published on learn.microsoft.com at the link in this video's description. Increasing the security controls applied to Active Directory will improve your overall AD DS security posture, but it will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed-breach philosophy. I hope you found this video useful and informative. My name is Orin Thomas. You can find me at aka.ms/orin, and if you've got any questions or feedback, drop a comment below.