G'day viewers, my name is Oren Thomas. I'm a Principal Hybrid Cloud Advocate at Microsoft. In this video, you'll learn about Advanced Security Auditing for Windows Server. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description. This video is part of a series of short videos on advanced auditing and related events that will be published on this channel in the coming weeks. Our aim with this series of videos is to provide you with a comprehensive understanding of advanced security auditing in Windows Server and Active Directory environments.

Security auditing is a methodical examination and review of activities that may affect the security of a system or a broader Active Directory environment. In Windows Server and Active Directory environments, security auditing includes the features and services that log and review events for specified security-related activities. Hundreds of events occur as Active Directory, the Windows operating system and the applications used across the on-premises and hybrid cloud environment perform their tasks. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.

Audit policies are configured through Group Policy. You can configure computer local policies, but in most Windows Server Active Directory environments, auditing is configured through application of policies at the domain, site, or organizational unit level. The basic security audit policy settings (Security Settings\Local Policies\Audit Policy) and the advanced security audit policy settings (Security Settings\Advanced Audit Policy Configuration\System Audit Policies) seem to be generally similar and appear to overlap, but in reality they are separate and are recorded and applied differently.
There are nine basic audit policy settings under Security Settings\Local Policies\Audit Policy and 10 category settings under Advanced Audit Policy Configuration. Nine of the 10 categories of settings available in Security Settings\Advanced Audit Policy Configuration address similar issues as the nine basic settings in Local Policies\Audit Policy. The main difference is that the collection of advanced policy settings allows administrators to be more selective in the number and types of events to audit. Rather than having a fire hose volume of information about events that are similar but unrelated to what you want to know about, you can have a garden hose stream of the telemetry you are interested in.

For example, the basic audit policy provides a single setting for account sign-in and the advanced audit policy provides four. Enabling the single basic setting would be the equivalent of setting all four advanced settings. In comparison, setting a single advanced audit policy setting doesn't generate audit events for activities that you aren't interested in tracking. In addition, if you enable success auditing for the basic Audit account logon events setting, only success events will be logged for all account sign-in activities. In comparison, depending on the needs of your organization, you can configure success auditing for one advanced account logon setting, failure auditing for a second advanced account logon setting, success and failure auditing for a third advanced account logon setting, or simply configure no auditing for that final category of event.

Basic audit policy settings aren't compatible with advanced audit policy settings that are applied by using Group Policy. When advanced audit policy settings are applied by using Group Policy, the current computer's audit policy settings are cleared before the resulting advanced audit policy settings are applied.
After you apply advanced audit policy settings by using Group Policy, you can only reliably set system audit policy for the computer by using the advanced audit policy settings. Editing and applying the advanced audit policy settings in Local Security Policy modifies the local Group Policy Object (GPO). If there are policies from other domain GPOs or logon scripts, changes made here may not be exactly reflected in auditpol.exe. Both types of policies can be edited and applied by using domain GPOs, and these settings will override any conflicting local audit policy settings. Because a basic audit policy is recorded in the effective audit policy, that audit policy must be explicitly removed when a change is desired, or it will remain in the effective audit policy. Policy changes that are applied by using local or domain Group Policy settings are reflected as soon as the new policy is applied.

If you use Advanced Audit Policy Configuration settings or use logon scripts to apply advanced audit policies, be sure to enable the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting under Local Policies\Security Options. This setting prevents conflicts between similar settings by forcing basic security auditing to be ignored. Applying advanced audit policy settings replaces any comparable basic security audit policy settings. If you later change the advanced audit policy setting to Not Configured, you need to complete the following steps to restore the original basic security audit policy settings. 1. Set all advanced audit policy subcategories to Not Configured. 2. Delete all audit.csv files from the SYSVOL folder on the domain controller. 3. Reconfigure and apply the basic audit policy settings. Unless you complete all of these steps, the basic audit policy settings won't be restored.
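The following is an added example, not code from the video or from Microsoft's documentation: it checks, on one server, whether the subcategory override setting is on, what the effective per-subcategory policy is according to auditpol.exe, and which domain GPOs carry an audit.csv in SYSVOL (the files step 2 of the restore procedure refers to). It assumes an elevated PowerShell session on a domain-joined machine; the registry value name SCENoApplyLegacyAuditPolicy is the stored form of the override setting.

```powershell
# Added example (not from the video): inspect how this machine's audit policy is really applied.
# Run in an elevated PowerShell on a domain-joined server.

# 1. Is "Audit: Force audit policy subcategory settings ... to override audit policy category
#    settings" enabled? It is stored as SCENoApplyLegacyAuditPolicy under the Lsa key (1 = enabled).
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$override = (Get-ItemProperty -Path $lsaKey -Name SCENoApplyLegacyAuditPolicy `
             -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($override -eq 1) {
    Write-Host 'Subcategory override is ON: basic (category) audit settings are ignored.'
} else {
    Write-Warning 'Subcategory override is OFF: basic and advanced audit settings can conflict.'
}

# 2. Take a backup of the effective policy before changing anything, so it can be restored
#    with "auditpol /restore /file:<path>".
auditpol.exe /backup /file:"$env:TEMP\auditpol-backup.csv" | Out-Null

# 3. Effective per-subcategory policy as auditpol.exe reports it. /r emits CSV, which PowerShell
#    turns into objects; "Inclusion Setting" is Success, Failure, Success and Failure, or No Auditing.
$effective = auditpol.exe /get /category:* /r | ConvertFrom-Csv
$effective |
    Select-Object Subcategory, 'Inclusion Setting' |
    Sort-Object Subcategory |
    Format-Table -AutoSize

# 4. Subcategories still at "No Auditing": a quick way to see whether a domain GPO's advanced
#    settings have actually reached this computer (GPO-applied settings override local ones).
$effective | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' } |
    Select-Object -ExpandProperty Subcategory

# 5. Each GPO that delivers advanced audit policy stores it as audit.csv under
#    <GPO>\Machine\Microsoft\Windows NT\Audit in SYSVOL. Listing them shows which GPOs carry
#    advanced audit settings; these are the files the restore procedure tells you to delete.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
Get-ChildItem -Path "\\$domain\SYSVOL\$domain\Policies" -Recurse -Filter audit.csv `
    -ErrorAction SilentlyContinue |
    Select-Object FullName
```

Compare the GPO list from step 5 with the output of the Resultant Set of Policy tools when the effective policy in step 3 isn't what you expected.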
By default, policy options that are set in GPOs and linked to higher levels of Active Directory (sites, domains and OUs) are inherited by all OUs at lower levels. However, an inherited policy can be overridden by a GPO that is linked at a level closer to the target computer or user. Essentially, if you know how GPO inheritance works, you know which settings will override other ones. For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of extra settings. To accomplish this customization, you can link a second GPO to that specific lower-level OU. Therefore, a logon audit setting that is applied at the OU level will override a conflicting logon audit setting that is applied at the domain level. The only exception is if you take special steps to apply Group Policy loopback processing. If in doubt, use the Resultant Set of Policy tools in your friendly neighborhood Group Policy Management Console.

A success audit event is triggered when a defined action, such as accessing a file share or authenticating to the domain, is completed successfully. A failure audit event is triggered when a defined action, such as a user sign-in, isn't completed successfully. The appearance of failure audit events in the event log doesn't necessarily mean that something is wrong with your system. For example, if you configure Audit logon events, a failure event may mean that a user mistyped the password.

Changes to security audit policies are critical security events. An attacker who is trying to gain persistence in your system wants to remove all record of them being there, and that's a lot easier if auditing isn't tracking things. You can use the Audit Audit Policy Change setting to determine whether the operating system generates audit events when the following types of activities take place. Permissions and audit settings on the audit policy object are changed. The system audit policy is changed.
Security event sources are registered or unregistered. The per-user audit settings are changed. The value of CrashOnAuditFail is modified. Audit settings on a file or registry key are changed. A special groups list is changed.

In future, we will create short videos and publish them on this channel explaining the contents of each of the different audit policy categories, the events that configuring each individual policy generates, and what those events indicate. Make sure you're subscribed if you are interested in videos on account logon audit policies, account management audit policies, detailed tracking audit policies, DS access audit policies, logon/logoff audit policies, object access audit policies, policy change audit policies, privilege use audit policies, system audit policies, and global object access auditing audit policies.

This video provided a basic introduction to Windows Server Advanced Security Auditing. You learned about advanced security auditing for Windows Server. The advice in this video is based on the documentation published on learn.microsoft.com at the link in this video's description. Increasing the security controls applied to Active Directory will improve your overall AD DS security posture, but it will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed-breach philosophy. We are interested in hearing about your experiences as an AD DS administrator. Are there any AD DS security or Windows Server related topics you'd like us to cover in a future video? If so, mention it below. I hope you found this video useful and informative. My name is Oren Thomas. You can find me at aka.ms/oren. And if you've got any questions or feedback, drop a comment below.
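As an added example that is not part of the video, this is one way to review the "system audit policy was changed" records that the Audit Audit Policy Change setting described above produces. It assumes an elevated PowerShell session, that Audit Policy Change auditing is enabled (otherwise nothing is written), and uses Security log event ID 4719, which is the event Windows records for a system audit policy change.

```powershell
# Added example (not from the video): list recent "System audit policy was changed" events
# (Security log, ID 4719) and group them by who made the change. Run elevated.

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $since } `
              -ErrorAction SilentlyContinue

$changes = foreach ($e in $events) {
    # Flatten the EventData fields from the event XML into a lookup table.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Computer    = $e.MachineName
        Actor       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        LogonId     = $d['SubjectLogonId']
        Category    = $d['CategoryId']          # %%-resource codes in the raw XML;
        Subcategory = $d['SubcategoryId']       # $e.Message carries the resolved names
        Changes     = $d['AuditPolicyChanges']
        Message     = ($e.Message -split "`r?`n")[0]
    }
}

# Group Policy refresh writes 4719 as the SYSTEM account, so changes made under any other
# account (an interactive auditpol.exe or Local Security Policy edit) stand out when grouped.
$changes | Group-Object Actor | Sort-Object Count -Descending |
    Select-Object Count, Name

# Full detail for changes not made by SYSTEM.
$changes | Where-Object { $_.Actor -notmatch '\\SYSTEM$' } |
    Sort-Object Time |
    Format-Table Time, Computer, Actor, Subcategory, Changes -AutoSize
```

Correlate the LogonId with the matching logon events if you need to establish how that session was established.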