G'day viewers, my name is Orin Thomas. I'm a Principal Hybrid Cloud Advocate at Microsoft. In this video, you'll learn about the System category of advanced security auditing for Windows Server. System category audit events allow you to track system-level changes to computers. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description. This video is part of a series of videos on advanced auditing and related events that will be published in the coming weeks. Some of these topics are a bit dry, but we attempted to present them so you'd be able to review information about advanced auditing in a more digestible format.

As a Windows Server administrator, you should have a comprehensive understanding of advanced security auditing in Windows Server and Active Directory environments. System security policy settings and audit events allow you to track the following types of system-level changes to a computer that have potential security implications. This category includes the following policies: Audit IPsec Driver, Audit Other System Events, Audit Security State Change, Audit Security System Extension, and Audit System Integrity.

The Audit IPsec Driver policy allows you to audit events generated by the IPsec driver, such as the following: startup and shutdown of the IPsec services; network packets dropped due to integrity check failure; network packets dropped due to replay check failure; network packets dropped due to being in plain text; network packets received with an incorrect security parameter index (SPI), which may indicate that either the network card is not working correctly or the driver needs to be updated; and inability to process IPsec filters. A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems. The following events will be enabled if you configure auditing through this policy.
4960: IPsec dropped an inbound packet that failed an integrity check.
4961 and 4962: IPsec dropped an inbound packet that failed a replay check.
4963: IPsec dropped an inbound clear text packet that should have been secured.
4965: IPsec received a packet from a remote computer with an incorrect security parameter index (SPI).
5478: IPsec services has started successfully.
5479: IPsec services has been shut down successfully.
5480: IPsec services failed to get the complete list of network interfaces on the computer.
5483: IPsec services failed to initialize the IPsec server.
5484: IPsec services has experienced a critical failure and has been shut down.
5485: IPsec services failed to process some IPsec filters on a plug and play event for network interfaces.

The Audit Other System Events policy generates Windows Firewall service and Windows Firewall driver start and stop events, failure events for these services, and Windows Firewall service policy processing failures. Audit Other System Events determines whether the operating system audits various system events. The system events in this category include startup and shutdown of the Windows Firewall service and driver, security policy processing by the Windows Firewall service, cryptography key file and migration operations, and BranchCache events. The following events will be enabled if you configure auditing through this policy.

5024: The Windows Firewall service has started successfully.
5025: The Windows Firewall service has been stopped.
5027: The Windows Firewall service was unable to retrieve the security policy from the local storage.
5028: The Windows Firewall service was unable to parse the new security policy.
5029: The Windows Firewall service failed to initialize the driver.
5030: The Windows Firewall service failed to start.
5032: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
5033: The Windows Firewall driver has started successfully.
5034: The Windows Firewall driver was stopped.
5035: The Windows Firewall driver failed to start.
5037: The Windows Firewall driver detected a critical runtime error and has terminated.
5058: Key file operation.
5059: Key migration operation.
6400: BranchCache received an incorrectly formatted response while discovering availability of content.
6401: BranchCache received invalid data from a peer. Data discarded.
6402: BranchCache: the message to the hosted cache offering it data is incorrectly formatted.
6403: BranchCache: the hosted cache sent an incorrectly formatted response to the client.
6404: BranchCache: the hosted cache could not be authenticated using the provisioned SSL certificate.

The Audit Security State Change policy allows you to audit Windows startup, recovery, and shutdown events, and information about changes in system time. The following events will be enabled if you configure auditing through this policy.

4608: Windows is starting up.
4616: The system time was changed.
4621: Administrator recovered system from crash on audit fail.

The Audit Security System Extension policy allows you to record information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events. Changes to security system extensions in the operating system include the following activities. Security extension code is loaded, for example an authentication, notification, or security package. Security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes; examples of this extension code are security support providers such as Kerberos and NTLM. A service is installed: an audit log is generated when a service is registered with the Service Control Manager.
The audit log contains information about the service name, binary, type, start type, and service account. Attempts to install or load security system extensions or services are critical system events that could indicate a security breach. The following events will be enabled if you configure auditing through this policy.

4610: An authentication package has been loaded by the Local Security Authority.
4611: A trusted logon process has been registered with the Local Security Authority.
4614: A notification package has been loaded by the Security Account Manager.
4622: A security package has been loaded by the Local Security Authority.
4697: A service was installed in the system.

The Audit System Integrity policy allows you to audit events that violate the integrity of the security subsystem. Activities that violate the integrity of the security subsystem include the following. Audited events are lost due to a failure of the auditing system. A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space. A remote procedure call (RPC) integrity violation is detected. A code integrity violation with an invalid hash value of an executable file is detected. Cryptographic tasks are performed. Violations of security subsystem integrity are critical and could indicate a potential security attack. The following events will be enabled if you configure auditing through this policy.

4612: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
4615: Invalid use of LPC port.
4618: A monitored security event pattern has occurred.
4816: RPC detected an integrity violation while decrypting an incoming message.
5038: Code integrity determined that the image hash of a file is not valid.
5056: A cryptographic self-test was performed.
5062: A kernel-mode cryptographic self-test was performed.
5057: A cryptographic primitive operation failed.
5060: Verification operation failed.
5061: Cryptographic operation.
6281: Code integrity determined that the page hashes of an image file are not valid.
6410: Code integrity determined that a file does not meet the security requirements to load into a process.

This video provided an introduction to the System audit policies category of Windows Server advanced security audit policies. The advice in this video is based on the documentation published on learn.microsoft.com at the link in this video's description. Increasing the security controls applied to Active Directory will improve your overall AD DS security posture, but it will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed-breach philosophy. I hope you found this video useful and informative. My name is Orin Thomas. You can find me at aka.ms/orin. And if you've got any questions or feedback, drop a comment below.
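One way to confirm the System-category subcategories are actually auditing and then review the events the video lists, as an added PowerShell example that is not part of the video or the Microsoft documentation it is based on. It assumes an elevated session on Windows Server and only the built-in auditpol.exe and Get-WinEvent tools.

```powershell
# Added example, not from the video: check that the System-category
# subcategories are auditing, then pull the events listed above from the
# local Security log. Assumes an elevated PowerShell session on Windows Server.

# 1. Effective policy. A domain GPO's Advanced Audit Policy overrides local
#    auditpol changes, so read back the effective setting rather than assuming it.
auditpol.exe /get /category:"System" /r | ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 2. Event IDs from the five subcategories discussed above.
$watchIds = @(
    4608, 4616, 4621,                 # Security State Change
    4610, 4611, 4614, 4622, 4697,     # Security System Extension
    4612, 4615, 4618, 4816,           # System Integrity: audit loss, LPC/RPC
    5038, 6281, 6410,                 # System Integrity: code integrity failures
    4960, 4961, 4962, 4963, 4965      # IPsec Driver: dropped / bad-SPI packets
)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $watchIds } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

# 3. Volume per ID. A burst of 4960-4965 or any 5038/6281/6410 warrants review;
#    4612 means audit records were lost, so the log itself has a gap.
$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count | Format-Table -AutoSize

# 4. Event 4697 (a service was installed) is the most actionable one here.
#    Read the named EventData fields from the event XML instead of the message text.
foreach ($e in ($events | Where-Object Id -eq 4697)) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Subject     = $data['SubjectUserName']
        ServiceName = $data['ServiceName']
        ImagePath   = $data['ServiceFileName']
        StartType   = $data['ServiceStartType']
        RunsAs      = $data['ServiceAccount']
    }
}
```

The 4697 fields come from the event's EventData XML, so the output is stable even when the rendered message text differs between OS builds.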