G'day viewers, my name is Orin Thomas. I'm a principal hybrid cloud advocate at Microsoft. In this video, you'll learn about the Object Access category of advanced security auditing for Windows Server. This advice is based on the documentation published on learn.microsoft.com at the link in this video's description. This video is part of a series of videos on advanced auditing and related events that will be published in the coming weeks. Our aim is to provide you with a comprehensive understanding of advanced security auditing in Windows Server and Active Directory environments.

The Object Access policy settings and audit events allow you to track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the File System subcategory needs to be enabled to audit file operations, and the Registry subcategory needs to be enabled to audit registry accesses. Proving to an external auditor that these audit policies are in effect is more difficult: there is no easy way to verify that the proper system access control lists (SACLs) are set on all inherited objects. To address this issue, there is the additional advanced audit category of Global Object Access Auditing, a topic we will cover in a future video.

The Object Access category includes the following policies: Audit Application Generated, Audit Certification Services, Audit Detailed File Share, Audit File Share, Audit File System, Audit Filtering Platform Connection, Audit Filtering Platform Packet Drop, Audit Handle Manipulation, Audit Kernel Object, Audit Other Object Access Events, Audit Registry, Audit Removable Storage, Audit SAM, and Audit Central Access Policy Staging.

The Audit Application Generated auditing policy generates events for actions related to Authorization Manager applications.
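The video points out that proving to an auditor that the expected SACLs are present on every inherited object is hard. The following PowerShell is an added example, not part of the video or of the Microsoft documentation it draws on: it exports the effective state of the Object Access subcategories with auditpol, then walks a folder tree and lists every object that lacks an expected audit rule. The root path, identity, rights and audit flags are placeholder assumptions to replace with your own values.

```powershell
# Added example (not from the video or the Microsoft documentation it draws on).
# Produces two pieces of evidence for an auditor: the effective state of the
# Object Access subcategories, and a list of objects under a tree that lack the
# audit rule (SACL entry) you expect to find on every inherited object.
# Assumptions: run elevated on Windows Server; $Root, $Identity, $Rights and
# $Flags are placeholders for your own environment.

$Root     = 'D:\Finance'                  # placeholder: tree that should carry the SACL
$Identity = 'Everyone'                    # placeholder: principal the audit rule must name
$Rights   = [System.Security.AccessControl.FileSystemRights]'Write, Delete'
$Flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$Evidence = Join-Path $env:TEMP 'object-access-evidence'
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null

# 1. Subcategory state. auditpol /r emits CSV; 'Inclusion Setting' holds
#    "Success and Failure", "Success", "Failure" or "No Auditing".
auditpol /get /category:"Object Access" /r |
    Where-Object { $_ } |                  # drop blank lines before parsing
    ConvertFrom-Csv |
    Select-Object Subcategory, 'Inclusion Setting' |
    Export-Csv -Path (Join-Path $Evidence 'object-access-policy.csv') -NoTypeInformation

# 2. SACL coverage. Get-Acl -Audit reads the SACL (requires SeSecurityPrivilege,
#    which is why the script must run elevated). Inherited rules are included,
#    so an object protected only through inheritance still passes the check.
function Test-AuditRulePresent {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [System.Security.AccessControl.FileSystemRights] $Rights,
        [Parameter(Mandatory)] [System.Security.AccessControl.AuditFlags] $Flags
    )
    $acl   = Get-Acl -LiteralPath $Path -Audit
    $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($rule in $rules) {
        # The rule qualifies when it names the identity and covers at least the
        # expected rights and audit flags (a broader rule is acceptable).
        if ($rule.IdentityReference.Value -eq $Identity -and
            (($rule.FileSystemRights -band $Rights) -eq $Rights) -and
            (($rule.AuditFlags -band $Flags) -eq $Flags)) {
            return $true
        }
    }
    return $false
}

$missing = @(
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not (Test-AuditRulePresent -Path $_.FullName -Identity $Identity -Rights $Rights -Flags $Flags)
        } |
        Select-Object -ExpandProperty FullName
)
$missing | Set-Content -Path (Join-Path $Evidence 'objects-missing-sacl.txt')
'{0} object(s) under {1} lack the expected audit rule; evidence written to {2}' -f $missing.Count, $Root, $Evidence
```

The subcategory export matters as much as the SACL walk: a SACL entry on a file produces no event unless the File System subcategory is enabled, so both files together are what an auditor needs. On large trees the recursive Get-ChildItem is slow; scoping $Root to the share or folder that holds the sensitive data keeps the run manageable.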
Authorization Manager is very rarely in use, and it is deprecated starting from Windows Server 2012. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit Certification Services auditing policy determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed. Examples of AD CS operations include: AD CS starts, shuts down, is backed up, or is restored; certificate revocation list (CRL) related tasks are performed; certificates are requested, issued, or revoked; certificate manager settings for AD CS are changed; the configuration and properties of the certification authority (CA) are changed; AD CS templates are modified; certificates are imported; a CA certificate is published to Active Directory Domain Services; security permissions for AD CS role services are modified; keys are archived, imported, or retrieved; the OCSP Responder service is started or stopped. Monitoring these operational events is important to ensure that AD CS role services are functioning properly. Enabling this policy enables a large number of audit event types, but you'd only ever enable this policy on a computer hosting the AD CS role service. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen. As you can no doubt see, there are quite a few of them.

The Audit Detailed File Share auditing policy allows you to audit attempts to access files and folders on a shared folder. The Detailed File Share policy logs an event every time a file or folder is accessed, whereas the File Share auditing policy only records one event for any connection established between a client and a file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access. There are no system access control lists (SACLs) for shared folders.
If this policy setting is enabled, access to all shared files and folders on the system is audited. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit File Share auditing policy allows you to audit events related to file shares: creation, deletion, modification, and access attempts. It also shows failed SMB service principal name checks. There are no system access control lists for shares. Therefore, after this setting is enabled, access to all shares on the system will be audited. Combined with file system auditing, file share auditing enables you to track what content was accessed, the source IP address and port of the request, and the user account that was used for the access. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit File System auditing policy determines whether the operating system generates audit events when users attempt to access file system objects. Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested, such as write, read, or modify, and the account making the request match the settings in the SACL. If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL. These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring. This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations, and hard link creation actions.
Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit Filtering Platform Connection auditing policy determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform. The Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor authorized connections, filter Internet Protocol security (IPsec) protected traffic, and filter remote procedure calls (RPCs). This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and applications blocked from accepting incoming connections. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit Filtering Platform Packet Drop auditing policy determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform. The Windows Filtering Platform (WFP) enables independent software vendors to filter and modify TCP/IP packets, monitor authorized connections, filter IPsec-protected traffic, and filter remote procedure calls (RPCs). A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit Handle Manipulation auditing policy enables generation of event 4658, "The handle to an object was closed", in the Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage, and Audit SAM subcategories, and shows object handle duplication and close actions. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.
The Audit Kernel Object auditing policy determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores. Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers. Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled. The "Audit: Audit the access of global system objects" policy setting controls the default SACL of kernel objects. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit Other Object Access Events auditing policy allows you to monitor operations with scheduled tasks, COM+ objects, and indirect object access requests. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit Registry auditing policy allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists (SACLs) specified, and only if the type of access requested, such as read, write, or modify, and the account making the request match the settings in the SACL. If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit Removable Storage auditing policy allows you to audit user attempts to access file system objects on a removable storage device.
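Both the File System and the Registry passages stress the same two conditions: the subcategory must be enabled, and the object must carry a SACL whose account and access type match the request. The following PowerShell is an added example, not from the video or the documentation it is based on, that puts both conditions in place for one folder and one registry key, reads the rules back, and parses the resulting 4663 ("An attempt was made to access an object") events from the Security log. The folder, key and service account are placeholders.

```powershell
# Added example (not from the video or the Microsoft documentation it draws on).
# Enables the File System and Registry subcategories, adds an audit rule to one
# folder and one key so that the SACL actually matches the account and access
# type of interest, reads the rules back, and then parses the resulting 4663
# ("An attempt was made to access an object") events from the Security log.
# Assumptions: run elevated; $Folder, $KeyPath and $Account are placeholders.

$Folder  = 'D:\Finance\Payroll'           # placeholder: folder to audit
$KeyPath = 'HKLM:\SOFTWARE\Contoso\App'   # placeholder: registry key to audit
$Account = 'CONTOSO\payroll-svc'          # placeholder: account whose access to record

# 1. Subcategories. A SACL entry produces nothing until its subcategory is on.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Registry"    /success:enable /failure:enable | Out-Null

# 2. File system SACL: record the account's writes and deletes, whether they
#    succeed or fail, and propagate to subfolders and files so inherited
#    objects are covered.
$fsRule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $Account,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$fsAcl = Get-Acl -LiteralPath $Folder -Audit
$fsAcl.AddAuditRule($fsRule)
Set-Acl -LiteralPath $Folder -AclObject $fsAcl

# 3. Registry SACL: the same pattern with RegistryAuditRule and RegistryRights.
$regRule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule -ArgumentList @(
    $Account,
    [System.Security.AccessControl.RegistryRights]'SetValue, Delete',
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)
$regAcl = Get-Acl -LiteralPath $KeyPath -Audit
$regAcl.AddAuditRule($regRule)
Set-Acl -LiteralPath $KeyPath -AclObject $regAcl

# 4. Read back to confirm the rules landed (the Audit property lists SACL entries).
(Get-Acl -LiteralPath $Folder  -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited
(Get-Acl -LiteralPath $KeyPath -Audit).Audit | Format-Table IdentityReference, RegistryRights,  AuditFlags, IsInherited

# 5. Events. Each 4663 carries the subject, object type, object name and the
#    access mask that matched the SACL. File objects use the Win32 path;
#    registry keys appear as \REGISTRY\MACHINE\..., so filter accordingly.
function Get-ObjectAccessEvents {
    param(
        [string]   $NamePrefix,
        [datetime] $Since = (Get-Date).AddHours(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Subject    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                ObjectType = $data['ObjectType']
                ObjectName = $data['ObjectName']
                AccessMask = $data['AccessMask']
                Process    = $data['ProcessName']
            }
        } |
        Where-Object { $_.ObjectName -like "$NamePrefix*" }
}

Get-ObjectAccessEvents -NamePrefix $Folder | Format-Table -AutoSize
Get-ObjectAccessEvents -NamePrefix '\REGISTRY\MACHINE\SOFTWARE\Contoso\App' | Format-Table -AutoSize
```

The audit rules are deliberately narrow: they name one account and only write and delete rights, which is what keeps the File System and Registry subcategories from flooding the Security log on a busy server. A read by a different account, or a read by the named account, matches no SACL entry and produces no 4663, which is exactly the behaviour the video describes.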
A security audit event is generated for all objects and all types of access requested, with no dependency on the object's SACL. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit SAM auditing policy enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects. The SAM is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer. SAM objects include the following: SAM_ALIAS, a local group; SAM_GROUP, a group that is not a local group; SAM_USER, a user account; SAM_DOMAIN, a domain; SAM_SERVER, a computer account. If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts and failure audits record unsuccessful attempts. Only the SACL for SAM_SERVER can be modified. Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

The Audit Central Access Policy Staging auditing policy allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object. If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows.
Success audits, when configured, record access attempts where the current central access policy grants access that the proposed policy denies. Failure audits, when configured, record access attempts where the current central access policy does not grant access that the proposed policy grants. Failure audits are also generated when a principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different from the access rights granted by the proposed policy. Items written to the security event log when this policy is enabled are listed in the documentation and on the screen.

This video provided an introduction to Windows Server Advanced Security Object Access audit policies. The advice in this video is based on the documentation published on learn.microsoft.com at the link in this video's description. Increasing the security controls applied to Active Directory will improve your overall AD DS security posture, but will not make your systems invulnerable. Security is always a matter of balancing what can be pragmatically accomplished by administrators in day-to-day operations with an assumed-breach philosophy. Are there any AD DS security or Windows Server-related topics you'd like us to cover in a future video? If so, mention it below. I hope you found this video useful and informative. My name is Orin Thomas. You can find me at aka.ms/orin. And if you've got any questions or feedback, drop a comment below.