
I'll preface this with: I am a Linux admin. Windows to me is like me driving a UK car -- mostly operates the same but the steering wheel, buttons, and levers are in the wrong place and labels are spelled funny.

I have a server that is a domain member. There are GPOs applied from the domain. Normal enough.

When I run auditpol on this server, I see policies that are set that are not set in secpol.msc and not set in the domain GPO. I also compared the list of applied GPOs from running gpresult and found that there are only three GPOs being applied. (This list of 3 GPOs was the list I expected to see, so that was good.)

Example:

Run on the member server:

PS C:\Windows\system32> .\auditpol.exe /get /category:\*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
...(truncated)...

And

PS C:\Windows\system32> .\gpresult.exe /v /r /scope computer
...(truncated)...
RSOP data for CORP\fflintstone on MGMTWIN01A : Logging Mode
-----------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  10.0.14393
Site Name:                   XYZ
Roaming Profile:             N/A
Local Profile:               C:\Users\fflintstone
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=MGMTWIN01A,OU=Windows,OU=Servers,DC=corp,DC=example,DC=com
    Last time Group Policy was applied: 11/2/2018 at 2:13:01 PM
    Group Policy was applied from:      corpdc01a.corp.example.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CORP
    Domain Type:                        Windows 2008 or later
...(truncated)...
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy (CORP)
        Windows Allow RDP Access
        Windows Startup Script

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
...(truncated)...

The three GPOs listed by gpresult as "applied" do not contain any of the settings listed as "Success" or "Success and Failure" in my example auditpol snippet.

Where are they being set? How can I track this down?

JDS
  • https://blogs.technet.microsoft.com/askds/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2/ – joeqwerty Nov 02 '18 at 16:12
  • thanks! I read that blog article before you posted it; it was good, but unfortunately it doesn't *quite* answer my question, which is: where are the advanced audit pols being *set*? – JDS Nov 02 '18 at 16:48
  • That article states: "*as soon as you start applying Advanced Audit Configuration Policy, legacy policies will be completely ignored*". Does this mean **all** legacy policies or only the ones overridden by the advanced policies? – JDS Nov 02 '18 at 16:51
  • If it was set with a one-off use of auditpol, it may not be possible. If it is set with a computer startup script, it may produce an event id 4719 event (Audit Policy Change) in the security event log, but only if the policy changes. So you could try changing the value for a policy and restart the computer. – Greg Askew Nov 02 '18 at 20:02

3 Answers


A clean install of Windows 2016 includes a built-in audit policy with the following default settings:

System
  Security System Extension               No Auditing   
  System Integrity                        Success and Failure    
  IPsec Driver                            No Auditing    
  Other System Events                     Success and Failure    
  Security State Change                   Success

Logon/Logoff
  Logon                                   Success and Failure    
  Logoff                                  Success    
  Account Lockout                         Success    
  IPsec Main Mode                         No Auditing    
  IPsec Quick Mode                        No Auditing    
  IPsec Extended Mode                     No Auditing    
  Special Logon                           Success    
  Other Logon/Logoff Events               No Auditing    
  Network Policy Server                   Success and Failure    
  User / Device Claims                    No Auditing    
  Group Membership                        No Auditing

Object Access
  File System                             No Auditing    
  Registry                                No Auditing    
  Kernel Object                           No Auditing    
  SAM                                     No Auditing    
  Certification Services                  No Auditing    
  Application Generated                   No Auditing    
  Handle Manipulation                     No Auditing    
  File Share                              No Auditing    
  Filtering Platform Packet Drop          No Auditing    
  Filtering Platform Connection           No Auditing    
  Other Object Access Events              No Auditing    
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing    
  Central Policy Staging                  No Auditing

Privilege Use
  Non Sensitive Privilege Use             No Auditing    
  Other Privilege Use Events              No Auditing    
  Sensitive Privilege Use                 No Auditing    

Detailed Tracking
  Process Creation                        No Auditing    
  Process Termination                     No Auditing    
  DPAPI Activity                          No Auditing    
  RPC Events                              No Auditing    
  Plug and Play Events                    No Auditing    
  Token Right Adjusted Events             No Auditing    

Policy Change
  Audit Policy Change                     Success    
  Authentication Policy Change            Success          
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing    
  Filtering Platform Policy Change        No Auditing    
  Other Policy Change Events              No Auditing

Account Management
  Computer Account Management             Success    
  Security Group Management               Success    
  Distribution Group Management           No Auditing    
  Application Group Management            No Auditing    
  Other Account Management Events         No Auditing    
  User Account Management                 Success

DS Access
  Directory Service Access                Success    
  Directory Service Changes               No Auditing    
  Directory Service Replication           No Auditing    
  Detailed Directory Service Replication  No Auditing    

Account Logon
  Kerberos Service Ticket Operations      Success    
  Other Account Logon Events              No Auditing    
  Kerberos Authentication Service         Success    
  Credential Validation                   Success

In the absence of any advanced audit group policy (either local or domain) you can modify the built-in policy by using the auditpol /set command. As far as I can see, auditpol is also the only way to view the built-in policy.

When and if any advanced audit group policy is applied to the server, the built-in audit policy is discarded and all audit settings are turned off except those that have been explicitly enabled via group policy. [It isn't clear to me under what circumstances, if any, this process is reversible; I'm still investigating.] You can still temporarily modify the audit settings using auditpol /set and/or the local legacy audit policy, but any such changes will be discarded the next time group policy is processed.

From the looks of it, your server is still using the default audit policy. So the policies you are seeing are those that are built into a clean Windows install.

Harry Johnston
  • this is very interesting. and likely is the cause. do you know if there is microsoft documentation somewhere describing this behavior? i'll upvote and check-mark this answer once i get to my office and confirm the behavior – JDS Nov 05 '18 at 13:05
  • I haven't found any documentation so far, I'll update my answer if I do. – Harry Johnston Nov 05 '18 at 18:24

There is this Microsoft article saying Local Policy overwrites auditpol:

At the next group policy refresh cycle, the CSE applies the modifications that are present in the .csv file
%SYSTEMROOT%\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/auditpol-local-security-policy-results-differ

gamelton

Those settings could also be set in the local policy. Open gpedit.msc on an affected PC and look for the settings in there.

longneck
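A diagnostic that ties the answers and comments above together, added here as an example (it is not code from any of the posters or from Microsoft): it parses auditpol's CSV output, checks whether the local-GPO Audit.csv named in gamelton's answer exists and which subcategories it sets, and lists recent 4719 events as Greg Askew suggested. The CSV column names and the `Setting Value` encoding (0 none, 1 success, 2 failure, 3 both) are assumed from the auditpol /r and Audit.csv formats; run it from an elevated PowerShell prompt.

```powershell
# Assumed path from gamelton's answer: the local-GPO advanced audit CSV the CSE re-applies at refresh.
$gpoCsv = Join-Path $env:SystemRoot 'system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv'

# 1. Effective policy: /r emits CSV (assumed header: Machine Name,Policy Target,Subcategory,
#    Subcategory GUID,Inclusion Setting,Exclusion Setting). Keep only subcategories that audit something.
$effective = auditpol /get /category:* /r |
    Where-Object { $_ -match ',' } |
    ConvertFrom-Csv |
    Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' }

# 2. Subcategories the local GPO would set (Setting Value 0 = none, so anything else is enabled).
$fromGpo = @()
if (Test-Path $gpoCsv) {
    $fromGpo = @(Import-Csv $gpoCsv | Where-Object { $_.'Setting Value' -ne '0' })
    Write-Host "Local advanced audit policy present: $gpoCsv ($($fromGpo.Count) subcategories enabled)"
} else {
    Write-Host "No local Audit.csv: enabled subcategories are the built-in defaults, a domain GPO, or a one-off auditpol /set"
}

# 3. For each enabled subcategory, report whether the local GPO explains it.
$effective | ForEach-Object {
    $sub = $_.Subcategory
    $inLocalGpo = [bool]($fromGpo | Where-Object { $_.Subcategory -eq $sub })
    [pscustomobject]@{
        Subcategory = $sub
        Setting     = $_.'Inclusion Setting'
        Source      = if ($inLocalGpo) { 'Local GPO (Audit.csv)' } else { 'Not in local Audit.csv' }
    }
} | Format-Table -AutoSize

# 4. Event 4719 (Audit Policy Change) records who changed which subcategory and when;
#    a script or domain GPO that sets the policy leaves a trail here, a one-off auditpol /set too.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Format-List TimeCreated, Message
```

If step 2 reports no local Audit.csv and step 3 shows only the subcategories from Harry Johnston's default table, the server is running the built-in policy; a 4719 event whose subject is a startup script or SYSTEM account points at a script or domain GPO instead.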