Most of you are probably familiar with the 9 policies under Security Settings\Audit Policy in Windows. But how many of you know about the 53 additional policies Microsoft added in Windows Vista and Windows Server 2008? The great thing about these new policies is that they provide a lot more granularity over what the previous 9 afforded. The downside? They can also create a lot of noise if you're keeping a close eye on your logs.
What do I see if I'm monitoring newer Windows operating systems?
The 53 additional security policies start generating events in the Windows Event Log as soon as you deploy a Windows Vista or higher OS. This causes an immediate influx of audit data, which persists unless you tune the auditing appropriately. And this is all in addition to any existing policies in Security Settings\Audit Policy that may be enabled by Group Policy.
To see exactly what policies are available and enabled by default, run auditpol.exe /get /category:* from a Command Prompt on a Windows Vista or higher system. You'll notice several policies are enabled by default as opposed to the previous 2/9 pre-configured on older systems.
How do I change what gets logged?
If you are running Windows Vista or Windows Server 2008, you have to use the auditpol.exe CLI tool to configure these settings. However, in Windows 7 and Windows Server 2008 R2, Microsoft added these settings to Security Settings\Advanced Audit Policy Configuration. From here, you can set the policies in each of the 10 new categories to No Auditing or any combination of Success and/or Failure.
But wait! There's a catch.
Microsoft discourages users from using the policies in both Security Settings\Audit Policy and Security Settings\Advanced Audit Policy Configuration simultaneously. For this reason, whenever you configure one of the advanced audit policies, Windows forces advanced auditing to override basic auditing for that computer. That means, if you had basic auditing configured through Group Policy and you changed a single setting in Security Settings\Advanced Audit Policy Configuration, basic policy is effectively disabled for that computer.
What we recommend.
Given the potential volume generated by the advanced audit policies, we recommend you tune those settings, especially if you're using a log management tool like Log & Event Manager. The important takeaway: If you change anything in Security Settings\Advanced Audit Policy Configuration, tune it fully so it matches your basic auditing settings for your pre-Windows Vista clients. Otherwise, your pre-Windows Vista clients will continue auditing events as before, but your clients running Windows Vista or later will only audit what you tell them to in Security Settings\Advanced Audit Policy Configuration.
For information about how to tune advanced auditing in your environment, see Microsoft's Advanced Security Auditing FAQ.