Windows security auditing — Event Log FAQ

What is Windows security auditing?

A security audit is a systematic monitoring of the security of a company's information system by measuring how well it conforms to a set of established criteria. Windows security auditing is a Windows feature that helps to maintain the security on the computer and in corporate networks. Windows auditing is intended to monitor user activity, perform forensic analysis and incident investigation, and troubleshooting. Security audit lets you implement security policies in your environment to fulfil corporate, governmental or industrial requirements.

How to setup Windows security auditing?

Windows security auditing can be enabled using either Group Policy (in Active Directory environment) or Local Security Policy (for a single computer). Open Windows Control Panel, select Administrative Tools, and then run Local Security Policy. Open Local Policies branch and select Audit Policy. In the right pane of Local Security Policy window, you will see a list of audit policies. Double click on the required policy and choose what attempts (Success or Failure) to log.
Here we described setting up basic audit policies. Starting from Windows 2008 R2/Windows 7, you can use Advanced Security Audit Policy: Local Security Policy -> Advanced Audit Policy Configuration -> System Audit Policies.
More information about Advanced Security Audit Policy available at https://technet.microsoft.com/en-us/library/dn319056.aspx

How to audit logon events?

Windows security auditing lets you audit user logons and invalid logon attempts to your system. Windows generate these events not only when a user physically logons the system, but even when accessing a shared resource from a remote computer. Auditing logon events help the administrator or investigator to review users’ activity and detect potential attacks.

To log logon events run Local Security Policy. Open Local Policies branch and select Audit Policy. Double click on “Audit logon events” and enable Success and Failure options. After that, all user logons and invalid logon attempts will be logged to security event log.

Here are some important logon events

Event ID	Event message
4624	An account was successfully logged on
4625	An account failed to log on
4648	A logon was attempted using explicit credentials
4675	SIDs were filtered

How to audit file access events?

Windows security auditing lets you audit access to an object, e.g. file, folder, registry key and other system objects that have system access control list (SACL). It is important task for a system administrator to organize file server auditing, but it may be reasonable to audit not only file servers. Auditing logon events help the administrator or investigator to review users’ activity, detect attempts of unauthorized access to files, and prevent software misconfiguration.

To log file access events, run Local Security Policy. Open Local Policies branch and select Audit Policy. Double click on “Audit object access” and enable Success and Failure options. This enables system-wide object access audit. Now we should select file objects, which will trigger this event. Open Windows Explorer and brows for the required file or folder. Click right mouse button on this object and select Properties. Switch to Security tab and click Advanced button. Switch to Auditing tab in Advanced Security Settings window. Click Continue button. Now you can set the names of the users or groups whose access you want to audit (you can choose everyone for all users) and what type of access to the file will be audited. Starting from Windows 2008 R2/Windows 7, you can use more flexible object access/file access audit policy settings.

Here are some important file access events

Event ID	Event message
4656	A handle to an object was requested
4658	The handle to an object was closed
4660	An object was deleted
4663	An attempt was made to access an object
4685	The state of a transaction has changed
4985	The state of a transaction has changed