Quick Reference Guide

Windows Server Auditing


How to enable logging of important Windows Server events in Windows event logs

Local Policy Audit Settings

• Run gpedit.msc > Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy:
• Audit account management > Define > Success
• Audit object access > Define > Success

Registry-level Auditing Settings

• Run regedit.exe > HKEY_LOCAL_MACHINE > Right-click “SOFTWARE” > Permissions > Advanced > Auditing (Tab) > Click “Add” > Principal “Everyone” > Type “Success” > Applies to “This key and subkeys” > Advanced Permissions > Check “Set Value”, “Create Subkey”, “Delete”, “Write DAC”, “Write Owner” > Click “OK”
• Repeat the steps above for the “HKEY_LOCAL_MACHINE\SYSTEM” and “HKEY_USERS\.DEFAULT” nodes

Event Log Settings

• Run eventvwr.msc > Windows Logs > Right-click “Application” log > Properties:
• Make sure the “Enable logging” check box is selected
• Set retention method to “Overwrite events as needed” or “Archive the log when full”
• Repeat this operation for the “Security” and “System” event logs
• Open Event Viewer and search the corresponding log for the IDs listed in the Event ID Reference box

Event ID Reference (2003 / 2008-12)

Security Log
• 636/4732 – Local group member added
• 637/4733 – Local group member removed
• 635/4731 – Local group created
• 638/4734 – Local group deleted
• 624/4720 – User account created
• 630/4726 – User account deleted
• 639/4735 – Local group changed
• 642/4738 – User account changed
• 627/4723 – Change password attempt
• 628/4724 – User account password set
• 685/4781 – User name changed
• 567/4657, 4663 – Object access attempt
• 560/4656 – Object open
• 562/4658 – Handle closed
• 602/4698, 4699, 4700, 4701, 4702 – Scheduled task created, deleted, enabled, disabled, updated

Application Log
Event Source: MsiInstaller
• 11707 – Software was installed
• 11724 – Software was uninstalled

System Log
Event Source: Service Control Manager
• 7036 – Service state changed
• 7040 – Service start type changed
For Detailed Windows Server Auditing, Try Netwrix Auditor - netwrix.com/go/trial-ws

• Change auditing: detection, reporting and alerting on all configuration changes across your entire IT infrastructure with Who, What, When, Where details and Before/After values.
• Predefined reports and dashboards with filtering, grouping, sorting, export (PDF, XLS etc.), email subscriptions, drill-down, access via web, granular permissions and ability to create custom reports.
• AuditArchive™: scalable two-tiered storage (file-based + SQL database) holding consolidated audit data for 10 years or more.
• Unified platform to audit the entire IT infrastructure, unlike other vendors with a set of hard-to-integrate standalone tools.

Try Windows Server Auditing For Free: netwrix.com/go/trial-ws

Corporate Headquarters: 20 Pacifica, Suite 625, Irvine, CA 92618
Phone: 1-949-407-5125 | Toll-free: 888-638-9749 | Int'l: 1-949-407-5125 | EMEA: 44 (0) 203-318-0261
netwrix.com/social
