Audit policy settings specify categories of security-related events that you want to audit. Advanced audit policy settings help administrators exercise granular control over which activities get recorded in the logs, helping reduce event noise.

Object-level auditing settings (referred to as system access control list [SACL] in this document), log attempts to access a secured object.

Audit policies or advanced audit policies (recommended for computers running Windows 7, Windows Server 2008, and later) must be configured for computers, while object-level auditing must be configured for secured objects to ensure that security-related events get logged whenever any relevant activity occurs.

Note: The required audit policy and object-level auditing settings can be configured automatically via the ADAudit Plus console, by following the steps found under the Automatic configuration section in each of the links found below.

To audit Active Directory:

To audit Windows file servers:

Configure audit policies for the Windows file servers that need to be audited.
Configure object-level auditing for the shares that need to be audited.

To audit Windows member servers:

Configure audit policies for the Windows servers that need to be audited.

To audit Windows workstations:

Configure audit policies for the Windows workstations that need to be audited.

To audit NetApp Filers

Configure audit policies and SACLs for the NetApp Filers that need to be audited.

To audit NetApp clusters:

Configure audit policies and SACLs for the NetApp clusters that need to be audited.

To audit EMC servers:

Configure audit policies and SACLs for the EMC servers that need to be audited.

To audit EMC Isilon:

Configure audit policies and SACLs for the EMC Isilon nodes that need to be audited.

To enable File Integrity Monitoring (FIM):

Configure audit policies for the domain controllers, Windows servers, and Windows workstations on which file integrity needs to be monitored.
Configure object-level auditing for the shares that need to be audited.

To audit Group Policy Objects (GPOs):

To audit removable storage devices:

Configure audit policies for the domain controllers, Windows servers, and Windows workstations on which removable storage activity needs to be audited.

To audit Windows PowerShell:

Configure audit policies for the domain controllers, Windows servers, and Windows workstations on which PowerShell activity needs to be audited.

To audit Active Directory Federation Service (AD FS):

Configure audit policies for the domain controllers and Windows servers on which AD FS activity needs to be audited.

Configuring security log size and retention settings

Security log size and retention settings must be configured to prevent loss of audit data due to overwriting of events.

Follow these recommendations to configure appropriate security log settings.

Ports to be opened

Ports must be opened to allow exchange of data between computers.

Here is the list of default ports used by ADAudit Plus and the ports that should be opened on the destination computers.

Setting-up a service account

After the Domain Admin credentials are entered, ADAudit Plus starts to audit activities.

If you do not want to provide Domain Admin credentials, follow these steps to set up the service account to have only the least privileges required for auditing your environment.

Quick start

Architecture

Active Directory

Active Directory auditing

ADFS auditing

Group policy object auditing

Azure AD configuration

Windows Server

Windows server auditing

Removable storage auditing

File integrity monitoring

PowerShell auditing guide

User session recording

Filer Server

Windows file server auditing

EMC Isilon auditing

Synology auditing

Huawei OceanStor Auditing

NetApp filer auditing

NetApp cluster auditing

Hitachi NAS auditing

Windows workstation auditing

Event collection troubleshooting

Migration

Security

Security specifications

Security hardening

Product configuation

Service account configuration

SSL configuration

Security log settings

Agent configuration

Single sign-on

Ports

2FA configuration

Virtual IP address settings

High availability configuration

Prerequisites

Configuring audit policies and object-level auditing