
Windows Server Audit Policy Configuration Script

Summary

This PowerShell script configures Windows Advanced Audit Policy settings on servers to enable security-focused logging. The logging generated by this configuration supports security monitoring, forensic investigations, and compliance requirements by capturing authentication activity, privilege usage, system changes, object access, and account management events.

There are two versions of this auditing script:

  • Basic Auditing Script
    Enables core security auditing with minimal performance and log volume impact. This version does not enable process creation or command-line logging.
  • Advanced Auditing Script
    Includes all settings from the Basic script plus enhanced process visibility, enabling:
    • Process Creation auditing
    • Command-line logging for Event ID 4688

The Advanced version provides deeper forensic detail by capturing executed processes and their command-line arguments, but it also generates higher Security log volume. For this reason, it should be used selectively based on server role, compliance needs, or active investigation requirements.

Both versions must be run with Administrator privileges, and changes take effect immediately.


Script Packaging and Availability

The auditing scripts are packaged with the Messageware software and are also available for download from the Messageware Customer Portal.

The following scripts are provided:

  • STG_basic_auditing.ps1

  • STG_advanced_auditing.ps1

Both scripts must be executed on the target server using an elevated PowerShell session (Run as Administrator) to successfully apply audit policy changes.


Script Command Reference

The sections below provide detailed explanations of each command contained in the scripts, describing the audit policies configured, their security purpose, and the resulting logging behavior. This information is intended to help administrators understand the impact of each setting and select the appropriate script based on server role and auditing requirements.

Basic vs. Advanced Auditing – Key Differences

Feature                                   Basic Script        Advanced Script
--------------------------------------------------------------------------------
Logon / Logoff Auditing                   ✅ Enabled          ✅ Enabled
Account Logon (Kerberos, Credentials)     ✅ Enabled          ✅ Enabled
Privilege Use Auditing                    ✅ Enabled          ✅ Enabled
File Share Auditing                       ✅ Enabled          ✅ Enabled
User & Group Management                   ✅ Enabled          ✅ Enabled
Process Creation Auditing (4688)          ❌ Disabled         ✅ Enabled
Command-Line Logging for 4688             ❌ Disabled         ✅ Enabled
Log Volume Impact                         Low–Moderate        Moderate–High

Command Breakdown and Explanation

1. Logon / Logoff Auditing

auditpol /set /subcategory:"Logon" /success:enable /failure:enable

What this does:
Enables auditing for interactive and network logons.

What gets logged:

  • Successful user logons (Event ID 4624)
  • Failed logon attempts (Event ID 4625)
  • Remote Desktop (RDP) logons
  • Service and scheduled task logons

Why this matters:
Helps detect:

  • Brute-force attempts
  • Unauthorized access
  • Suspicious login patterns

Event IDs monitored by STG for this command:

  • 4624 – Successful logon
  • 4625 – Failed logon
  • 4648 – Logon using explicit credentials
  • 4634 – Logoff
  • 4672 – Special privileges assigned at logon (disabled out of the box)

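As an added example (not part of the Messageware scripts or of STG), the following PowerShell summarizes failed-logon events (Event ID 4625) per target account and source address so that repeated failures of the kind the Logon subcategory is meant to surface stand out. It parses the event XML that Get-WinEvent returns through ToXml(), so the same parser serves live records and the two constructed sample events embedded here; the domain, account names, addresses, host names and the flagging threshold are all assumed values.

```powershell
# Added example, not part of the Messageware auditing scripts.
# Summarize 4625 (failed logon) events by target account and source address.
# Input is the XML form of a Security event, i.e. what (Get-WinEvent ...).ToXml()
# returns, so one parser serves real records and the constructed samples below.

function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x = [xml]$EventXml
        # Event data fields are <Data Name="...">value</Data>; collect them by name
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        $idNode = $x.Event.System.EventID
        [pscustomobject]@{
            Id          = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.'#text' })
            TimeCreated = [datetime]$x.Event.System.TimeCreated.SystemTime
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']
            Source      = $data['IpAddress']
            Workstation = $data['WorkstationName']
            Status      = $data['Status']      # 0xC000006D is the generic logon-failure status
        }
    }
}

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,  # objects from ConvertFrom-SecurityEventXml
        [int]$Threshold = 5                       # assumed: failures per account+source worth flagging
    )
    $Events | Where-Object { $_.Id -eq 4625 } |
        Group-Object -Property Account, Source |
        ForEach-Object {
            $ordered = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                Account   = $ordered[0].Account
                Source    = $ordered[0].Source
                LogonType = $ordered[0].LogonType
                Failures  = $_.Count
                FirstSeen = $ordered[0].TimeCreated
                LastSeen  = $ordered[-1].TimeCreated
                Flagged   = ($_.Count -ge $Threshold)
            }
        } | Sort-Object Failures -Descending
}

# --- constructed sample events (domain, accounts, hosts and addresses are made up) ---
function New-SampleFailedLogonXml {
    param([string]$User, [string]$Domain, [string]$Ip, [string]$Workstation, [datetime]$When)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="$($When.ToUniversalTime().ToString('o'))" />
    <Channel>Security</Channel>
    <Computer>SRV01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="TargetDomainName">$Domain</Data>
    <Data Name="Status">0xC000006D</Data>
    <Data Name="SubStatus">0xC000006A</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="WorkstationName">$Workstation</Data>
    <Data Name="IpAddress">$Ip</Data>
  </EventData>
</Event>
"@
}

$start  = Get-Date '2024-05-01 08:00:00'
$sample = @()
foreach ($i in 1..6) {   # six failures in six minutes against one service account
    $sample += New-SampleFailedLogonXml -User 'svc-backup' -Domain 'EXAMPLE' -Ip '10.0.0.25' -Workstation 'WKS-25' -When $start.AddMinutes($i)
}
$sample += New-SampleFailedLogonXml -User 'jdoe' -Domain 'EXAMPLE' -Ip '10.0.0.40' -Workstation 'WKS-40' -When $start.AddMinutes(30)

$parsed = $sample | ConvertFrom-SecurityEventXml
Get-FailedLogonSummary -Events $parsed | Format-Table -AutoSize
# Expected: EXAMPLE\svc-backup from 10.0.0.25 shows Failures=6, Flagged=True;
#           EXAMPLE\jdoe from 10.0.0.40 shows Failures=1, Flagged=False.

# On a server where the Logon subcategory is enabled, feed live records instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=(Get-Date).AddHours(-24) } |
#             ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml
# Get-FailedLogonSummary -Events $live
```

Grouping by account and source together keeps a password-spray (many accounts, one source) distinguishable from a single account being guessed; adding a second pass grouped only on Source would surface the spray pattern from the same parsed objects.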

2. Account Logon Auditing

Credential Validation

auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable

What this does:
Logs authentication attempts validated by the system.

What gets logged:

  • Successful and failed password validations
  • NTLM authentication events

Why this matters:
Useful for identifying:

  • Failed password attempts
  • Credential misuse
  • Lateral movement attempts

Event IDs monitored by STG for this command:

  • 4776 – The computer attempted to validate the credentials for an account

Kerberos Authentication Service

auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

What this does:
Enables logging of Kerberos ticket-granting ticket (TGT) requests.

What gets logged:

  • Successful and failed Kerberos authentications
  • Domain-based authentication activity

Why this matters:
Critical for:

  • Detecting Kerberos abuse
  • Identifying domain authentication failures

Event IDs monitored by STG for this command:

  • 4768 – A Kerberos authentication ticket (TGT) was requested

Kerberos Service Ticket Operations

auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable

What this does:
Logs Kerberos service ticket (TGS) requests.

What gets logged:

  • Requests for access to services using Kerberos

Why this matters:
Helps detect:

  • Service ticket abuse
  • Potential Pass-the-Ticket attacks

Event IDs monitored by STG for this command:

  • 4769 – A Kerberos service ticket was requested

3. Privilege Use Auditing

auditpol /set /subcategory:"Sensitive Privilege Use" /success:enable /failure:enable

What this does:
Tracks the use of high-risk privileges.

What gets logged:

  • Use of admin-level privileges (e.g., SeDebugPrivilege, SeTcbPrivilege)

Why this matters:
Important for identifying:

  • Privilege escalation
  • Abuse of administrative rights

Event IDs monitored by STG for this command:

  • 4672 – Special privileges assigned to a new logon
  • 4673 – A privileged service was called
  • 4674 – An operation was attempted on a privileged object

4. Process Creation (Advanced Auditing Script Only)

auditpol /set /subcategory:"Process Creation" /success:enable

What this does (enabled in the Advanced script only):
Logs an event each time a new process is created.

What gets logged:

  • Executable name
  • Process ID
  • Parent process

Why it is commented out in the Basic script:
This setting can generate high log volume. It is typically enabled only when deeper forensic visibility is required.

Event IDs monitored by STG for this command:

  • 4688 – A new process has been created

5. Command-Line Logging for Processes (Advanced Auditing Script Only)

reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit `
/v ProcessCreationIncludeCmdLine_Enabled /t REG_DWORD /d 1 /f

What this does (enabled in the Advanced script only):
Adds the full command-line arguments to Process Creation (Event ID 4688) events.

Why this matters:
Provides visibility into:

  • Scripts and commands executed
  • Malicious or suspicious command usage

Note:
This significantly increases log detail and should be enabled only when required.


6. System Auditing

Security System Extension

auditpol /set /subcategory:"Security System Extension" /success:enable

What this does:
Logs activity related to security-related system components.

What gets logged:

  • Loading of authentication packages
  • Security subsystem changes

Why this matters:
Helps detect:

  • Tampering with security components
  • Unauthorized system-level changes

Audit Policy Change

auditpol /set /subcategory:"Audit Policy Change" /success:enable

What this does:
Logs changes made to audit policies.

What gets logged:

  • Who changed audit settings
  • When audit settings were modified

Why this matters:
Ensures visibility if someone attempts to:

  • Disable logging
  • Reduce audit coverage

7. Object Access – File Shares

File Share

auditpol /set /subcategory:"File Share" /success:enable

What this does:
Logs access to shared folders.

What gets logged:

  • Access to network file shares

Why this matters:
Useful for monitoring:

  • Data access
  • Unauthorized file share usage

Event IDs monitored by STG for this command:

  • 5140 – A network share object was accessed

Detailed File Share

auditpol /set /subcategory:"Detailed File Share" /success:enable

What this does:
Provides more granular logging for file share access.

What gets logged:

  • Specific files accessed within shares

Why this matters:
Supports detailed forensic investigations and data access tracking.

Event IDs monitored by STG for this command:

  • 5145 – A network share object was checked to see if the client can be granted desired access

Filtering Platform Connection (Advanced Auditing Script Only)

auditpol /set /subcategory:"Filtering Platform Connection" /success:enable

What this does:
Logs network connections that are allowed by the Windows Filtering Platform (WFP), which underpins Windows Firewall and IPsec.

What gets logged:

  • Successful inbound and outbound network connections
  • Connections permitted by firewall rules
  • Applications and processes establishing network connections

Why this matters:
Useful for monitoring:

  • Unauthorized or unexpected network communications
  • Potential malware or command-and-control activity
  • Lateral movement between systems
  • Firewall rule effectiveness and misuse

This logging helps correlate network activity with file share access and other object access events during security investigations.

Event IDs monitored by STG for this command:

  • 5156 – The Windows Filtering Platform has permitted a connection

8. Account Management Auditing

User Account Management

auditpol /set /subcategory:"User Account Management" /success:enable

What this does:
Logs changes to user accounts.

What gets logged:

  • User creation and deletion
  • Password resets
  • Account enable/disable actions

Why this matters:
Helps detect:

  • Unauthorized account creation
  • Account manipulation

Event IDs monitored by STG for this command:

  • 4720 – A user account was created
  • 4722 – A user account was enabled
  • 4724 – An attempt was made to reset an account’s password
  • 4725 – A user account was disabled
  • 4738 – A user account was changed

Security Group Management

auditpol /set /subcategory:"Security Group Management" /success:enable

What this does:
Logs changes to security groups.

What gets logged:

  • Users added or removed from groups
  • Privileged group changes (e.g., Administrators)

Why this matters:
Critical for detecting:

  • Privilege escalation
  • Unauthorized admin access

Event IDs monitored by STG for this command:

  • 4728 – A member was added to a security-enabled global group
  • 4729 – A member was removed from a security-enabled global group
  • 4732 – A member was added to a security-enabled local group
  • 4733 – A member was removed from a security-enabled local group
  • 4735 – A security-enabled local group was changed
  • 4737 – A security-enabled global group was changed
  • 4755 – A security-enabled universal group was changed
  • 4756 – A member was added to a security-enabled universal group
  • 4757 – A member was removed from a security-enabled universal group

Expected Outcome

After running this script:

  • Security-relevant activities will be logged in the Windows Security Event Log
  • Logs can be forwarded to centralized monitoring tools
  • Improved visibility for audits, investigations, and compliance
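As an added verification step (this is not one of the Messageware scripts), the following PowerShell reads the effective audit policy with `auditpol /get /category:* /r`, whose CSV output carries an "Inclusion Setting" column, compares it with the subcategories the Basic or Advanced script sets according to the command reference above, and for the Advanced profile also checks the ProcessCreationIncludeCmdLine_Enabled registry value. It must run in an elevated session, as auditpol itself does. The expected-settings table is assembled from the commands documented on this page; "Filtering Platform Connection" is treated as Advanced-only because its heading says so, and the Test-AuditPolicyProfile / Get-EffectiveAuditPolicy names are this example's own.

```powershell
# Added verification script, not part of the Messageware auditing scripts.
# Compares the effective audit policy with what STG_basic_auditing.ps1 or
# STG_advanced_auditing.ps1 is documented to set. Run as Administrator.

# Expected settings, taken from the command reference on this page.
$ExpectedPolicy = @(
    @{ Subcategory = 'Logon';                              Success = $true; Failure = $true;  AdvancedOnly = $false }
    @{ Subcategory = 'Credential Validation';              Success = $true; Failure = $true;  AdvancedOnly = $false }
    @{ Subcategory = 'Kerberos Authentication Service';    Success = $true; Failure = $true;  AdvancedOnly = $false }
    @{ Subcategory = 'Kerberos Service Ticket Operations'; Success = $true; Failure = $true;  AdvancedOnly = $false }
    @{ Subcategory = 'Sensitive Privilege Use';            Success = $true; Failure = $true;  AdvancedOnly = $false }
    @{ Subcategory = 'Process Creation';                   Success = $true; Failure = $false; AdvancedOnly = $true  }
    @{ Subcategory = 'Security System Extension';          Success = $true; Failure = $false; AdvancedOnly = $false }
    @{ Subcategory = 'Audit Policy Change';                Success = $true; Failure = $false; AdvancedOnly = $false }
    @{ Subcategory = 'File Share';                         Success = $true; Failure = $false; AdvancedOnly = $false }
    @{ Subcategory = 'Detailed File Share';                Success = $true; Failure = $false; AdvancedOnly = $false }
    @{ Subcategory = 'Filtering Platform Connection';      Success = $true; Failure = $false; AdvancedOnly = $true  }
    @{ Subcategory = 'User Account Management';            Success = $true; Failure = $false; AdvancedOnly = $false }
    @{ Subcategory = 'Security Group Management';          Success = $true; Failure = $false; AdvancedOnly = $false }
)

function Get-EffectiveAuditPolicy {
    # /r makes auditpol emit CSV with a Subcategory and an "Inclusion Setting" column
    # (values such as 'Success and Failure', 'Success', 'Failure', 'No Auditing').
    auditpol /get /category:* /r | ConvertFrom-Csv
}

function Test-AuditPolicyProfile {
    param([ValidateSet('Basic', 'Advanced')][string]$Profile = 'Basic')

    $current = Get-EffectiveAuditPolicy
    foreach ($e in $ExpectedPolicy) {
        if ($e.AdvancedOnly -and $Profile -eq 'Basic') { continue }
        $row     = $current | Where-Object { $_.Subcategory -eq $e.Subcategory }
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Subcategory not found' }
        # 'Success and Failure' satisfies both checks; 'No Auditing' satisfies neither.
        $successOk = (-not $e.Success) -or ($setting -match 'Success')
        $failureOk = (-not $e.Failure) -or ($setting -match 'Failure')
        [pscustomobject]@{
            Setting   = $e.Subcategory
            Expected  = if ($e.Failure) { 'Success and Failure' } else { 'Success' }
            Current   = $setting
            Compliant = ($successOk -and $failureOk)
        }
    }

    if ($Profile -eq 'Advanced') {
        # Command-line logging for 4688 is a registry value, not an auditpol subcategory.
        $key  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
        $item = Get-ItemProperty -Path $key -Name 'ProcessCreationIncludeCmdLine_Enabled' -ErrorAction SilentlyContinue
        $val  = if ($item) { $item.ProcessCreationIncludeCmdLine_Enabled } else { 'Value not set' }
        [pscustomobject]@{
            Setting   = 'ProcessCreationIncludeCmdLine_Enabled (registry)'
            Expected  = 1
            Current   = $val
            Compliant = ($val -eq 1)
        }
    }
}

# Usage: check the profile that was deployed on this server and list any gaps.
$report = Test-AuditPolicyProfile -Profile 'Advanced'
$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Compliant } |
    ForEach-Object { Write-Warning "Not compliant: $($_.Setting) (current: $($_.Current))" }
```

Running this after the script, and again on a schedule, catches the case the Audit Policy Change subcategory is meant to expose: a later Group Policy refresh or manual auditpol change silently narrowing the coverage the script established.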