skip.link.title
share

How to Enable Windows Security Logs

By default, some critical security events are not tracked by Windows Servers. To improve security monitoring, you need to manually enable logging for these events. Below is a list of the top 10 security events and steps to enable them.

File Audit

Keeps track of who accessed or changed important files.

How to enable auditing for specific files or folders:

  1. Enable Object Access Auditing: (Allows Windows to start tracking access to any files or folders you specify later.)

  2. Open Group Policy Editor (type gpedit.msc in the Start menu).

  3. Go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit File System.
  4. Set both Success and Failure to track all actions.

  5. Set Auditing on a Specific File or Folder:

  6. Right-click on the file or folder you want to audit and select Properties.

  7. Go to the Security tab and click Advanced.
  8. In the Advanced Security Settings window, go to the Auditing tab.
  9. Click Add, then select Principal. In the box that appears, type Everyone, and click OK.
  10. Under Type, select Success (to track successful access) and Failure (to track failed access attempts).
  11. Under Basic Permissions, select the activities you want to audit (e.g., Read, Write, Delete).
  12. Click OK to apply the settings, and close the windows.

Process Creation

Helps detect suspicious software by tracking what processes are running.

How to enable:

  1. In Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking > Audit Process Creation.
  2. Set Success to log every new process.

Registry Changes

Monitors changes to the Windows Registry. The Registry is often targeted by malware, so monitoring changes is key.

How to enable:

  1. In Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit Registry.
  2. Enable both Success and Failure.

Logon/Logoff Events

Tracks when users log in and out, helping to identify unauthorized access.

How to enable:

  1. In Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Logon/Logoff > Audit Logon.
  2. Enable both Success and Failure.

Privilege Use

Monitors the use of sensitive privileges that could affect system security.

How to enable:

  1. In Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Privilege Use > Audit Sensitive Privilege Use.
  2. Enable Success to track when special permissions are used.

Audit Policy Changes

Tracks any changes to logging settings, which might signal tampering attempts.

How to enable:

  1. In Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Policy Change > Audit Audit Policy Change.
  2. Enable Success and Failure.

Object Access

Tracks access to sensitive system objects like files or shared resources might lead to detect unauthorized access.

How to enable:

  1. In Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Object Access > Audit Object Access.
  2. Enable both Success and Failure.

Account Lockouts

Helps detect brute-force attacks and login issues.

How to enable:

  1. In Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Logon > Audit Account Lockout.
  2. Enable Success and Failure.

User Account Management

Tracks when user accounts are created, deleted, or modified.

How to enable:

  1. In Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Account Management > Audit User Account Management.
  2. Enable both Success and Failure.

System Integrity

Tracks system integrity violations, such as failed checks of important files or drivers. Helps detect tampering or issues that compromise the system’s integrity.

How to enable:

  1. In Group Policy Editor, go to: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Integrity > Audit System Integrity.
  2. Enable both Success and Failure.