How to Configuring Authentication-Related Audit Policies in Windows Server 2016

By | 03/04/2018

What is Audit Authentication?

Auditing is an important security component. Windows Server 2016 domain controllers and other servers log security-related events to the Security log, where you can monitor and identify issues that might warrant further investigation. Auditing can log successful activities to provide documentation of changes. It also can log failed and potentially malicious attempts to access enterprise resources.

Infrastructure Requirement :

  • 1 DC SERVER (DC-CLOUD) 
  • 1 Client PC running Windows 10 (CLIENT-10)

Lets get started.

01 – Configuring Authentication-related Audit Policies

1 – Open Server Manager, click the Tools, and then click Group Policy Management.

19

2 – In the Group Policy Management Console, in the navigation pane, expand Forest:
Windows.ae\Domains\Windows.ae\Group Policy Objects
, and then Right-click the Default Domain Controllers Policy, and then click Edit. 

1

3 – In the Group Policy Management Editor window, in the navigation pane, expand Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies, and then click Audit Policy. 

2.png

4 – In the details pane, double-click Audit account logon events, and then explain the following configuration options:
• If you select the Define these policy settings check box, the policy is applied.
• If you select Success, only success audits are logged.
• If you select Failure, only failure audits are logged.

Click Cancel to close the Audit account logon events Properties dialog box.

3.pngIf multiple policies contain the setting, and it is defined differently, the success and failure options apply based on the last applied policy that defined those settings. If one policy defines success audits and another defines failure audits, they do not merge.

5 – Repeat In the Group Policy Management Editor window, in the navigation pane, navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy configuration\Audit Policies, and then click Audit Policies.

4.png

6 – In the Audit Policies policy, show the ten main categories, and then click Account Logon. 

5.png

7 – Show the four subcategories, and then double-click Audit Kerberos Authentication Service.

6 Show that the subcategory has the same settings as in the Audit Policy Audit Account Logon setting, and then explain that they are now on a more detailed level and allow a more selective auditing.

8 – Select Configure the following audit events, select Success, select Failure, and then click Apply.

7Close the Audit Kerberos Authentication Service Properties dialog box, click OK.

9 – On DC-CLOUD, in the Right-Click Start, then click Command Prompt. 

Screenshot (10)

10 – Type gpupdate /force, and then press Enter.

17Wait until the policy has been updated.

02 – Verify CLIENT Logon

1 – CLIENT-10, attempt to sign in as Windows\Sifad with password [email protected].

8.png

2 – You will get a message that the user name or password is incorrect. Click OK.

9.png

3 – Sign in as Windows\Sifad with password [email protected].

10.pngWait until the logon is finished and CLIENT-10 has started

03 – Viewing logon events

1 – Open Server Manager, click Tools, and then click Event Viewer.

11.png

2 – In Event Viewer, in the navigation pane, expand Windows Logs, and then click Security.

12.png

3 – In the details pane, locate the Event ID 4771, and then show that this event is an Audit Failure event. Show that this event was logged when Windows\Sifad tried to sign in with the wrong password. Click Close.

13.png

4 – Locate the event with the Event ID 4768. Show that this is an Audit Success event. Show that this event was logged when Windows\Sifad signed in successfully. Click Close.

14.pngClose Event Viewer

Leave a Reply

Your email address will not be published. Required fields are marked *