With Windows 2008, Microsoft introduced granular control over auditing options. In the first release these granular audit options could only be set locally using auditpol; with Windows 2008 R2 the same options can also be set via GPO. This granularity is key to auditing exactly what you need without overtaxing your servers and, if you have implemented it, ACS.
During one of my periodic audits at a customer with a small ACS implementation (about 100 servers), I noticed that the Windows 2008 R2 file servers were returning only a subset of the events they were expected to collect. They had been configured to receive a company-wide GPO for generic auditing, plus file access auditing via a local setting applied through auditpol. The GPO was using old-style (Windows 2003) auditing settings.
When I ran RSOP (gpresult) everything seemed fine, yet not all the auditing events were being logged. I then turned to auditpol, and its output was completely different, and consistent with what I could see in the event log. It turned out that you must not mix old-style and new-style auditing policies, and that you had better not use auditpol to set local policies. To get rid of the issue I WMI-filtered the old audit GPO so that it applies only to pre-Windows 2008 R2 systems (select * from win32_operatingsystem where version < '6.1') and added a new GPO for Windows 2008 R2 systems (select * from win32_operatingsystem where version > '6.1'). In this specific environment we have a number of Windows 2008 servers that are managed like Windows 2003 ones with respect to auditing policies.
What I learned is:
- if you intend to use advanced audit settings, the only reliable way to know the exact effective audit policy is auditpol (auditpol /get /category:"*")
- auditpol /set is not reliable, at least when GPOs are applied with old-style audit settings
- don't mix old-style and advanced auditing
- RSOP is not reliable if you use advanced auditing
In the same vein, I would advise turning off Filtering Platform auditing (on by default on Windows 2008 R2): it generates tons of events, and if you're not sure you need them, you are better off leaving them off.
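Since auditpol, not RSOP, reports the effective policy, a quick way to catch the drift described above is to diff auditpol's output against the baseline you intended to deploy. The script below is an added example, not part of the original post; the baseline hashtable is constructed for illustration (it encodes the file-access auditing and the disabled Filtering Platform subcategories discussed here) and should be replaced with your own expected settings.

```powershell
# Added example: compare the effective audit policy (per auditpol) with a desired
# baseline and flag subcategories that differ. Baseline values are constructed for
# illustration; adjust them to the policy you actually deploy.

$baseline = @{
    'File System'                    = 'Success and Failure'
    'Logon'                          = 'Success and Failure'
    'Filtering Platform Connection'  = 'No Auditing'
    'Filtering Platform Packet Drop' = 'No Auditing'
}

# /r emits a CSV report of the effective settings (what the LSA actually enforces),
# which is what the event log reflects, regardless of what RSOP/gpresult claims.
$effective = auditpol /get /category:* /r | ConvertFrom-Csv

$report = foreach ($row in $effective) {
    $sub = $row.Subcategory
    if ($baseline.ContainsKey($sub)) {
        $want = $baseline[$sub]
        $have = $row.'Inclusion Setting'
        [pscustomobject]@{
            Subcategory = $sub
            Expected    = $want
            Effective   = $have
            Match       = ($want -eq $have)
        }
    }
}

$report | Format-Table -AutoSize

# Non-zero exit on any mismatch, so the script can run from a scheduled task
# or a monitoring agent on each file server after GPO refresh.
if ($report | Where-Object { -not $_.Match }) { exit 1 }
```

Run it after a gpupdate on a server that receives both the old-style GPO and local auditpol settings: any row with Match = False is a subcategory whose effective policy differs from what you expected, which is exactly the condition RSOP hid in the case above.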
Resources that helped me:
This posting is provided "AS IS" with no warranties, and confers no rights.