What's New in Security Auditing

Updated: April 27, 2012

Applies To: Windows 8, Windows Server 2012

This document describes security auditing enhancements for Windows 8 and Windows Server 2012. These enhancements assist IT professionals who work with Windows 8 and Windows Server 2012 to monitor, troubleshoot, and enforce security compliance in a network.

Feature description

Security auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is to verify regulatory compliance. For example, industry standards such as Sarbanes-Oxley, HIPAA, and Payment Card Industry (PCI) require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence or absence of such policies, and they prove compliance or noncompliance with these standards.

Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policy, and deter irresponsible behavior by creating a record of user activity that can be used for forensic analysis.

To fully benefit from security auditing, administrators must address the following technical challenges:

Control audit volume: One of the biggest considerations of security audits is the cost of collecting, storing, and analyzing audit events. If the audit policies are too broad, the volume of audit events that are collected rises, and this increases costs. If the audit policies are too narrow, you risk missing important events.

Analyze audit events: Sifting through the audit volume and getting to the most relevant data has always been challenging. In the presence of broad audit policies, not all audit events are relevant. In this scenario, answering a question like, “Who is accessing my sensitive data?” is often difficult.

Centrally manage audit policies: Global Object Access Auditing was introduced in Windows 7 and Windows Server 2008 R2 as a means to centrally create and manage audit policies for the file system and the registry. However, customers face two major challenges:

  • Policies from multiple GPOs are not merged—so on the client computer, the effective Global Object Access Audit policy comes from the winning GPO.

  • Global Object Access Auditing generates a lot of audit volume.

Audit removable storage devices: Many organizations are concerned about sensitive data being copied onto removable storage devices that are not controlled by their IT departments. Windows 7 and Windows Server 2008 R2 do not support auditing removable storage devices. As a result, enterprises lose the visibility of who accessed sensitive data after it has been copied to a removable storage device.

New and changed functionality

In Windows Server 2012, you can author audit policies by using expression-based audit policies and resource properties. This enables scenarios that were impossible or too difficult to perform.

After administrators have created and applied the audit policies, the next consideration for them is gleaning meaningful information from the audit events that are logged. Expression-based audit policies can help reduce the volume of audits. However, users also need a way to query these events for meaningful information and to ask questions such as, “Who is accessing my high value data?” or “Was there an unauthorized attempt to access sensitive data?” Windows Server 2012 enhances existing data access events by logging additional information regarding user, computer, and resource claims. These events are generated on a per-server basis.

Note

To provide a full view of events across the organization, Microsoft is working with partners to provide event collection and analysis tools, such as System Center Operations Manager Audit Collection Services.

The following table summarizes changes to security auditing in Windows Server 2012.

Feature/functionality                      Earlier versions of Windows   Windows Server 2012
Expression-based audit policies                                          X
File access auditing                       X                             X (additional information)
Enhanced user logon auditing               X                             X (additional information)
Auditing new types of securable objects                                  X
Auditing removable storage devices                                       X

The following sections describe these security auditing features in greater detail.

Expression-based security audit policies

Windows Server 2012 introduces expression-based security audit policies. Dynamic Access Control in Windows Server 2012 enables you to create targeted audit policies by using expressions that are based on user, computer, and resource claims.

The following are examples of expression-based audit policies that administrators can apply in Windows Server 2012:

  • Audit everyone who does not have a high security clearance and yet tries to access documents with high business value.

  • Audit all vendors when they try to access documents that are related to projects that they are not working on.

Narrowly defined policies such as these can help regulate the volume of audit events and limit them to only the most relevant data or users.

Expression-based audit policies can be authored directly on a file or folder or applied centrally through Group Policy by using Global Object Access Auditing.
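As an added example that is not part of the original article, the following PowerShell applies an expression-based audit rule directly to a folder's SACL, which is the "authored directly on a file or folder" route described above. It assumes a folder D:\Shares\Finance, a Dynamic Access Control user claim named "clearance" and a resource property named "Impact"; all three are hypothetical names chosen for the example. The condition mirrors the first bullet above: audit users without a high clearance who access high-impact documents.

```powershell
# Added example (not from the TechNet article): apply an expression-based
# (conditional) audit ACE to a folder's SACL and read it back.
# Hypothetical assumptions: D:\Shares\Finance exists; the domain publishes a
# user claim "clearance" and a resource property "Impact" through Dynamic
# Access Control. Run elevated: writing a SACL requires SeSecurityPrivilege.

$Path = 'D:\Shares\Finance'   # constructed example path

# SACL in SDDL with one SYSTEM_AUDIT_CALLBACK ACE (type XU):
#   SAFA   - audit successful (SA) and failed (FA) access
#   OICI   - inherit to files (OI) and subfolders (CI)
#   FR     - FILE_GENERIC_READ
#   WD     - Everyone
#   (...)  - condition: the user's clearance is not High AND the resource is
#            classified as high impact
$Sddl = 'S:(XU;SAFAOICI;FR;;;WD;(@User.clearance != "High" && @Resource.Impact == "High"))'

# -Audit makes Get-Acl read the SACL in addition to the DACL.
$acl = Get-Acl -Path $Path -Audit

# Replace only the audit section; the DACL and owner stay as they are.
$auditOnly = [System.Security.AccessControl.AccessControlSections]::Audit
$acl.SetSecurityDescriptorSddlForm($Sddl, $auditOnly)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm the conditional audit ACE was stored.
$check = Get-Acl -Path $Path -Audit
$check.GetSecurityDescriptorSddlForm($auditOnly)
```

The audit rule only produces events once the Audit File System (and, for failures, Audit Handle Manipulation) subcategories under Object Access are enabled; the SACL by itself is inert. Applying the same condition through Global Object Access Auditing in a GPO, as the next section describes, avoids touching each folder's SACL.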

Changes to Global Object Access Auditing

Windows Server 2012 enables you to create expression-based audit policies by using Global Object Access Auditing. In addition, it merges the Global Object Access Auditing policies from multiple GPOs that apply to the client computer. This enables the following scenario:

The enterprise IT policy requires auditing Read and Write access to all documents marked as high business impact (HBI). In addition to this, the finance department requires auditing Read and Write access to all documents that belong to the finance department. The enterprise IT administrator can implement an enterprise-wide policy by authoring a Global Object Access Audit Policy (to monitor access to HBI data) in a Group Policy Object (GPO), and then target that GPO to all the file servers in the enterprise. Similarly, the file server administrator for the finance department can create another GPO and author the Global Object Access Audit Policy to monitor access to all the finance data.

Get more information from file access events

File access auditing is included in Windows Server 2012 and Windows 8. With the right audit policy in place, the Windows operating system will generate an audit event each time a user accesses a file.

In Windows Server 2012 and Windows 8, existing File Access events (4656, 4663) contain information about the attributes of the file that was accessed. This additional information can be used by event log filtering tools to help you identify the most relevant audit events for closer examination. For more information, see Audit Handle Manipulation and Audit SAM.

Get more information from user logon events

Windows Server 2012 and Windows 8 include user logon auditing. With the right audit policy in place, the Windows operating system generates an audit event (4624) each time a user logs on to a computer locally or remotely. (For more information, see Audit Logon.) In Windows Server 2012 and Windows 8, a new event (4626) contains information about the attributes of the file that was accessed. This additional information can be used by audit log management tools to enable event filtering that is based on file attributes and user attributes.
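The two sections above say that the file access events (4656, 4663) and the logon events (4624, 4626) now carry extra attribute and claim data that filtering tools can use. As an added example, not code from the article, the following PowerShell reads those events from the Security log and exposes every data field by the name the event itself uses, so a practitioner can filter on the new fields without depending on the rendered message text. The field names ResourceAttributes, UserClaims and DeviceClaims, and the resource property "Impact" used in the final query, are assumptions for this example; fields an event does not carry come back empty.

```powershell
# Added example (not from the TechNet article): surface the extra attribute
# and claim fields on file-access and logon audit events.
# Event IDs from the article: 4656/4663 (file access), 4624 (logon),
# 4626 (new logon event). Reading the Security log requires elevation.

function Get-AuditEventFields {
    param(
        [int[]]$Id = @(4656, 4663, 4624, 4626),
        [int]$MaxEvents = 200
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Audit events store their details as <Data Name="..."> elements.
            # Parsing the XML keeps the event's own field names.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }

            [pscustomobject]@{
                Time         = $_.TimeCreated
                Id           = $_.Id
                User         = $data['SubjectUserName']
                Object       = $data['ObjectName']           # file events only
                Access       = $data['AccessMask']           # file events only
                # Assumed field names for the Windows 8 / Server 2012 additions;
                # they are empty on events that do not carry them.
                Resource     = $data['ResourceAttributes']   # file classification
                UserClaims   = $data['UserClaims']           # 4626
                DeviceClaims = $data['DeviceClaims']         # 4626
                AllFields    = $data                         # everything else, by name
            }
        }
}

# "Who is accessing my high value data?": count successful accesses (4663)
# per user where the resource attributes mention the hypothetical "Impact"
# resource property.
Get-AuditEventFields -Id 4663 |
    Where-Object { $_.Resource -like '*Impact*' } |
    Group-Object User | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Because the function keeps the whole field set in AllFields, the same output can be joined on SubjectUserName or TargetLogonId to line up a 4626 claims event with the 4624 logon it belongs to, which is how "user attributes" and "file attributes" end up in one filter.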

Audit removable storage devices

Enterprises can limit or deny users the ability to use removable storage devices by using Removable Storage Access Policy. However, in earlier versions of the Windows and Windows Server operating systems, administrators could not track the use of removable storage devices. If you configure this policy setting in Windows Server 2012 and Windows 8, an audit event is generated each time a user attempts to access a removable storage device. Success audits (Event 4663) record successful attempts to write to or read from a removable storage device. Failure audits (Event 4656) record unsuccessful attempts to access removable storage device objects.

Note

To log removable storage device failure events, the setting Audit Handle Manipulation must also be configured.

This audit policy appears under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies\Object Access.
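As an added example that is not from the article, the PowerShell below enables the Removable Storage subcategory together with Handle Manipulation (which the note above requires for the failure events) on the local computer with auditpol.exe, then reads the effective setting back and fails if either subcategory is not auditing both success and failure. The subcategory names are the built-in auditpol names; the script assumes it is run elevated on Windows 8 or Windows Server 2012.

```powershell
# Added example (not from the TechNet article): enable and verify the audit
# subcategories behind removable storage auditing. Run elevated.

$Subcategories = 'Removable Storage', 'Handle Manipulation'

foreach ($sub in $Subcategories) {
    # Success audits yield 4663 (read/write succeeded); failure audits yield
    # 4656, which the article says also needs Handle Manipulation enabled.
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

function Get-AuditSubcategorySetting {
    param([string[]]$Name)
    foreach ($n in $Name) {
        # /r prints CSV (Machine Name, Policy Target, Subcategory,
        # Subcategory GUID, Inclusion Setting, Exclusion Setting), which is
        # easier to check than the padded text layout. Blank lines are dropped.
        auditpol.exe /get /subcategory:"$n" /r |
            Where-Object { $_ } |
            ConvertFrom-Csv |
            Select-Object Subcategory, 'Inclusion Setting'
    }
}

$settings = Get-AuditSubcategorySetting -Name $Subcategories
$settings

# A subcategory left at Success only (or No Auditing) silently drops the 4656
# failure events, so treat anything other than both as a misconfiguration.
$incomplete = $settings | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' }
if ($incomplete) {
    throw "Audit policy incomplete for: $($incomplete.Subcategory -join ', ')"
}
```

If Advanced Audit Policy Configuration is managed through Group Policy, the GPO setting wins at the next policy refresh and overwrites local auditpol changes, so in a managed environment the same two subcategories belong in the GPO path listed above rather than in a local script.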

See also

The following table provides additional resources for evaluating security auditing in Windows 8 and Windows Server 2012.

Content type          References
Product evaluation    The following document contains additional information about applying new security auditing features with Dynamic Access Control: Dynamic Access Control Scenario: File Access Auditing.