
How to Configure Windows Server Audit Policy

Windows Server audit policy controls which security events are recorded in the Security event log — login attempts, account changes, file access, privilege use, and more. Configuring audit policy correctly is the foundation of security monitoring and incident response. Without it, you have no record of who logged in, what was changed, or what was accessed. This guide explains how to configure Windows Server audit policy effectively.

Why Audit Policy Matters

The Security event log is your audit trail. When a security incident occurs — an account compromise, unauthorised access, a suspicious login at 3am — the Security log is where you look first. If auditing was not configured, that evidence does not exist. Audit policy is also required for compliance frameworks including Cyber Essentials, ISO 27001, and PCI-DSS.

Basic vs Advanced Audit Policy

Windows Server offers two levels of audit policy:

  • Basic audit policy: nine broad categories, configured in Local Security Policy or Group Policy under Security Settings → Local Policies → Audit Policy
  • Advanced audit policy: 53 granular subcategories that give precise control over exactly what is logged. Microsoft recommends using advanced audit policy — it reduces log noise while ensuring nothing important is missed.

Use advanced audit policy, and do not mix it with basic settings: when advanced subcategories are configured, also enable the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" so that the basic categories cannot override them. Basic audit policy on a busy server generates thousands of irrelevant events per hour.

Configure Advanced Audit Policy via Group Policy

  1. Open Group Policy Management and create or edit a GPO linked to the OU that contains your servers
  2. Navigate to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies
  3. Configure the subcategories relevant to your environment (see recommended settings below)

Configure Audit Policy via auditpol (Command Line)

# View current audit policy
auditpol /get /category:*

# Enable logon auditing (success and failure)
auditpol /set /subcategory:"Logon" /success:enable /failure:enable

# Enable account management auditing
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable

# Enable object access (required for file auditing)
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# View a specific category
auditpol /get /subcategory:"Logon"

Recommended Advanced Audit Policy Settings

Account Logon:

  • Credential Validation — Success and Failure (catches failed password attempts at the DC level)

Account Management:

  • User Account Management — Success and Failure (records account creation, deletion, password resets)
  • Security Group Management — Success (records group membership changes)

Logon/Logoff:

  • Logon — Success and Failure (Event IDs 4624 and 4625 — successful logons and failed attempts)
  • Account Lockout — Success (Event ID 4740 — records when accounts are locked)

Object Access (if monitoring file access):

  • File System — Success and/or Failure (requires additional SACL configuration on specific folders)

Policy Change:

  • Audit Policy Change — Success (records when the audit policy itself is changed)
  • Authentication Policy Change — Success

Privilege Use:

  • Sensitive Privilege Use — Failure (logs failed attempts to exercise sensitive privileges, such as use by accounts that do not hold them)

System:

  • Security System Extension — Success
  • System Integrity — Success and Failure
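The recommended settings above, applied with auditpol and then verified by parsing the CSV output of auditpol /get /r, as an added PowerShell example that is not part of the original article; the $Desired table and the two function names are my own, and the script assumes an elevated Windows PowerShell prompt on the server being configured.

```powershell
# Added example (not from the original article): apply the recommended
# subcategories above with auditpol, then verify them by parsing the CSV
# output of `auditpol /get /r`. Run from an elevated prompt.
$Desired = @{
    'Credential Validation'        = 'Success and Failure'
    'User Account Management'      = 'Success and Failure'
    'Security Group Management'    = 'Success'
    'Logon'                        = 'Success and Failure'
    'Account Lockout'              = 'Success'
    'File System'                  = 'Success and Failure'
    'Audit Policy Change'          = 'Success'
    'Authentication Policy Change' = 'Success'
    'Sensitive Privilege Use'      = 'Failure'
    'Security System Extension'    = 'Success'
    'System Integrity'             = 'Success and Failure'
}

function Set-DesiredAuditPolicy {
    param([hashtable]$Policy)
    foreach ($sub in $Policy.Keys) {
        $setting = $Policy[$sub]
        # Map the human-readable setting onto auditpol's /success and /failure flags
        $s = if ($setting -like 'Success*') { 'enable' } else { 'disable' }
        $f = if ($setting -like '*Failure') { 'enable' } else { 'disable' }
        auditpol /set /subcategory:"$sub" /success:$s /failure:$f | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$sub'" }
    }
}

function Test-DesiredAuditPolicy {
    param([hashtable]$Policy)
    # /r emits CSV whose 'Inclusion Setting' column reads e.g. "Success and Failure"
    $current = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
    foreach ($sub in $Policy.Keys) {
        $row = $current | Where-Object { $_.Subcategory -eq $sub }
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<not found>' }
        [pscustomobject]@{
            Subcategory = $sub
            Expected    = $Policy[$sub]
            Actual      = $actual
            Compliant   = ($actual -eq $Policy[$sub])
        }
    }
}

Set-DesiredAuditPolicy -Policy $Desired
Test-DesiredAuditPolicy -Policy $Desired | Format-Table -AutoSize
```

Any row with Compliant = False after a Group Policy refresh usually means a GPO is setting that subcategory differently, which is worth finding before relying on the log.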

Configure File and Folder Auditing

To audit access to specific files or folders, two things are needed: the File System subcategory (under Object Access) must be enabled as above, and a System Access Control List (SACL) must be added to the folder:

  1. Right-click the folder → Properties → Security tab → Advanced
  2. Click the Auditing tab
  3. Click Add → select the principal (user or group) to audit (use “Everyone” to audit all access)
  4. Select the type (Success, Fail, or both) and the specific permissions to audit (e.g. Read, Write, Delete)
  5. Click OK

Folder access events then appear in the Security log as Event IDs 4663 (an object was accessed) and 4656 (a handle to an object was requested).
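Steps 1 to 5 above done programmatically, as an added PowerShell example that is not part of the original article; the function names and the folder path D:\Shares\Finance are hypothetical, and the script assumes an elevated prompt, since reading and writing a SACL needs the SeSecurityPrivilege.

```powershell
# Added example (not from the original article): add a SACL audit entry to a
# folder, the equivalent of the Auditing tab steps above, then list the SACL
# to confirm it. Requires an elevated prompt (SeSecurityPrivilege).
function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [string]$Principal = 'Everyone',                      # principal to audit (step 3)
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadData, WriteData, Delete',  # step 4
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'                      # step 4
    )
    # Inherit to subfolders and files so access anywhere under $Path is audited
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $Principal, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Flags)
    # -Audit is required: without it Get-Acl returns the DACL only and Set-Acl would not touch the SACL
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAuditRules {
    param([Parameter(Mandatory)] [string]$Path)
    # Explicit and inherited audit entries, resolved to account names
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

# Hypothetical folder used for illustration
Add-FolderAuditRule -Path 'D:\Shares\Finance'
Get-FolderAuditRules -Path 'D:\Shares\Finance' | Format-Table -AutoSize
```

The SACL alone produces nothing; 4663/4656 events appear only once the File System subcategory is enabled as well.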

Increase Security Log Size

The default Security log size (20MB) fills up quickly on an active server — events are overwritten before you can investigate them. Increase the maximum log size:

  1. Open Event Viewer → Windows Logs → right-click Security → Properties
  2. Increase Maximum log size to at least 512MB for domain controllers, 256MB for member servers
  3. Set the action to Archive the log when full, do not overwrite events on critical servers

# Via PowerShell (Windows PowerShell 5.1; Limit-EventLog is not available in PowerShell 7)
Limit-EventLog -LogName Security -MaximumSize 512MB

Key Security Event IDs to Monitor

  • 4624 — Successful logon (who logged in, when, from where)
  • 4625 — Failed logon (brute-force indicator if repeated)
  • 4648 — Logon using explicit credentials (pass-the-hash indicator)
  • 4720 — User account created
  • 4726 — User account deleted
  • 4732/4733 — Member added to / removed from a security group
  • 4740 — Account locked out
  • 4756 — Member added to a universal security group
  • 4798/4799 — User’s local group membership enumerated (reconnaissance indicator)
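Detection logic over the event IDs listed above, as an added PowerShell example that is not part of the original article: it pulls those IDs from the Security log and summarises sources with repeated 4625 failures, the brute-force indicator the list mentions. The function names and the default threshold of 10 are my own choices.

```powershell
# Added example (not from the original article): collect the key event IDs
# above from the Security log and flag sources with repeated 4625 failures.
function Get-KeySecurityEvents {
    param([int]$Hours = 24)
    $ids = 4624, 4625, 4648, 4720, 4726, 4732, 4733, 4740, 4756, 4798, 4799
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = $ids
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
}

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)
    # The useful fields live in each event's XML payload under EventData/Data[@Name]
    $rows = Get-KeySecurityEvents -Hours $Hours | Where-Object Id -eq 4625 | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = $d['TargetUserName']
            SourceIp  = $d['IpAddress']
            LogonType = $d['LogonType']
            Status    = $d['SubStatus']   # 0xC000006A = bad password, 0xC0000064 = unknown user
        }
    }
    # Many failures from one source: against many accounts or against one, both warrant a look
    $rows | Group-Object SourceIp | Where-Object Count -ge $Threshold | ForEach-Object {
        [pscustomobject]@{
            SourceIp  = $_.Name
            Failures  = $_.Count
            Accounts  = ($_.Group.Account | Sort-Object -Unique) -join ', '
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
        }
    }
}

Get-FailedLogonSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Get-WinEvent needs read access to the Security log, so run it elevated or as a member of Event Log Readers.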
