KFSensor

 

Windows Audit configuration

The Windows auditing required by KFSensor is not enabled by default and enabling it is a complex procedure and varies between different versions of Windows and on how domain security is implemented.

In order to enable auditing the KFSensor machine's audit policy needs to be updated. This can be done on the machine itself, or by a group policy in Active Directory. If the KFSensor machine is part of a domain and there is already a defined group audit policy in place then it will be necessary to do this at the Active Directory level. The advantage of this is that one group policy can be designed to enable auditing on all sensors in an organization at the same time.

Setting the audit policy on a standalone Windows XP, 7, 8, 10 machine

  1. Run the Local Group Policy Editor (LGPE). From the command line or Run box, enter 'gpedit.msc'
  2. In the LGPE, select Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policy > Audit Policy
  3. Enable the Success and Failure security settings for auditing of the following policy settings as follows:
    • Audit account logon events -> Success, Failure
    • Audit account management -> Success, Failure
    • Audit directory service access -> Success, Failure
    • Audit logon events -> Success, Failure
    • Audit object access -> Success, Failure
    • Audit policy change -> Failure
    • Audit privilege use -> Failure
    • Audit process tracking -> Failure
    • Audit system events -> Success, Failure
  4. Close the LGPE to save your changes.

Setting the audit policy via Active Directory on Windows 2003 and 2003 R2

  1. Create a new Active Directory GPO:
    1. Click Start > Administrative Tools > Active Directory Sites and Services.
    2. In the left pane, under "Sites", locate the forest for which you want to set group policy.
    3. Right-click the site, then select Properties.
    4. In the window that appears, click the Group Policy tab.
    5. Click New and enter a unique name.
  2. Open the GPO for editing by clicking the Edit... button in the Group Policy properties window.
  3. In the GPO Editor, select Computer Configuration > Windows Settings > Security Settings > Local Policy > Audit Policy.
  4. Enable the Success and Failure security settings for auditing of the following policy settings as follows:
    • Audit account logon events -> Success, Failure
    • Audit account management -> Success, Failure
    • Audit directory service access -> Success, Failure
    • Audit logon events -> Success, Failure
    • Audit object access -> Success, Failure
    • Audit policy change -> Failure
    • Audit privilege use -> Failure
    • Audit process tracking -> Failure
    • Audit system events -> Success, Failure
  5. Close the Group Policy Object Editor window to save your changes.
  6. Deploy the GPO:
    1. Open Active Directory Users and Computers. Click Start > Administrative Tools > Active Directory Users and Computers.
    2. In the left pane of the window that appears, right-click Domain controllers then click Properties.
    3. Click the Group Policy tab.
    4. Click the Add... button.
    5. In the dialog that appears select the All tab.
    6. Select the GPO you created in Step 1, then click OK.
    7. Close the window to save changes.

Setting the audit policy via Active Directory on Windows 2008 and 2008 R2

  1. Create a new GPO:
    1. Click Start > Administrative Tools > Group Policy Management.
    2. In the left pane, under "Group Policy Management," expand the forest and domain for which you want to set group policy.
    3. Right-click on Group Policy objects and select New.
    4. Enter a unique name for your new GPO and select None for the Source Starter GPO field.
  2. Open the GPO for editing by right-clicking the newly created GPO in the Group Policy Objects window and selecting Edit.
  3. In the GPO editor, select Computer Configuration > Policies > Windows Settings > Security Settings > Local Policy > Audit Policy.
  4. Enable the Success and Failure security settings for auditing of the following policy settings as follows:
    • Audit account logon events -> Success, Failure
    • Audit account management -> Success, Failure
    • Audit directory service access -> Success, Failure
    • Audit logon events -> Success, Failure
    • Audit object access -> Success, Failure
    • Audit policy change -> Failure
    • Audit privilege use -> Failure
    • Audit process tracking -> Failure
    • Audit system events -> Success, Failure
  5. Close the Group Policy Object Editor window to save your changes.
  6. Deploy the GPO:
    1. In Group Policy Management, in the left pane of the window, right-click on the Domain Controllers item and click Link an existing GPO..."
    2. In the window that appears, select the GPO you created in Step 1.
    3. Click OK. The GPMC will refresh to show that your GPO is now linked to the Domain Controllers organizational unit.

Advanced Audit Policy (AAP)

If Advanced Audit Policy (AAP) is enabled the Windows will disable the configuration of standard audit policy. AAP is only supported in the newest versions of Windows and provides many more configuration options. The principal is the same as that described above and it is possible to enable AAP to generate the same events. The step by step guide to enabling this is not included in this document.


KFSensor On-Line Manual Contents