Introduction
Infrastructure security is impossible without transparent control. One of the key features that enables such control in a Windows environment is Audit Policy. Activating Windows Audit Policy helps track login attempts, file access, permission changes, process launches, and other important events.
In a corporate environment, especially when complying with ISO/IEC 27001, PCI DSS, or SOC requirements, Windows security auditing is not just an additional feature, but a mandatory element. In this article, we will discuss how to configure and use Windows audit policy effectively, with examples, lists, and recommendations.
What is Windows Audit Policy
Audit Policy is a mechanism built into Windows that allows you to log key user and process actions in the system log (Event Log). These logs can be used to:
- investigate security incidents,
- monitor access to confidential data,
- detect intrusion attempts,
- and comply with internal control and audit requirements.
Examples of events that can be logged:
- Successful and unsuccessful login attempts
- Access to files and folders
- Changes to user groups
Why enable Windows Audit Policy
| Scenario | Benefits of auditing |
|---|---|
| Data leak investigation | Shows who accessed which file and when |
| Control of administrators' actions | Records changes in permissions and script execution |
| Compliance with audit requirements (SOC, ISO) | Complete event log with time and user references |
| Protection against internal threats | Detects abnormal activity and unauthorized access |
How to enable and configure Windows Audit Policy: Complete guide
Audit policy in Windows allows you to log important events, including logins, file access, permission changes, process launches, and more. You can configure it locally (on a single server or workstation) or via Group Policy (GPO) in a domain.
Option 1: Local configuration on a server or workstation
Suitable for:
- VPS / standalone servers
- Computers outside the domain
- Test machines
Step 1: Open the Local Security Policy snap-in
Press Win + R, type: secpol.msc and press Enter.
Go to the section: Local Security Policy → Local Policies → Audit Policy
Step 2: Enable the necessary audit categories
You will have access to 9 main categories:

| Category | What it records |
|---|---|
| Audit object access | Access to files, folders, registry keys |
| Audit logon events | Logon attempts on this machine (interactive, RDP) |
| Audit account logon events | Credential validation for network access (e.g., to a shared drive) |
| Audit account management | Creating, deleting, and modifying users and groups |
| Audit privilege use | Use of administrative privileges |
| Audit system events | Restart, shutdown, service errors |
| Audit policy change | Attempts to change security policies |
| Audit process tracking | Process start/exit |
| Audit directory service access | Only in Active Directory domains |
Example:
Open the "Audit logon events" policy and select both checkboxes:
- Successful attempts
- Failed attempts
Repeat for other necessary policies.
Step 3: Apply and restart
Changes take effect:
- after a restart, or
- after running: gpupdate /force
Option 2: Configuration via Group Policy (GPO) in the domain
Suitable for:
- Active Directory environments
- Mass management of servers and PCs
Step 1: Open the Group Policy Management Console
On the domain controller, press Win + R, type: gpmc.msc and press Enter.
Step 2: Create or modify the policy
Create a new GPO (for example: Audit Policy Servers)
Go to: Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy
Step 3: Enable the necessary settings
As in the local settings, enable:
- Audit object access
- Audit logon events
- Audit policy change, etc.
Specify which events to log: Success, Failure, or both.
Step 4: Link the policy to the OU
Apply the GPO to the desired container (OU) with servers or workstations.
Step 5: Apply the policy
On client machines, perform the following:
gpupdate /force
or wait for the GPO to update automatically.
Advanced settings: Advanced Audit Policy Configuration
Starting with Windows Server 2008 R2 and Windows 7, a more flexible system has been introduced:
- 53 audit subcategories instead of 9
- Configuration of finely controlled events (e.g., RDP logon, process startup, ACL changes)
How to enable:
- Open gpedit.msc (or gpmc.msc for domains)
- Go to: Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies
Enable the desired subcategories. Some of the most useful ones:
| Subcategory | Description |
|---|---|
| Logon | Successful and unsuccessful logons |
| Object Access | Attempts to access protected objects |
| Account Logon | User authentication via the network |
| Policy Change | Attempts to change security policies |
| Privilege Use | Use of administrative rights |
| Process Creation | Launching new processes |
To prevent the legacy (9-category) policy from overriding the advanced subcategory settings, enable the following security option so that the subcategories take precedence:
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings = Enabled
View and change from the command line (auditpol.exe, from cmd or PowerShell):
Check:
auditpol /get /category:*
Enable, for example, login audit:
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
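The auditpol commands above can be scripted to apply a consistent baseline of subcategories and then check that the effective settings match. The script below is an added example, not part of the original article; it assumes an elevated PowerShell session, that the "Force audit policy subcategory settings" option above is enabled, and it uses the English subcategory names listed by `auditpol /list /subcategory:*`.

```powershell
# Added example: apply a baseline of advanced audit subcategories with
# auditpol.exe and verify the effective result. Run from an elevated session.
$Baseline = [ordered]@{
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Account Lockout'           = 'Failure'
    'Special Logon'             = 'Success'
    'Credential Validation'     = 'Success and Failure'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Process Creation'          = 'Success'
    'File System'               = 'Success and Failure'  # 4663 also needs a SACL on the object
}

# Translate the wanted setting ("Success", "Failure", "Success and Failure")
# into the /success and /failure switches of auditpol.
function Set-AuditSubcategory {
    param([string]$Name, [string]$Setting)
    $succ = if ($Setting -like '*Success*') { 'enable' } else { 'disable' }
    $fail = if ($Setting -like '*Failure*') { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$Name" /success:$succ /failure:$fail | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$Name'" }
}

# Read the effective setting back from auditpol's CSV report (/r) output.
# The "Inclusion Setting" column holds e.g. "Success and Failure" or "No Auditing".
function Get-AuditSubcategory {
    param([string]$Name)
    $rows = & auditpol.exe /get /subcategory:"$Name" /r |
        Where-Object { $_ -match ',' } |   # drop any blank lines before the header
        ConvertFrom-Csv
    $rows.'Inclusion Setting'
}

foreach ($name in $Baseline.Keys) {
    Set-AuditSubcategory -Name $name -Setting $Baseline[$name]
}

# Report drift: every subcategory whose effective value differs from the baseline.
# A non-empty list usually means the legacy category policy is still winning.
$drift = foreach ($name in $Baseline.Keys) {
    $actual = Get-AuditSubcategory -Name $name
    if ($actual -ne $Baseline[$name]) {
        [pscustomobject]@{ Subcategory = $name; Expected = $Baseline[$name]; Actual = $actual }
    }
}
if ($drift) { $drift | Format-Table -AutoSize } else { 'Audit baseline applied and verified.' }
```

Run the same script on a schedule against your servers to catch audit settings that were changed after the baseline was applied.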
Where to view audit results
All events are recorded in the Windows Security Log:
- Open eventvwr.msc.
- Go to: Windows Logs → Security
Use the event ID:
| ID | Event |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4663 | Attempt to access an object |
| 4719 | Audit policy changed |
| 4688 | New process created |
| 4670 | Permissions (ACL) changed |
Filtering by these IDs will allow you to quickly find the events you need.
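The same filtering can be done from PowerShell with Get-WinEvent, which is also the starting point for the notifications mentioned in the tips below. The script that follows is an added example and not part of the original article; it assumes an elevated session (or membership in the "Event Log Readers" group) and uses the event IDs 4625 and 4719 from the table above.

```powershell
# Added example: summarise failed logons (4625) per account and source address
# over a look-back window, and list any audit policy changes (4719), which is the
# event to watch because it is how auditing gets switched off.
param(
    [int]$Hours     = 24,   # look-back window
    [int]$Threshold = 10    # failed logons per (account, source) worth reporting
)

$since = (Get-Date).AddHours(-$Hours)

# Pull one named field out of an event's EventData block via its XML form.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4625: failed logon. -ErrorAction SilentlyContinue suppresses the
# "No events were found" error when the window is empty.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = Get-EventField $_ 'TargetUserName'
            Source    = Get-EventField $_ 'IpAddress'
            LogonType = Get-EventField $_ 'LogonType'   # 3 = network, 10 = RDP
        }
    }

'Accounts/sources with at least {0} failed logons in the last {1} h:' -f $Threshold, $Hours
$failed | Group-Object Account, Source |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Account, Source'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# 4719: audit policy changed. Every unplanned hit here deserves a look.
'Audit policy changes in the last {0} h:' -f $Hours
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'ChangedBy';   e = { Get-EventField $_ 'SubjectUserName' } },
        @{ n = 'Subcategory'; e = { Get-EventField $_ 'SubcategoryGuid' } },
        @{ n = 'Changes';     e = { Get-EventField $_ 'AuditPolicyChanges' } } |
    Format-Table -AutoSize
```

Feed the two result sets to Send-MailMessage or your SIEM collector to turn this into the alerting described in the configuration tips.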
Configuration tips
- Enable only the necessary categories, otherwise the system will be overloaded with unnecessary logs.
- Regularly export and archive logs.
- Configure notifications via PowerShell or SIEM.
- Restrict access to logs — only administrators should have read permissions.
Tips for effective auditing
- Keep logs for at least 90 days, especially if there are compliance requirements.
- Use a SIEM system (e.g., Wazuh, Splunk, ELK) to centrally analyze logs.
- Don’t enable everything — this will create redundancy and overload the system.
- Assign someone to be responsible for auditing and reviewing logs.
Conclusion
Enabling Windows Audit Policy is a fundamental step toward ensuring security in any corporate IT infrastructure. Properly configured auditing allows you to identify threats, track data access, and comply with information security standards. Whether you use a dedicated server or Windows VPS, enabling and controlling audit policies is a wise investment in the stability and security of your environment.