Restore legacy audit policies on Windows Server 2008 R2
Recently, I was trying to reduce the spam in my security audit log by disabling auditing of "Filtering Platform Packet Drop". In a week's time, I get enough of these audit events to fill a 200 MB log file. I tried disabling this with an Advanced Audit Policy. Unknown to me, the system was using the legacy audit system, and this advanced audit policy killed all my audits. I propagated this out using Group Policy, since all of our policies are set this way, so it killed my Windows 7 machines too.
I have been able to restore auditing on my Windows 7 machines, and I tried applying the same fix to my 2008 server, but all I see is a bunch of "Audit policy has changed" events. The fix that worked for the Windows 7 machines is method 2:
Find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA
Right-click SCENoApplyLegacyAuditPolicy, and then click Modify.
Type 0 in the Value data box, and then click OK.
auditpol.exe /get /category:*
reports that there is no auditing enabled on my system.
How can I get auditing restored on my machine without having to restore the machine to a very outdated hard drive image?
I am going to repeat the answer to my question as I was not satisfied with the answer given here initially. I believe this answers this question as well.
From http://jmfcomputers.co.uk/blog/?p=202
(NOTE: Important to set the subcategory settings to "Disabled". That tripped me up for a bit.)
In order to roll back you will need to do the following:
◦ Reset all of your local advanced audit settings. If you did this via GPO, reset the settings in this GPO.
◦ On the 2008 machine use “auditpol /clear” to clear any locally set policies.
◦ You must set the local policy “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” to DISABLED. When you do this and it is applied you will see the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa – SCENoApplyLegacyAuditPolicy = 0 (DWORD)
◦ Then you need to delete the audit.csv files. For domain-based policy this will be in SYSVOL:
  ◦ \\[Domain]\sysvol\[Domain]\Policies\{GUID}\Machine\Microsoft\Windows NT\Audit
◦ For local policies, delete the Audit.csv from all of these locations. Some may be hidden, but they are there!
  ◦ C:\Windows\security\audit
  ◦ C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit
Now reboot or “gpupdate /force” and you should be back to the start again.
Incidentally, once you have got the 2008 R2 machine applying the old audit policies again, I would advise setting the policy "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" back to the default of not defined. This way, when you move forward with the Advanced Audit settings via GPO in the future, you will not have cases where 2008 R2 servers that were "fixed" by disabling this setting fail to apply the new advanced audit settings. To do this, just delete the SCENoApplyLegacyAuditPolicy DWORD value. You will see in the local policy that this has set the policy back to "not defined".
This appears to have restored auditing to the point it was at prior to enabling advanced auditing on our network.
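As an added example (my own script, not part of the original question, the answer or the linked blog post), here is the rollback above collected into one PowerShell script that also ends with the `auditpol /get /category:*` check from the question. The `$Domain` and `$GpoGuid` parameters and the `-ResetToNotDefined` switch are assumptions for illustration. The first step of the answer, removing the advanced audit settings from the GPO itself in GPMC, still has to be done by hand before running this; otherwise the next policy refresh puts them straight back. Note too that deleting the audit.csv under SYSVOL changes the policy for every machine that GPO applies to, so do that once from a domain-joined admin session rather than on every server.

```powershell
<#
  Added example, not the original poster's code. Rolls a Windows Server 2008 R2 /
  Windows 7 machine back from Advanced Audit Policy to the legacy category audit policy.
  Assumptions (not on the page): $Domain, $GpoGuid and -ResetToNotDefined are hypothetical
  parameters; the GPO has already had its advanced audit settings removed in GPMC.
#>
param(
    [string]$Domain  = 'corp.example.com',                          # assumption: your AD domain
    [string]$GpoGuid = '{00000000-0000-0000-0000-000000000000}',    # assumption: GUID of the GPO that carried the advanced audit policy
    [switch]$ResetToNotDefined                                      # afterwards, delete the DWORD so the policy returns to "not defined"
)

$ErrorActionPreference = 'Stop'
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 2008 R2 ships with PowerShell 2.0, which has no '#Requires -RunAsAdministrator', so check explicitly.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated PowerShell session.'
}

# Step 1: clear any locally set (advanced) audit policy. /y suppresses the confirmation prompt.
auditpol /clear /y | Out-Null

# Step 2: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override
# audit policy category settings" = Disabled. This is the registry value the answer sets by hand.
Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 0 -Type DWord

# Step 3: delete audit.csv from SYSVOL (domain policy) and from both local policy locations.
# Some local copies are hidden, hence -Force on Get-ChildItem and Remove-Item.
$auditCsvDirs = @(
    "\\$Domain\SYSVOL\$Domain\Policies\$GpoGuid\Machine\Microsoft\Windows NT\Audit",
    "$env:SystemRoot\security\audit",
    "$env:SystemRoot\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit"
)
foreach ($dir in $auditCsvDirs) {
    if (Test-Path -LiteralPath $dir) {
        Get-ChildItem -LiteralPath $dir -Filter 'audit.csv' -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                Write-Host "Deleting $($_.FullName)"
                Remove-Item -LiteralPath $_.FullName -Force
            }
    } else {
        Write-Host "Not present, skipping: $dir"
    }
}

# Step 4: re-apply policy so the legacy (category) audit settings come back.
gpupdate /force | Out-Null

# Step 5: verify. Once the advanced policy is gone, the subcategories mirror the legacy
# categories again, so the report should show Success/Failure rather than "No Auditing" everywhere.
$report = auditpol /get /category:*
$report
if (-not ($report | Select-String -Pattern 'Success|Failure' -Quiet)) {
    Write-Warning ('auditpol still reports no auditing. Check that the GPO no longer carries advanced ' +
                   'audit settings and that Local Policies > Audit Policy categories are defined.')
}

# Optional: return the override policy to "not defined" so a future, deliberate move to
# Advanced Audit Policy via GPO is not blocked on this machine.
if ($ResetToNotDefined) {
    Remove-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
}
```

Run it first without `-ResetToNotDefined` and confirm the `auditpol` report shows your category settings again; only then run it a second time with the switch (or just delete the DWORD by hand) so the machine is back to "not defined" for the day you roll out Advanced Audit Policy properly.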