Windows 10 Auditing Features
Introduction
"At 7:04am on July 22nd, our bad actor successfully obtained access to the user's workstation. At 7:06am, they attempted to install malicious programs but were unsuccessful."
This is a dramatization of the Lessons Learned documents organizations release after a breach or attempted breach. It always says how much or how little information they have about what happened. The amount of information they have usually isn’t because the investigator is Sherlock Holmes, but rather because of Auditing and Logging options that were enabled long before the event happened. It's difficult to page through endless lines of events, but through the use of aggregators and filters, we can narrow down the list to what we actually need.
Learn Windows 10 Host Security
Microsoft has really ramped up the level to which various elements of Windows can be logged over the past few generations. As a result, Windows 10 has an enormous selection of values that can be monitored and recorded. We're briefly going to go over these options here, with more detail available via the links below.
If you're checking logs on a large scale, remember that tuning your aggregation is just as important as pulling information in the first place. The idea is to get the best possible signal/noise ratio you can so that you aren't storing data needlessly or missing logs that you actually require.
Auditing Windows 10 system logs
System logs are your bread and butter when it comes to figuring out what happened with applications and the OS as a whole. Accessing system logs in their basic form is extremely straightforward on nearly all generations of Windows systems.
To start with, right-click on your Start Menu and select Computer Management.
As a rule, Computer Management really does what it says on the box — it’s almost a one-stop shop for managing your local computer. Once you're in here, you're going to want to drill down through the Event Viewer option, continue on through Windows Logs and select System.
The exact number of records shown will depend on how large you allow the log to become. To check your values, right-click on System and select Properties.
If this is a system that you want to keep the records for as long as possible, you're going to want to adjust these settings as needed.
Auditing Windows 10 security logs
While the system log is normally reserved for information related to the health and well-being of your local system, the security log references logon/logoff events along with the use of privileges. If you want to find out if somebody is trying hard to get into your system — this is going to be the place you'll find it.
By default, security logs only record a limited selection of events, just because of the sheer number that happen on a daily basis. If we want to add on to these events, we’re going to need to go through the Local Security Policy.
To access this, you’re going to want to left-click on Start and type in "Local Security Policy".
Drill down through Local Policies and select Audit Policy.
On the right side of the screen, you’ll see a number of options available related to logon and privilege use. Double-clicking on any of these will bring up options to log success and/or failure events.
Once we have this set up, we can go check out the Security Log. While we can still access it through Computer Management, we can also get there a number of other ways. This time, click on Windows Key + R and enter "eventvwr.msc."
This will take you directly to the Event Viewer, which is still in a very similar interface to the one in Computer Management. Be ready for a very extensive log, as security events happen constantly.
Using disk quotas in Windows 10
Storage space is cheaper now than it has ever been, but that doesn't mean that we want the space that should be used for critical documents to be filled up with 14 copies of “The Matrix Revolutions” from the same user instead.
Disk quotas essentially carve out a section of disk for each user and say that they can use X number of megabytes and no more. This can be extremely useful when a system is shared by a number of users and they all save to local disk.
To activate disk quotas on Windows 10, we'll first want to click on File Explorer. Once at the This PC screen, right-click on the drive that you wish to Enable or Manage Quotas on and select Properties. You'll then want to select the Quota tab and click on Show Quota Settings.
You can then set a particular value that will limit all users on that system, on that drive (this is important) to a specified threshold. We can also enable a warning threshold so that users are not immediately surprised to learn that they can't add anything else until they get rid of something. Most important, however, we can log this information; if there is someone that is continually running up against the limit, we can find out what they need the space for and adjust as necessary.
Learn Windows 10 Host Security
Conclusion
Out of the box, Windows 10 has a wide variety of tools to help manage and oversee the health and safety of your computer system. However, they can be adjusted to be much more powerful depending on your needs.
Sources
- Top 11 Windows Audit Policy Best Practices, Active Directory Pro
- Best new Windows 10 security features: Longer support, easier deployment, CSO
- Security auditing, Microsoft
- Audit Policies and Event Viewer, Ultimate Windows Security
- Enable Quota Management for Hard Disk in Windows 10, iSunshare
- Enabling the System Event Audit Log, TechNet