Teleport Workload Identity with SPIFFE: Achieving Zero Trust in Modern Infrastructure
May 23
Virtual
Register Today
Support
LOG IN
Teleport logoTry For Free
Contact SalesTry for Free
Support
LOG IN
Home > Teleport Academy > Compliance & Audit

OS Default Logging with Windows

Posted 26th Jan 2023 by Kenny DuMez
What is Secretless (Passwordless) Authentication?
What are Access Requests?
What is Authorization?
What are Ephemeral Privileges?
What is Just-In-Time (JIT) access?
Principle of Least Privilege: What It Is & How to Implement It
What is RBAC?
Configure RBAC for Kubernetes EKS
RBAC for Google Cloud Kubernetes Engine (GCP GKE)
What is ABAC?
What is MAC (Mandatory Access Control)?
What is OAuth 2.0 (Open Authorization)?
What is FIDO (Fast IDentity Online)?
What is U2F (Universal 2nd Factor)?
What is WebAuthn?
What is OIDC (Open ID Connect)?
What Is SAML (Security Assertion Markup Language)?
The Failures of Shared Secrets and How We Can Replace Them
How to Configure Single Sign-On (SSO) for Accessing AWS EKS Clusters
Just-in-Time Access for Amazon EKS
Authenticating GCP GKE with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with GitHub SSO
Authenticating Azure AKS Kubernetes Clusters with GitHub SSO
Authenticating Google Kubernetes Engine Clusters with Okta SSO
Authenticating AWS EKS Kubernetes Clusters with Okta SSO
Authenticating Azure AKS Kubernetes Clusters with Okta SSO
Configuring Okta as an Identity Provider for Kubernetes Clusters
Azure AKS RBAC

No matter the size of your company or the size of your engineering team, it is always important to maintain visibility into what’s happening in your infrastructure. As your company grows, however, and you start to need to meet compliance standards like the SOC2 and FedRAMP frameworks, keeping detailed, specific audit logs becomes a must-have. The first step in implementing good audit practices is to start with what the Operating System (OS) gives you. Let’s take a look at some best practices for the OS native audit logging present for the Windows operating system.

Log events

There are many different kinds of logging events that can be recorded on a Windows operating system. Understanding the differences between them and which you need to pay attention to can be a daunting task. Luckily Microsoft provides an in-depth guide to event log configuration in their online documentation.

General best practices

  • Capture audit logging on both workstations AND servers.
    • Attacks often occur on workstations first which malicious actors then use to pivot to server access or domain controllers.
    • Workstations audit logs often offer the earliest sign that something is wrong
  • Balance performance and audit granularity.
    • It is important to know that more granular audit logs will impact performance on both servers and individual workstations so it is important to run performance tests after you change logging settings
    • Don’t compromise on security to enhance performance but also avoid capturing extraneous log data noise.
  • Use Advanced Audit Policy Configuration when possible.
    • Advanced audit policy located under `Security Settings\Advanced Audit Policy Configuration` will give you a lot more options over log level, allowing you to avoid noise.
    • Do not combine basic policy settings with advanced ones. Basic policy settings are found under `Security Settings\Local Policies\Audit Policy`. According to Microsoft this can produce “unexpected results” as the two levels of settings override each other.
  • Centralize your logs.
    • Use an external tool, SIEM, or service to extricate all of your logs to a central location. This helps you better format them, organize them and store them for longer-term record keeping.
    • Typically logs on the Windows machine themselves are only meant for short-term retention and will quickly be overwritten.
    • Configure your event log size and retention settings to match the needs of your individual setup.

Viewing the security event log

Each event will be recorded to the security log according to the audit policies you have in place.

In order to view the security log:

  1. Open the Event Viewer
    1. Press [⊞ Win + R] to open the run dialog box
    2. Type in `eventvwr` and select `OK`
  2. Next in the side panel expand Windows Logs then click Security.
    1. This will list all individual security events
  3. For more details on each event, click the event

This will help you get a sense of what is being recorded currently on your system.

Staying alert

Overall if you follow the above guidelines as well as the specific logging policy implementations Microsoft provides, you will have much deeper insight into your Windows infrastructure.

This is only the first step however in maintaining a secure and compliant network. A good third-party SIEM tool like Splunk or Datadog in conjunction with a Zero-Trust Identity-Native Infrastructure Access platform like Teleport will help you take that extra step to reach your compliance and security goals. Teleport provides audit logs and session playback for Windows RDP sessions. You can try Teleport for free today.

What is Secretless (Passwordless) Authentication?
What are Access Requests?
What is Authorization?
What are Ephemeral Privileges?
What is Just-In-Time (JIT) access?
Principle of Least Privilege: What It Is & How to Implement It
What is RBAC?
Configure RBAC for Kubernetes EKS
RBAC for Google Cloud Kubernetes Engine (GCP GKE)
What is ABAC?
What is MAC (Mandatory Access Control)?
What is OAuth 2.0 (Open Authorization)?
What is FIDO (Fast IDentity Online)?
What is U2F (Universal 2nd Factor)?
What is WebAuthn?
What is OIDC (Open ID Connect)?
What Is SAML (Security Assertion Markup Language)?
The Failures of Shared Secrets and How We Can Replace Them
How to Configure Single Sign-On (SSO) for Accessing AWS EKS Clusters
Just-in-Time Access for Amazon EKS
Authenticating GCP GKE with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with Google Workspace SSO
Authenticating AWS EKS Kubernetes Clusters with GitHub SSO
Authenticating Azure AKS Kubernetes Clusters with GitHub SSO
Authenticating Google Kubernetes Engine Clusters with Okta SSO
Authenticating AWS EKS Kubernetes Clusters with Okta SSO
Authenticating Azure AKS Kubernetes Clusters with Okta SSO
Configuring Okta as an Identity Provider for Kubernetes Clusters
Azure AKS RBAC
Background image

Teleport Enterprise

Protect your infrastructure with essential security & compliance capabilities