Basically, the audit policy defines which information and activities are recorded in the Security log of the Windows OS [Vista/7/8/10 and Server 2008, 2012, 2016, including the R2 versions]. It is split into several categories, and the events it produces are very important data for IT.
With the “auditpol” Windows command you can clear tracks, display the current policies, back them up to a file, restore them from a file, etc.
Usage: AuditPol command [<sub-command><options>]
Commands (only one command permitted per execution)
/? Help (context-sensitive)
/get Displays the current audit policy.
/set Sets the audit policy.
/list Displays selectable policy elements.
/backup Saves the audit policy to a file.
/restore Restores the audit policy from a file.
/clear Clears the audit policy.
/remove Removes the per-user audit policy for a user account.
/resourceSACL Configure global resource SACLs
How to enable it?
Go to Start, type “Local Security Policy”, then open “Local Policies” > “Security Options”. In the right-hand pane select the following policy and enable it:
- Audit: Force audit policy subcategory settings…
How to use it?
Open the Windows command prompt (cmd), preferably as administrator, type auditpol and press Enter. You will see the menu shown above. Pick the command you want to run; whenever you are not sure what comes next or want to see the available options, append /? to display that information, for example:
C:\Users\Administrator>auditpol /get /?
So, with that command you can see the available options for the /get command.
- How to display the current audit policies?
C:\Users\Administrator>auditpol /get /category:*
“You will get all the current audit policy categories, their specific subcategories and their settings [success/failure] for the device.”
- How to back up the current audit policies to a file?
C:\Users\Administrator>auditpol /backup /file:c:\auditpolicy.txt
“You can take a backup of the current audit policies and save the file to any path on the Windows host. This example saves the file to C:\ as a plain-text file [.txt]; you can also create [.csv] files.”
- How to clear tracks?
“You can clear the audit policies, but what does clearing the policies mean? Basically, you reset the current configuration from “auditing [success/failure]” to “no auditing”, so no activity on the host will be tracked in the Security log.”
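As an added example from the defender's side (not part of the original post), the PowerShell below uses the same auditpol /get and backup ideas to keep a baseline of the effective policy and to notice when subcategories have been flipped to “no auditing” or the policy has been cleared. The baseline path is an assumption; the Security log IDs used are the standard ones: 4719 “System audit policy was changed” and 1102 “The audit log was cleared”.

```powershell
# Added example, not from the original post. Assumed baseline location:
$BaselinePath = 'C:\auditpol-baseline.csv'

function Get-AuditPolicySnapshot {
    # "auditpol /get /category:* /r" prints the effective policy as CSV,
    # one row per subcategory; ConvertFrom-Csv turns each row into an object.
    auditpol /get /category:* /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

function Save-AuditPolicyBaseline {
    # Run once on a known-good host and keep the file somewhere the host
    # itself cannot overwrite (e.g. copied off to a collector).
    Get-AuditPolicySnapshot | Export-Csv -Path $BaselinePath -NoTypeInformation
}

function Compare-AuditPolicyToBaseline {
    # Returns the subcategories whose live setting differs from the baseline.
    # After "auditpol /clear" every row comes back as "No Auditing", so the
    # whole table shows up here.
    $baseline = Import-Csv -Path $BaselinePath
    $current  = Get-AuditPolicySnapshot
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current `
        -Property Subcategory, 'Inclusion Setting' -PassThru |
        Where-Object SideIndicator -eq '=>' |      # '=>' = value seen on the live host
        Select-Object Subcategory, 'Inclusion Setting'
}

function Get-AuditPolicyChangeEvents {
    param([int]$Hours = 24)
    # 4719: System audit policy was changed (logged when auditpol /set or /clear
    # takes effect). 1102: the Security log itself was cleared.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4719, 1102
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0].Trim() } }
}

# Typical use: Save-AuditPolicyBaseline once, then schedule
# Compare-AuditPolicyToBaseline and Get-AuditPolicyChangeEvents.
```

Both the drift table and the 4719/1102 events are only as good as the log's retention and forwarding; a copy of the baseline and the events should live off the host being watched.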