The Bureau Windows Technical Support Team (BWTST) recently discovered that some Advanced Audit Policy Configuration settings defined in the DI – DOI Windows Server 2016 Computer Policy v2.0 STIG are not applying correctly to some Windows Server 2016 servers. The issue appears to be occurring mainly on 2016 servers that were joined to the domain prior to August 29, 2018.
System Administrators should follow the steps below to verify, and if necessary correct, the Advanced Audit Policy Configuration on each 2016 server they manage.
1) From an administrative command prompt, run auditpol /get /category:*
2) If the audit subcategory settings match those listed in the table below, no further action is required. If any do not, then continue on to step 3. Note: All other subcategories are set to “No Auditing.”
| Audit Subcategory | Setting |
|---|---|
| Security System Extension | Success and Failure |
| System Integrity | Success and Failure |
| IPsec Driver | Success and Failure |
| Other System Events | Success and Failure |
| Security State Change | Success |
| Logon | Success and Failure |
| Logoff | Success |
| Account Lockout | Success and Failure |
| Special Logon | Success |
| Group Membership | Success |
| Removable Storage | Success and Failure |
| Sensitive Privilege Use | Success and Failure |
| Process Creation | Success |
| Plug and Play Events | Success |
| Audit Policy Change | Success and Failure |
| Authentication Policy Change | Success |
| Authorization Policy Change | Success |
| Security Group Management | Success and Failure |
| Other Account Management Events | Success and Failure |
| User Account Management | Success and Failure |
| Credential Validation | Success and Failure |
3) If the settings do not match those in the table above, go to C:\Windows\security\audit and delete the "audit.csv" file, if it exists.
4) From an administrative command prompt, run auditpol /restore /file:"\\gs.doi.net\SYSVOL\gs.doi.net\Policies\{073635DB-4AAE-48D4-966A-C32786F928B0}\Machine\microsoft\windows nt\Audit\audit.csv"
5) Run auditpol /get /category:* once again to confirm the audit settings match those in the table above.