Advanced Audit Policy Configuration Precedence

The group policy object (GPO) that Tenable Identity Exposure creates to enable logging of the required events is linked to the Domain Controllers organizational unit (OU) with Enforced mode enabled.

This gives the GPO a high priority, but an enforced GPO configured at a higher level (such as domain or site) takes precedence over it.

If a higher-priority GPO that defines Advanced Audit Policy Configuration settings conflicts with Tenable Identity Exposure’s needs, it takes precedence and Tenable Identity Exposure misses events that it requires for attack detection.

Since Windows merges Advanced Audit Policy Configuration settings defined by GPOs, different GPOs can define different settings.

However, for each individual setting, Windows uses only the value defined by the GPO with the higher precedence. For example, Tenable Identity Exposure needs the Success and Failure value for the Audit Credential Validation setting. If a GPO with higher precedence defines only Success for Audit Credential Validation, then Windows collects only Success events and Tenable Identity Exposure misses the required Failure events.

To check for GPO precedence:

  1. In the command-line interface, run the following command on a domain controller.

    It outputs the effective Advanced Audit Policy Configuration after considering all GPOs and precedence.

    auditpol.exe /get /category:*
  2. Compare the output with the Tenable Identity Exposure advanced audit policy requirements. For each setting that Tenable Identity Exposure requires, check that the effective policy also covers it.

    • It is not an issue if the effective policy is more exhaustive, such as when Tenable Identity Exposure needs "Success" or "Failure" and the setting is "Success and Failure".

    • If the effective policy is insufficient, it means that a GPO with a higher precedence defines conflicting settings.
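
The comparison in step 2 can be scripted. The following PowerShell is an added example, not part of the Tenable documentation: it parses the CSV report form of the same command (auditpol's /r switch) and lists, for each required subcategory, which of Success and Failure the effective policy lacks. The machine name, placeholder GUIDs and sample rows are constructed, and the requirements table contains only the one requirement named on this page plus one constructed entry.

```powershell
# Requirements to verify. Only 'Credential Validation' comes from this page;
# the Kerberos entry is a constructed illustration, not Tenable's stated need.
# Fill the table from the Tenable Identity Exposure requirements list.
$Required = @{
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success'   # constructed
}

# Constructed sample of the CSV report. On a domain controller use instead:
#   $csv = auditpol.exe /get /category:* /r
$csv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Credential Validation,{00000000-0000-0000-0000-000000000001},Success,
DC01,System,Kerberos Authentication Service,{00000000-0000-0000-0000-000000000002},Success and Failure,
'@

function ConvertTo-AuditFlags([string]$Setting) {
    # Turn auditpol's text into flags so coverage becomes a subset test.
    # Assumes English output; auditpol localizes these strings.
    $flags = @()
    if ($Setting -match 'Success') { $flags += 'Success' }
    if ($Setting -match 'Failure') { $flags += 'Failure' }
    return ,$flags
}

function Test-AuditCoverage($CsvText, [hashtable]$Required) {
    $effective = @{}
    $CsvText | Where-Object { $_ } | ConvertFrom-Csv | ForEach-Object {
        $effective[$_.Subcategory] = $_.'Inclusion Setting'
    }
    foreach ($name in $Required.Keys) {
        $have    = ConvertTo-AuditFlags $effective[$name]
        $need    = ConvertTo-AuditFlags $Required[$name]
        $missing = @($need | Where-Object { $_ -notin $have })
        [pscustomobject]@{
            Subcategory = $name
            Required    = $Required[$name]
            Effective   = if ($effective.ContainsKey($name)) { $effective[$name] } else { '(not reported)' }
            Missing     = $missing -join ', '
            Covered     = ($missing.Count -eq 0)
        }
    }
}

Test-AuditCoverage $csv $Required | Format-Table -AutoSize
```

With the constructed sample, Credential Validation is reported as not covered (Failure missing), while the Kerberos row is covered because the effective policy is more exhaustive than the requirement.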

To fix the GPO precedence:

  1. Look for GPOs linked to higher levels (domain or site) in "enforced" mode that define the Advanced Audit Policy Configuration.

  2. In the command-line interface, run the following command on a domain controller to pinpoint the winning GPO:

    gpresult /scope:computer /h gpo.html
  3. Modify the corresponding Advanced Audit Policy Configuration setting in the GPO to meet Tenable Identity Exposure's minimum requirements. For example:

    • If Tenable Identity Exposure requires "Success" and the higher priority GPO defines "Failure," then modify the setting to "Success and Failure."

    • If Tenable Identity Exposure requires "Success and Failure" and the higher priority GPO defines "Success," then modify the setting to "Success and Failure."

  4. After you modify the setting, you can either wait for the updated GPO to apply or force it with the gpupdate command.

  5. Repeat the procedure "To check for GPO precedence" to check the new effective policy.