Generate Security Audits

By default, Windows systems allow processes running under the Local Service and Network Service accounts to generate entries in the security event log. These accounts are used by services that need fewer privileges and logon rights on the local system and, in the case of Network Service, access to network resources.

The Windows security event log can help you trace malicious activity such as unauthorised system access. The Generate security audits Group Policy setting allows you to determine which accounts can be used by a process to add entries to the security log. However, note that misuse of this user right can result in the generation of many auditing events, potentially hiding evidence of an attack or causing a denial of service.

  1. To configure this policy setting for Windows 7 computers, open the Local Group Policy Editor snap-in by typing gpedit.msc in the Start search text box and pressing Enter.
  2. Go to the Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment node.
  3. Double-click Generate security audits under Policy in the right-hand pane.
  4. Add the specific user or group account that you want to monitor through the Add User or Group… button and respective snap-in.
  5. Click OK twice.

Note that adding many accounts can be counter-productive, as it could lead to the generation of many auditing events. Make sure to keep the security log manageable!
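
To review the setting without opening the editor, the following added example (not part of the original page) parses a secedit user-rights export and lists the holders of SeAuditPrivilege, the internal name of Generate security audits, marking any that fall outside an assumed baseline of Local Service and Network Service. The function names, the baseline and the sample SID are assumptions made for this illustration.

```powershell
# Added example: report which accounts hold "Generate security audits" (SeAuditPrivilege).
# Assumed baseline: only Local Service (S-1-5-19) and Network Service (S-1-5-20).
$Baseline = @('S-1-5-19', 'S-1-5-20')

function Get-AuditRightHolders {
    param([string[]]$InfLines)
    # secedit writes user rights as: SeAuditPrivilege = *S-1-5-19,*S-1-5-20
    $line = $InfLines | Where-Object { $_ -match '^\s*SeAuditPrivilege\s*=' } | Select-Object -First 1
    if (-not $line) { return @() }   # right is assigned to nobody
    ($line -split '=', 2)[1] -split ',' |
        ForEach-Object { $_.Trim().TrimStart('*') } |
        Where-Object { $_ }
}

function Resolve-Holder {
    param([string]$Entry)
    # Entries are SIDs (prefixed with * in the export) or plain account names.
    if ($Entry -notmatch '^S-1-') { return $Entry }
    try {
        ([System.Security.Principal.SecurityIdentifier]$Entry).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { '<unresolved SID>' }   # deleted account, foreign domain, or non-Windows host
}

function Test-AuditRight {
    param([string[]]$InfLines, [string[]]$Allowed = $Baseline)
    foreach ($h in Get-AuditRightHolders -InfLines $InfLines) {
        [pscustomobject]@{
            Holder   = $h
            Account  = Resolve-Holder $h
            Expected = $Allowed -contains $h
        }
    }
}

# Constructed sample export (the -1001 SID is made up) so the parser can be tried offline.
$sample = @(
    '[Privilege Rights]',
    'SeAuditPrivilege = *S-1-5-19,*S-1-5-20,*S-1-5-21-1111111111-2222222222-3333333333-1001'
)
Test-AuditRight -InfLines $sample | Format-Table -AutoSize

# On a live system (elevated prompt): export the user rights area and list unexpected holders.
# $cfg = Join-Path $env:TEMP 'user_rights.inf'
# secedit /export /areas USER_RIGHTS /cfg $cfg | Out-Null
# Test-AuditRight -InfLines (Get-Content $cfg) | Where-Object { -not $_.Expected }
```

Any row with Expected set to False is an account that was added beyond the two defaults and should be traceable to a documented reason.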