Windows Server Audit Policy Reset

I run across a very strange issue a few days ago and I feel that I should share it with you since it took me some time to figure it out!

Some Exchange servers had stopped recording events in the Security log. The first thing that crossed my mind was to check the latest event in the Security log that would probably be the event regarding the audit policy change. I was correct, there were many events with id 4719 that showed that the policy had been changed. The next step would be to update the policy in order to enable auditing.

There were servers that had auditing configured according the security baseline so I backed up the auditing configuration from one of them using the command:

auditpol /backup /file:C:\Temp\Audit.txt

Next I copied the file to the server with the issue and used the command:

auditpol /restore /file:C:\Temp\Audit.txt

to restore the settings. The command completed successfully and it was time to check the new auditing settings. For this I used the command: 

auditpol /get /category:*

Events had started to appear on the security log and everything seemed to be fine. After a few minutes the events had stopped on the security log and after I checked the auditing configuration all settings were set to disabled.

This led me to believe that there's a GPO configured that disables auditing. This was a longshot however since not all exchange servers were affected by this issue. I checked all the GPOs that had been applied to the affected servers but none of them had anything close to auditing settings.

A few bing searches later, I've come across an article that explained that when Advanced Audit Policy Configurations have been configured on a system, they overwrite the standard Audit Policies!

This didn't seem to be that case since there were no Advanced Audit Policies configured. This does not mean though that Advanced Audit Policies have never been set...

The server had been stuck in a state where it though that it had to apply Advanced Audit Policies event though it didn't this led to standard policies being disabled.

In order to resolve the issue, I renamed the following files on the server:
    In case of local advanced audit policy configurations
  • C:\Windows\Security\Audit\Audit.csv
  • C:\Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv
   In case of advanced audit policy configuration applies using GPO
  • SYSVOL\Domain\Policies\{GPO GUID}\Machine\Microsoft\Windows NT\Audit\Audit.csv
If those files contain only the headers of the columns, it pretty sure renaming them will solve the issue!


Popular posts from this blog

Domain Controller Machine Password Reset

Image
On my lab environment, I've configured two Active Directory sites since most enterprises have offices in more that one places. My lab however is not running 24/7 and the domain controllers in the second site are rarely turned on in order to save resources. This leads to issues with the Active Directory replication such as the "The target principal name is incorrect" error when I execute:  repadmin /syncall /AdeP. To remedy the issue, we have to reset the machine password of the domain controller that has been offline. First off, we are going to stop and disable the Kerberos Key Distribution Center (kdc) service on the problematic domain controller, in our case DC4. There may be some tickets in the cache so we should also clear them using klist purge Now it's time to change the machine password of the domain controller using the command netdom resetpwd /s:dc3 /ud:lab\administrator /pd:* Replace the "lab\administrator" with an account on your
Keep reading

Configuring a Certificate on Exchange Receive Connector

Today's article is about configuring Exchange receive connectors with specific certificates. Out of the box, Exchange uses self signed certificates to provide TLS secured mail flow. This will definitely be an issue if you expose the SMTP protocol to client computers since they won't trust the certificate. In this article we are going to configure a certificate that was issued by a third part authority to the Client Frontend receive connector. We'll start with getting the thumbprint of the certificate using the Get-ExchangeCertificate cmdlet: [PS] C:\> Get-ExchangeCertificate Thumbprint                               Subject ----------                               ------- 241B864DC82C664FECBA18B8D54987AAFB65B4C2 CN=*.lab.com, ... D4D210886B34E690191A1F008C78FDD0E7325DD4 CN=Exchange2013A 960171662EB261162F9C8CBE12E0B75D6F06ABB0 CN=Microsoft Exchange Server Auth Certificate 2690324B827A9F2B75D59104F81CAAA57CDD627B CN=WMSvc-Exchange2013A [PS]
Keep reading

Running Multiple NGINX Ingress Controllers in AKS

Image
In some of the previous articles of this blog, we went through the process of installing NGINX as the Ingress Controller in AKS clusters. Either for applications that should be available directly from the public internet, or for applications that should only be accessed from networks considered internal. In the majority of the cases, however, and given that an AKS cluster is an environment that is designed to host multiple applications and provide economy at scale, additional ingress controllers may be required. In this post, we're going to go through the process of deploying an additional NGINX ingress controller that is going to be used for internal applications. The below diagram depicts the desired outcome: The Angular application is published via the public NGINX through the Azure Load Balancer that has been assigned a public IP. The .NET app is published by a different set of NGINX pods that are deployed in a different namespace and their ingress controller service is connect
Keep reading