Exactly which settings need to be enabled for the audit (logging) policy on Windows systems in order to meet the intent of PCI DSS requirements 10.2.x? Understanding the individual event IDs associated with each Windows audit policy is the first step in answering this question. After a bit of digging (thank goodness for Google) I found the answer. Both of the following Microsoft articles provide great information on the details of each event ID and how you can align them with the PCI requirements for auditing:

Windows 2003 – http://technet.microsoft.com/en-us/library/cc163121.aspx#EKH

Windows 2008 – http://support.microsoft.com/default.aspx?scid=kb;EN-US;947226

If reading these articles doesn’t quite excite you, well, here is the quick answer to which audit policies to enable:

  • Account Logon – Success and Failure
  • Account Management – Success and Failure
  • Logon Events – Success and Failure
  • Object Access – No Auditing
  • Policy Change – Success and Failure
  • Privilege Use – No Auditing
  • Process Tracking – No Auditing
  • System Events – Success and Failure

Account Management provides a wealth of information, including password changes, creation of a new user account and changes to group membership (e.g. additions to the Domain Admins group).

Object Access auditing is just that: logging when a user accesses an object such as a file, directory or registry key. However, enabling this policy alone will not generate events. A SACL (System Access Control List) has to be specified on each object of interest in addition to enabling the audit policy before any access events are written. In my opinion, a File Integrity Monitoring (FIM) solution is better suited to log and track “object access”.

Don’t be deceived by “Privilege Use” auditing: it adds minimal value, and enabling this policy quickly fills up the audit logs.

Process Tracking is typically used for debugging purposes and logging of this type of activity is not required for day to day business purposes.
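The settings above applied and verified from the command line, as an added example that is not part of the original post. It uses auditpol.exe, so the legacy policy names in the list are mapped to the auditpol category names (Logon Events is Logon/Logoff, Process Tracking is Detailed Tracking, System Events is System); it assumes an elevated PowerShell session on Windows Server 2008 or later, and that no Group Policy object overrides the local audit policy.

```powershell
# Added example, not code from the original post: apply the recommended audit
# policy with auditpol.exe and then report any subcategory that does not match.
# Assumptions: elevated PowerShell on Windows Server 2008 or later, and the
# local policy is not being overridden by a GPO.

# Post's legacy policy names mapped to auditpol category names, with the
# Success/Failure setting the post recommends for each.
$PciAuditPolicy = @(
    @{ Legacy = 'Account Logon';      Category = 'Account Logon';      Success = $true;  Failure = $true  }
    @{ Legacy = 'Account Management'; Category = 'Account Management'; Success = $true;  Failure = $true  }
    @{ Legacy = 'Logon Events';       Category = 'Logon/Logoff';       Success = $true;  Failure = $true  }
    @{ Legacy = 'Object Access';      Category = 'Object Access';      Success = $false; Failure = $false }
    @{ Legacy = 'Policy Change';      Category = 'Policy Change';      Success = $true;  Failure = $true  }
    @{ Legacy = 'Privilege Use';      Category = 'Privilege Use';      Success = $false; Failure = $false }
    @{ Legacy = 'Process Tracking';   Category = 'Detailed Tracking';  Success = $false; Failure = $false }
    @{ Legacy = 'System Events';      Category = 'System';             Success = $true;  Failure = $true  }
)

# The string auditpol prints for a given Success/Failure combination.
function Get-ExpectedSetting([bool]$Success, [bool]$Failure) {
    if ($Success -and $Failure) { 'Success and Failure' }
    elseif ($Success)           { 'Success' }
    elseif ($Failure)           { 'Failure' }
    else                        { 'No Auditing' }
}

function Set-PciAuditPolicy {
    foreach ($p in $PciAuditPolicy) {
        $s = if ($p.Success) { 'enable' } else { 'disable' }
        $f = if ($p.Failure) { 'enable' } else { 'disable' }
        # A category-level /set applies to every subcategory under that category.
        & auditpol.exe /set /category:"$($p.Category)" /success:$s /failure:$f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($p.Category)'" }
    }
}

# Returns one object per subcategory whose effective setting differs from the post's list.
function Test-PciAuditPolicy {
    foreach ($p in $PciAuditPolicy) {
        $expected = Get-ExpectedSetting $p.Success $p.Failure
        # /r emits CSV with 'Subcategory' and 'Inclusion Setting' columns.
        & auditpol.exe /get /category:"$($p.Category)" /r | ConvertFrom-Csv |
            Where-Object { $_.'Inclusion Setting' -ne $expected } |
            ForEach-Object {
                [pscustomobject]@{ Policy = $p.Legacy; Subcategory = $_.Subcategory
                                   Expected = $expected; Actual = $_.'Inclusion Setting' }
            }
    }
}

Set-PciAuditPolicy
$drift = @(Test-PciAuditPolicy)
if ($drift.Count) { $drift | Format-Table -AutoSize } else { 'Audit policy matches the recommended settings.' }
```

Running only Test-PciAuditPolicy is useful on its own as a read-only check on in-scope systems; any row it returns is a subcategory that has drifted from the list above.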

But don’t forget requirement 10.5.3 – sending audit logs to a centralized log server.

Shelina Samji, PCI QSA
Senior Consultant, PCI Compliance Services

HALOCK is headquartered in Schaumburg, IL, in the Chicago area and advises clients on information security and conducts PCI preparedness assessment, scoping, remediation, validation, and compliance maintenance services throughout the US.
