I have spoken about things like Attack Surface Reduction (ASR) for Windows 10 and how easy they are to implement to improve the security of Windows 10:
Attack surface reduction for Windows 10
Another very important aspect of securing Windows 10 environments is to ensure that the audit policy settings are appropriate to capture the right information to help with any investigation. To that end, I have a free scripts available at:
https://github.com/directorcia/Office365/blob/master/win10-audit-get.ps1
which will show you the current audit policy settings in your environment like so:
As you can see from the above screen gab, many audit settings are not enabled out of the box. Please note, you’ll need to run the script as an administrator for it be able to report the audit policy settings.
You’ll find the best practice recommendations for audit policy settings from Microsoft:
and government departments like the Australian Cyber Security Center:
Hardening Microsoft Windows 10 version 1909 Workstations
Look for the section heading – Audit Event management in the above page.
As always, there are number of different ways to enable these best practice audit policy settings on your Windows 10 devices. To my mind using Microsoft Endpoint Manager that comes with offerings like Microsoft 365 Business Premium is the easiest.
And the quickest way to do this inside Microsoft Endpoint Manager is simply to apply the Windows 10 Security Baseline policies as shown above. To read more about this capability visit:
Use security baselines to configure Windows 10 devices in Intune
In fact, the results from my script are based on the settings found in the Windows 10 Security Baseline policy.
To read more about these security audit policies for Windows 10 I encourage you to take a look at:
Advanced security audit policy settings
and remember, you can configure these settings at the command line if you need to using the:
command, which is exactly what I used in my script to extract the current settings. However, deploying them using Microsoft Manager for Endpoint and baseline policies is going to be far easier across a fleet of devices.
CIAOPS 