Automated Audit Policy batch script

Yes, I’m still blogging.. :)

I shifted to a new company with a rather different job scope, but still in the same field. Currently I'm doing some projects on SIEM, which is actually a very tedious one. To make things short: turning on the local security policy (Local Policies -> Audit Policy) on a single Windows server is easy. Just navigate to the audit policy and choose either 'Success' or 'Failure' for each audit.

Automated things:
Doing this on a few hundred Windows server machines (both within AD and not) can drive you crazy. I know there is a method to push settings/configuration/etc. using SCCM, but as far as I know, it requires the machines to be joined to AD.

One method that makes it possible to execute the batch script on hundreds of machines is to use PsExec from Sysinternals. An example invocation looks like this:

psexec @Host-List.txt -u domain\administrator -p <password> -d -i "\\server\share\batch.cmd"

We add the hostnames/IPs to the Host-List.txt file, supply the username and password, and execute the batch script from the share server. Doing it this way, at least for me, is much easier. Any other methods/suggestions/comments are welcome! BTW, below is the simple batch script:

====================================================

@ECHO OFF
:: poorman Local Security Policy (Audit Policy) batch script
:: will enable success/failure for all audits except DS access
:: requires auditpol.exe; copy it to the host first if it is not present
:: win ver part shamelessly from Denis St-Pierre
:: tdr[dot]local[at]gmail.com
:: the script ends with PAUSE and opens secpol.msc, so run it through psexec -i (interactive)
:: %SystemRoot% is used instead of a hard-coded C:\Windows (Win 2000 installs to C:\WINNT)

VER | FINDSTR /L "5.0." > NUL:
IF %ErrorLevel% EQU 0 (
ECHO System is running Win 2000
%SystemRoot%\System32\auditpol.exe /enable /system:all /logon:all /object:all /privilege:all /process:all /policy:all /sam:all
GOTO EXEC_CMD
)

VER | FINDSTR /L "5.1." > NUL:
IF %ErrorLevel% EQU 0 (
ECHO System is running Win XP
GOTO Win_XP_2003
)

VER | FINDSTR /L "5.2." > NUL:
IF %ErrorLevel% EQU 0 (
ECHO System is running Win 2003
GOTO Win_XP_2003
)

VER | FINDSTR /L "6.0." > NUL:
IF %ErrorLevel% EQU 0 (
IF EXIST %SystemRoot%\System32\ServerManagerLauncher.exe (
ECHO System is running Win 2008 R1
GOTO Win_Vista_7_2008
) ELSE (
ECHO System is running Win Vista
GOTO Win_Vista_7_2008
)
)

VER | FINDSTR /L "6.1." > NUL:
IF %ErrorLevel% EQU 0 (
IF EXIST %SystemRoot%\System32\ServerManagerLauncher.exe (
ECHO System is running Win 2008 R2
GOTO Win_Vista_7_2008
) ELSE (
ECHO System is running Windows 7
GOTO Win_Vista_7_2008
)
)

:: no version string matched: do not fall through into the XP/2003 syntax
ECHO Unrecognised Windows version, audit policy not changed
GOTO EXEC_CMD

:Win_XP_2003
:: legacy auditpol.exe syntax (XP/2003)
%SystemRoot%\System32\auditpol.exe /enable /system:all /logon:all /object:all /privilege:all /process:all /policy:all /sam:all
GOTO EXEC_CMD

:Win_Vista_7_2008
:: Vista+ auditpol syntax; /set needs an elevated (administrator) context
%SystemRoot%\System32\auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Object Access" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Account Management" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Detailed Tracking" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"DS Access" /success:disable /failure:disable
%SystemRoot%\System32\auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Policy Change" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"Privilege Use" /success:enable /failure:enable
%SystemRoot%\System32\auditpol.exe /set /category:"System" /success:enable /failure:enable
GOTO EXEC_CMD

:EXEC_CMD
ECHO Continue with Audit Policy..
PAUSE
START %SystemRoot%\System32\secpol.msc

*Note: running the script against many destination IPs may trigger an IDS signature such as PsExec_Service_Accessed. Use with caution.
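Once the script has been pushed, it is worth checking that each host actually ended up in the intended state before trusting its events in the SIEM. The following is an added example, not part of the original post: it parses the text of `auditpol /get /category:*` (the Vista/7/2008 format, with "Success and Failure" / "No Auditing" settings) as captured from one host, and reports every subcategory that deviates from the policy the batch script sets. The `SAMPLE` output is constructed for the example.

```python
import re
# Intended end state of the batch script above: every category audits Success
# and Failure except DS Access, which the script explicitly disables.
EXPECTED = {cat: "Success and Failure" for cat in (
    "Account Logon", "Object Access", "Account Management", "Detailed Tracking",
    "Logon/Logoff", "Policy Change", "Privilege Use", "System")}
EXPECTED["DS Access"] = "No Auditing"
SETTING_RE = re.compile(r"^\s+(.+?)\s{2,}(Success and Failure|No Auditing|Success|Failure)$")

def parse_auditpol(text):
    """Parse 'auditpol /get /category:*' output into {category: {subcategory: setting}}."""
    policy, category = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        if not line.startswith(" "):            # unindented line names a category
            category = line.strip()
            continue
        m = SETTING_RE.match(line)              # indented line: subcategory + setting
        if m and category is not None:
            policy.setdefault(category, {})[m.group(1)] = m.group(2)
    return policy

def check_policy(text, expected=EXPECTED):
    """Return (category, subcategory, actual) tuples that deviate from the intended policy."""
    policy = parse_auditpol(text)
    deviations = []
    for category, wanted in expected.items():
        subs = policy.get(category)
        if not subs:                            # category absent from the capture
            deviations.append((category, "*", "missing"))
            continue
        deviations.extend((category, sub, actual)
                          for sub, actual in subs.items() if actual != wanted)
    return deviations

# Constructed sample of one host's output after a partial push (not a real capture).
SAMPLE = """System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
DS Access
  Directory Service Access                No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
"""
```

Running `check_policy` over the sample flags the Logoff subcategory (failure auditing missing), the Privilege Use subcategory that was not changed at all, and the categories absent from the capture.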

1 Comment

xanda, July 26th, 2011 at 2:27 pm

Yes, I’m still blogging..
