Create OU, GPO, Enable Logging within Windows Server

Goal

The goal of this post is to create an OU (Organizational Unit) to hold our users and computers and to link a GPO (Group Policy Object, the actual bundle of policy settings) to it. The GPO lets us enable logging on every machine in the OU at once instead of configuring each device by hand. Let's get started.

Create an OU (Organizational Unit)

First, let's create an organizational unit (OU). In Server Manager go to Tools -> Active Directory Users and Computers, right-click your domain and choose New -> Organizational Unit, then type the name you want the OU to be labeled with. I will name mine "Finance".
/images/modern_cyber_range39.png

Create GPO

Next, open Tools -> Group Policy Management, right-click Finance (the Organizational Unit) and choose "Create a GPO in this domain, and Link it here…". It will then ask you to name your GPO (Group Policy Object). I will name mine "SecurityLog".

Edit GPO

Right-click the GPO -> Edit. In the Group Policy Management Editor go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell. We are going to enable "Turn on PowerShell Script Block Logging", "Turn on Module Logging" and "Turn on PowerShell Transcription".

Let's first edit "Turn on PowerShell Script Block Logging": right-click -> Edit, and when the dialog opens click "Enabled" (leave "Log script block invocation start / stop events" unchecked unless you really need it; it is very noisy). Next, "Turn on Module Logging": same steps, but this time also click Show… and enter the names of the modules to log; "*" logs every module. Click OK. Finally, enable "Turn on PowerShell Transcription" and set a transcript output directory; point it at a central share that clients can write to but not read from or delete from, rather than leaving the per-user default, so the transcripts survive if a host is compromised. Once applied, script blocks show up in the Microsoft-Windows-PowerShell/Operational log as Event ID 4104 and module logging as Event ID 4103.

Now I am going to enable firewall logging on Windows Server 2019. Go to Tools -> Windows Defender Firewall with Advanced Security, then right-click the top node and open "Windows Defender Firewall Properties". You should see tabs for Domain Profile, Private Profile and Public Profile; I am going to configure each one. Note that this console only changes the server you are sitting on; to push the same logging settings to every computer in the OU, open the same Properties dialog inside the GPO under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Windows Defender Firewall with Advanced Security.

Domain profile:
/images/modern_cyber_range40.png
Click Customize… next to Logging.
Name: %systemroot%\system32\LogFiles\Firewall\pfirewall.log
Log dropped packets: Yes
Log successful connections: Yes
Repeat the same steps for the Private and Public profiles. The default size limit is 4,096 KB and the log rolls over when it fills, so raise the limit if you log successful connections on a busy host.
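As an added example (not part of the original post), the following script checks from a domain-joined computer in the Finance OU that the PowerShell logging settings above actually applied and that the firewall log is being written: it reads the registry values the three Administrative Template settings set, pulls recent 4103/4104 events, and tallies the most-dropped destinations from pfirewall.log. Run it from an elevated prompt after `gpupdate /force`; the 60-minute window and the top-10 cut-off are arbitrary choices.

```powershell
# Added verification example, not code from the original post.
# Assumes: run elevated on a host that received the SecurityLog GPO; default
# firewall log path; a 60-minute look-back window (arbitrary).

function Test-PowerShellLoggingPolicy {
    # These are the values the three "Turn on ..." templates write under the Policies hive.
    $base   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $checks = @{
        ScriptBlockLogging = "$base\ScriptBlockLogging|EnableScriptBlockLogging"
        ModuleLogging      = "$base\ModuleLogging|EnableModuleLogging"
        Transcription      = "$base\Transcription|EnableTranscripting"
    }
    foreach ($name in $checks.Keys) {
        $path, $value = $checks[$name] -split '\|'
        $data = (Get-ItemProperty -Path $path -Name $value -ErrorAction SilentlyContinue).$value
        [pscustomobject]@{ Setting = $name; Enabled = ($data -eq 1) }
    }
}

function Get-RecentScriptBlockEvents([int]$Minutes = 60) {
    # 4104 = script block logged, 4103 = module logging (pipeline execution) event
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4103, 4104
        StartTime = (Get-Date).AddMinutes(-$Minutes)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Snippet'; e = { ([string]$_.Message).Substring(0, [Math]::Min(80, ([string]$_.Message).Length)) } }
}

function Get-FirewallDrops {
    param([string]$LogPath = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log")
    # pfirewall.log is W3C style: comment lines start with '#', and a '#Fields:' line names
    # the space-separated columns (date time action protocol src-ip dst-ip src-port dst-port ...).
    $fields = $null
    Get-Content -Path $LogPath -ErrorAction Stop | ForEach-Object {
        if ($_ -like '#Fields:*') { $fields = ($_ -replace '^#Fields:\s*') -split '\s+'; return }
        if ($_.StartsWith('#') -or -not $fields) { return }
        $parts = $_ -split '\s+'
        $rec = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $parts.Count); $i++) { $rec[$fields[$i]] = $parts[$i] }
        [pscustomobject]$rec
    } |
        Where-Object action -eq 'DROP' |
        Group-Object protocol, 'dst-port' |
        Sort-Object Count -Descending |
        Select-Object -First 10 Count, Name
}

Test-PowerShellLoggingPolicy | Format-Table -AutoSize
Get-RecentScriptBlockEvents  | Format-Table -AutoSize
Get-FirewallDrops            | Format-Table -AutoSize
```

If `Test-PowerShellLoggingPolicy` reports everything as `False`, check `gpresult /r` to confirm the computer is actually in the OU and that the GPO link is enabled before touching the settings again.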

Then I'm going to make sure object access auditing is on. Go to Tools -> Group Policy Management, right-click the GPO you want to edit and choose Edit, then go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy. Open "Audit object access", tick "Define these policy settings" and check both "Success" and "Failure". Keep in mind that this setting only makes auditing possible: a file or registry key still produces Event ID 4663 only if its SACL lists the accesses to audit, and if Advanced Audit Policy Configuration is in use on the same computers, the advanced subcategories override these legacy categories.
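Here is the whole procedure above (the OU, the GPO and its link, the three PowerShell logging settings, and firewall logging for all three profiles pushed through the GPO rather than set on one server) as a single script. This is an added example, not code from the original post; it assumes an elevated PowerShell session on a domain controller with the ActiveDirectory, GroupPolicy and NetSecurity modules available, and the transcript share path is a placeholder you must replace.

```powershell
# Added provisioning example, not code from the original post.
# Assumes: elevated session on a DC; RSAT modules present; OU and GPO names as in the post;
# $Transcript is a placeholder UNC path that clients can write to but not read/delete from.
Import-Module ActiveDirectory, GroupPolicy, NetSecurity

$OuName     = 'Finance'
$GpoName    = 'SecurityLog'
$Transcript = '\\fileserver\PSTranscripts$'   # placeholder, replace with your share

$domain = Get-ADDomain
$ouDn   = "OU=$OuName,$($domain.DistinguishedName)"

# 1. Create the OU (idempotent: skip if it already exists).
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $domain.DistinguishedName)) {
    New-ADOrganizationalUnit -Name $OuName -Path $domain.DistinguishedName
}

# 2. Create the GPO and link it to the OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Comment 'PowerShell and firewall logging' }
if (-not ((Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object DisplayName -eq $GpoName)) {
    New-GPLink -Name $GpoName -Target $ouDn -LinkEnabled Yes | Out-Null
}

# 3. PowerShell logging. These registry values are exactly what the three Administrative
#    Template settings under Windows Components -> Windows PowerShell write.
$psPol = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Turn on PowerShell Script Block Logging (Event ID 4104)
Set-GPRegistryValue -Name $GpoName -Key "$psPol\ScriptBlockLogging" `
    -ValueName 'EnableScriptBlockLogging' -Type DWord -Value 1 | Out-Null

# Turn on Module Logging for all modules ('*' in the Show... dialog, Event ID 4103)
Set-GPRegistryValue -Name $GpoName -Key "$psPol\ModuleLogging" `
    -ValueName 'EnableModuleLogging' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$psPol\ModuleLogging\ModuleNames" `
    -ValueName '*' -Type String -Value '*' | Out-Null

# Turn on PowerShell Transcription, writing to the central share
Set-GPRegistryValue -Name $GpoName -Key "$psPol\Transcription" `
    -ValueName 'EnableTranscripting' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$psPol\Transcription" `
    -ValueName 'EnableInvocationHeader' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key "$psPol\Transcription" `
    -ValueName 'OutputDirectory' -Type String -Value $Transcript | Out-Null

# 4. Firewall logging for Domain, Private and Public, written into the GPO
#    ("Domain\GPOName" policy store) so every computer in the OU gets it.
$store = "$($domain.DNSRoot)\$GpoName"
Set-NetFirewallProfile -PolicyStore $store -Profile Domain, Private, Public `
    -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log' `
    -LogBlocked True -LogAllowed True -LogMaxSizeKilobytes 32767   # max allowed size

# 5. "Audit object access" has no GroupPolicy cmdlet; set it in the editor as described
#    above, or on a single host with:
#    auditpol /set /category:"Object Access" /success:enable /failure:enable
```

Clients pick the settings up at the next policy refresh or after `gpupdate /force`; `Get-GPOReport -Name SecurityLog -ReportType Html -Path .\SecurityLog.html` gives you a readable dump of what the GPO now contains.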

That is all I have planned.