Set-logging.ps1

<#

.SYNOPSIS

This script turns up logging on a Windows computer.

.DESCRIPTION

This script turns up logging on a Windows computer.
There is a companion script get-loggingReport.ps1 that reads these settings and offers recommendations.
To turn off or change a setting either edit the settings below or comment them out.

.EXAMPLE

PS>.\set-logging.ps1

.NOTES

Author: Tom Willett
Date: 8/17/2016
Ver 1.0

#>

#This script Turns up logging on a windows computer -- comment out what you don't want changed.
#increase log sizes
set-itemproperty hklm:\system\currentcontrolset\services\eventlog\Application -name maxsize -value 41943040
set-itemproperty hklm:\system\currentcontrolset\services\eventlog\System -name maxsize -value 41943040
set-itemproperty hklm:\system\currentcontrolset\services\eventlog\Security -name maxsize -value 41943040

#set audit policy on registry keys
auditpol.exe /set /subcategory:'Registry' /success:enable /failure:enable
#$rule = $acl.getauditrules($true,$true, [System.Security.Principal.NTAccount] )

#HKLM Run key
$acl = get-acl hklm:\software\microsoft\windows\currentversion\run -audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","success")
$acl.addauditrule($rule)
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","failure")
$acl.addauditrule($rule)
$acl | set-acl hklm:\software\microsoft\windows\currentversion\run

#HKLM RunOnce Key
$acl = get-acl hklm:\software\microsoft\windows\currentversion\runonce -audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","success")
$acl.addauditrule($rule)
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","failure")
$acl.addauditrule($rule)
$acl | set-acl hklm:\software\microsoft\windows\currentversion\runonce

#HKCU Run Key
$acl = get-acl hkcu:\software\microsoft\windows\currentversion\run -audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","success")
$acl.addauditrule($rule)
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","failure")
$acl.addauditrule($rule)
$acl | set-acl hkcu:\software\microsoft\windows\currentversion\run

#HKCU RunOnce
$acl = get-acl hklm:\software\microsoft\windows\currentversion\runonce -audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","success")
$acl.addauditrule($rule)
$rule = New-Object System.Security.AccessControl.RegistryAuditRule ("everyone","ReadPermissions","none","none","failure")
$acl.addauditrule($rule)
$acl | set-acl hkcu:\software\microsoft\windows\currentversion\runonce

#Logon/Logoff Logging
auditpol.exe /set /subcategory:'Logon' /success:enable /failure:enable

#Computer Account Changes Logging
auditpol.exe /set /subcategory:'computer account management' /success:enable /failure:enable

#Security Group changes Logging
auditpol.exe /set /subcategory:'security group management' /success:enable /failure:enable

#User Account Changes Logging
auditpol.exe /set /subcategory:'user account management' /success:enable /failure:enable

#Firewall Events Logging
auditpol.exe /set /subcategory:'Filtering Platform Connection' /success:enable /failure:enable

#Process Creation Logging
auditpol.exe /set /subcategory:'Process Creation' /success:enable /failure:enable

#Process Termination Logging
auditpol.exe /set /subcategory:'Process Termination' /success:enable

#Powershell Script Block Logging
$basePath = 'HKLM:\Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if(-not (Test-Path $basePath))
{
$null = New-Item $basePath -Force
}
Set-ItemProperty $basePath -Name EnableScriptBlockLogging -Value '1'
Set-ItemProperty $basePath -Name EnableScriptBlockInvocationLogging -Value '1'

#Audit policy logging
auditpol.exe /set /subcategory:'Audit Policy Change' /success:enable /failure:enable