Hi
I'm wrestling with auditing the Windows security event logs for a local domain-joined Windows 10 system.
I'm looking to get the best configuration, where I can tell if a system has been compromised and see any intrusions.
I see the security logs are being spammed with event 4703, but despite trimming the audit settings in gpedit.msc, Advanced Audit Policy Configuration and secpol.msc, I can't seem to be rid of this event, which generates thousands of 4703 logs a minute.
When I toggle all the auditing to Not Configured (off), the settings auto-revert when I check the Local Group Policy Editor.
How do I force the audit settings to become permanent?
What are, in your opinion, the best audit settings for a secure workstation, e.g. recording USB device activity, screen lock, etc.?
What is the recommended max size for the logs, e.g. 20 MB?
Am I tweaking these in the correct place?
Thanks
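Added example (this is not part of the original post and not a reply from anyone in the thread): a PowerShell session that inspects the pieces of audit configuration the question touches on a domain-joined Windows 10 host. It reads the effective policy for the subcategory that emits event 4703 (Detailed Tracking > Token Right Adjusted Events), checks whether the "force subcategory settings" override is in effect, counts how many 4703 events arrived in the last minute and which processes produced them, shows the Security log's current maximum size, and lists the GPOs being applied. The `$Apply` flag, the 256 MB size and the choice of subcategories to keep are illustrative assumptions, not a recommendation from the page; run it from an elevated PowerShell prompt.

```powershell
# Added example: inspect and (optionally) adjust audit policy around event 4703.
# Assumptions not taken from the original post: elevated prompt, $Apply defaults to $false,
# and 256 MB is only an illustrative log size.
$Apply = $false

# 1. Effective audit policy for the subcategory that produces 4703 ("A user right was adjusted").
#    auditpol reports what LSA actually enforces, whichever GPO or local setting put it there.
auditpol /get /subcategory:"Token Right Adjusted Events"

# 2. Is "Audit: Force audit policy subcategory settings (Windows Vista or later) to override
#    audit policy category settings" in effect? When this value is 1, the Advanced Audit Policy
#    subcategories win over the legacy nine categories shown in secpol.msc.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"

# 3. How noisy is 4703 right now? Count events from the last minute and group them by the
#    process named in the event text, so you can see what keeps adjusting privileges.
$since  = (Get-Date).AddMinutes(-1)
$recent = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4703; StartTime = $since } `
                       -ErrorAction SilentlyContinue
"4703 events in the last minute: $($recent.Count)"
$recent |
    ForEach-Object {
        if ($_.Message -match 'Process Name:\s+([^\r\n]+)') { $Matches[1] } else { '<unknown>' }
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 5 Count, Name

# 4. Current size, record count and retention mode of the Security log.
Get-WinEvent -ListLog Security | Select-Object LogName, MaximumSizeInBytes, RecordCount, LogMode

# 5. Which GPOs apply to this computer? On a domain-joined machine, a domain GPO that sets audit
#    policy is reapplied at every policy refresh, overriding edits made in the local editor.
gpresult /scope:computer /r

if ($Apply) {
    # Stop auditing the subcategory behind 4703 (success and failure).
    auditpol /set /subcategory:"Token Right Adjusted Events" /success:disable /failure:disable

    # Keep the subcategories that cover external device arrivals (event 6416)
    # and workstation lock/unlock (events 4800/4801).
    auditpol /set /subcategory:"Plug and Play Events" /success:enable
    auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable

    # Raise the Security log ceiling. 268435456 bytes = 256 MB (illustrative figure).
    wevtutil sl Security /ms:268435456

    # Re-read the effective policy to confirm the change actually stuck.
    auditpol /get /category:*
}
```

If step 5 shows a domain GPO that configures audit policy, local changes made with gpedit.msc or auditpol will be overwritten at the next policy refresh; the lasting change then has to be made in that GPO (or the host moved out of its scope), which is why the script only reports by default and makes changes behind the `$Apply` flag.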