Audit Policy Recommendations

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This section addresses the Windows default audit policy settings, the baseline recommended audit policy settings, and the more aggressive recommendations from Microsoft, for workstation and server products.

The SCM baseline recommendations shown here, along with the settings we recommend to help detect compromise, are intended only to be a starting baseline guide for administrators. Each organization must make its own decisions regarding the threats it faces, its acceptable risk tolerance, and which audit policy categories or subcategories it should enable. For further information about threats, refer to the Threats and Countermeasures Guide. Administrators without a thoughtful audit policy in place are encouraged to start with the settings recommended here, and then to modify and test them prior to implementing them in their production environment.

The recommendations are for enterprise-class computers, which Microsoft defines as computers that have average security requirements and require a high level of operational functionality. Entities with higher security requirements should consider more aggressive audit policies.

Note

Microsoft Windows defaults and baseline recommendations were taken from the Microsoft Security Compliance Manager tool.

The following baseline audit policy settings are recommended for normal-security computers that are not known to be under active, successful attack by determined adversaries or malware.

This section contains tables that list the audit setting recommendations that apply to the following operating systems:

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2008

  • Windows 8

  • Windows 7

These tables contain the Windows default setting, the baseline recommendation, and the stronger recommendation for these operating systems.

Audit Policy Tables Legend

| Notation | Recommendation |
|---|---|
| YES | Enable in general scenarios |
| NO | Do not enable in general scenarios |
| IF | Enable if needed for a specific scenario, or if a role or feature for which auditing is desired is installed on the machine |
| DC | Enable on domain controllers |
| [Blank] | No recommendation |

Windows 8 and Windows 7 Audit Settings Recommendations

Audit Policy

| Audit Policy Category or Subcategory | Windows Default (Success Failure) | Baseline Recommendation (Success Failure) | Stronger Recommendation (Success Failure) |
|---|---|---|---|
| Account Logon | | | |
| Audit Credential Validation | No No | Yes No | Yes Yes |
| Audit Kerberos Authentication Service | | | Yes Yes |
| Audit Kerberos Service Ticket Operations | | | Yes Yes |
| Audit Other Account Logon Events | | | Yes Yes |
| Account Management | | | |
| Audit Application Group Management | | | |
| Audit Computer Account Management | | Yes No | Yes Yes |
| Audit Distribution Group Management | | | |
| Audit Other Account Management Events | | Yes No | Yes Yes |
| Audit Security Group Management | | Yes No | Yes Yes |
| Audit User Account Management | Yes No | Yes No | Yes Yes |
| Detailed Tracking | | | |
| Audit DPAPI Activity | | | Yes Yes |
| Audit Process Creation | | Yes No | Yes Yes |
| Audit Process Termination | | | |
| Audit RPC Events | | | |
| DS Access | | | |
| Audit Detailed Directory Service Replication | | | |
| Audit Directory Service Access | | | |
| Audit Directory Service Changes | | | |
| Audit Directory Service Replication | | | |
| Logon and Logoff | | | |
| Audit Account Lockout | Yes No | Yes No | |
| Audit User/Device Claims | | | |
| Audit IPsec Extended Mode | | | |
| Audit IPsec Main Mode | | | IF IF |
| Audit IPsec Quick Mode | | | |
| Audit Logoff | Yes No | Yes No | Yes No |
| Audit Logon | Yes No | Yes No | Yes Yes |
| Audit Network Policy Server | | | Yes Yes |
| Audit Other Logon/Logoff Events | | | |
| Audit Special Logon | Yes No | Yes No | Yes Yes |
| Object Access | | | |
| Audit Application Generated | | | |
| Audit Certification Services | | | |
| Audit Detailed File Share | | | |
| Audit File Share | | | |
| Audit File System | | | |
| Audit Filtering Platform Connection | | | |
| Audit Filtering Platform Packet Drop | | | |
| Audit Handle Manipulation | | | |
| Audit Kernel Object | | | |
| Audit Other Object Access Events | | | |
| Audit Registry | | | |
| Audit Removable Storage | | | |
| Audit SAM | | | |
| Audit Central Access Policy Staging | | | |
| Policy Change | | | |
| Audit Audit Policy Change | Yes No | Yes Yes | Yes Yes |
| Audit Authentication Policy Change | Yes No | Yes No | Yes Yes |
| Audit Authorization Policy Change | | | |
| Audit Filtering Platform Policy Change | | | |
| Audit MPSSVC Rule-Level Policy Change | | | Yes |
| Audit Other Policy Change Events | | | |
| Privilege Use | | | |
| Audit Non Sensitive Privilege Use | | | |
| Audit Other Privilege Use Events | | | |
| Audit Sensitive Privilege Use | | | |
| System | | | |
| Audit IPsec Driver | | Yes Yes | Yes Yes |
| Audit Other System Events | Yes Yes | | |
| Audit Security State Change | Yes No | Yes Yes | Yes Yes |
| Audit Security System Extension | | Yes Yes | Yes Yes |
| Audit System Integrity | Yes Yes | Yes Yes | Yes Yes |
| Global Object Access Auditing | | | |
| Audit IPsec Driver | | | |
| Audit Other System Events | | | |
| Audit Security State Change | | | |
| Audit Security System Extension | | | |
| Audit System Integrity | | | |

Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations

| Audit Policy Category or Subcategory | Windows Default (Success Failure) | Baseline Recommendation (Success Failure) | Stronger Recommendation (Success Failure) |
|---|---|---|---|
| Account Logon | | | |
| Audit Credential Validation | No No | Yes Yes | Yes Yes |
| Audit Kerberos Authentication Service | | | Yes Yes |
| Audit Kerberos Service Ticket Operations | | | Yes Yes |
| Audit Other Account Logon Events | | | Yes Yes |
| Account Management | | | |
| Audit Application Group Management | | | |
| Audit Computer Account Management | | DC Yes | DC Yes Yes |
| Audit Distribution Group Management | | | |
| Audit Other Account Management Events | | Yes Yes | Yes Yes |
| Audit Security Group Management | | Yes Yes | Yes Yes |
| Audit User Account Management | Yes No | Yes Yes | Yes Yes |
| Detailed Tracking | | | |
| Audit DPAPI Activity | | | Yes Yes |
| Audit Process Creation | | Yes No | Yes Yes |
| Audit Process Termination | | | |
| Audit RPC Events | | | |
| DS Access | | | |
| Audit Detailed Directory Service Replication | | | |
| Audit Directory Service Access | | DC DC | DC DC |
| Audit Directory Service Changes | | DC DC | DC DC |
| Audit Directory Service Replication | | | |
| Logon and Logoff | | | |
| Audit Account Lockout | Yes No | Yes No | |
| Audit User/Device Claims | | | |
| Audit IPsec Extended Mode | | | |
| Audit IPsec Main Mode | | | IF IF |
| Audit IPsec Quick Mode | | | |
| Audit Logoff | Yes No | Yes No | Yes No |
| Audit Logon | Yes No | Yes Yes | Yes Yes |
| Audit Network Policy Server | | | Yes Yes |
| Audit Other Logon/Logoff Events | | | Yes Yes |
| Audit Special Logon | Yes No | Yes No | Yes Yes |
| Object Access | | | |
| Audit Application Generated | | | |
| Audit Certification Services | | | |
| Audit Detailed File Share | | | |
| Audit File Share | | | |
| Audit File System | | | |
| Audit Filtering Platform Connection | | | |
| Audit Filtering Platform Packet Drop | | | |
| Audit Handle Manipulation | | | |
| Audit Kernel Object | | | |
| Audit Other Object Access Events | | | |
| Audit Registry | | | |
| Audit Removable Storage | | | |
| Audit SAM | | | |
| Audit Central Access Policy Staging | | | |
| Policy Change | | | |
| Audit Audit Policy Change | Yes No | Yes Yes | Yes Yes |
| Audit Authentication Policy Change | Yes No | Yes No | Yes Yes |
| Audit Authorization Policy Change | | | |
| Audit Filtering Platform Policy Change | | | |
| Audit MPSSVC Rule-Level Policy Change | | | Yes |
| Audit Other Policy Change Events | | | |
| Privilege Use | | | |
| Audit Non Sensitive Privilege Use | | | |
| Audit Other Privilege Use Events | | | |
| Audit Sensitive Privilege Use | | | |
| System | | | |
| Audit IPsec Driver | | Yes Yes | Yes Yes |
| Audit Other System Events | Yes Yes | | |
| Audit Security State Change | Yes No | Yes Yes | Yes Yes |
| Audit Security System Extension | | Yes Yes | Yes Yes |
| Audit System Integrity | Yes Yes | Yes Yes | Yes Yes |
| Global Object Access Auditing | | | |
| Audit IPsec Driver | | | |
| Audit Other System Events | | | |
| Audit Security State Change | | | |
| Audit Security System Extension | | | |
| Audit System Integrity | | | |

Set Audit Policy on Workstations and Servers

All event log management plans should monitor workstations as well as servers. A common mistake is to monitor only servers or domain controllers. Because malicious hacking often begins on workstations, not monitoring workstations means ignoring the best and earliest source of information.

Administrators should thoughtfully review and test any audit policy prior to implementing it in their production environment.
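The following script, added here as an example and not taken from the article or from Microsoft's tooling, applies the Baseline Recommendation column of the server table above with auditpol.exe and then reads the effective policy back to confirm that each setting took. It assumes an elevated prompt on a test machine, uses auditpol's own subcategory names, and treats the table's DC notation as "apply on domain controllers only".

```powershell
# Added example, not code from the original article: apply the "Baseline Recommendation"
# column of the server table above with auditpol.exe, then read the effective policy
# back and report every subcategory that still differs. Run from an elevated prompt on
# a test machine before any production rollout. Subcategory names are auditpol's own.

# DomainRole 4 = backup domain controller, 5 = primary domain controller.
$IsDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# S/F = Success/Failure setting; rows marked DcOnly carry the table's "DC" notation.
$Baseline = @(
    @{ Sub = 'Credential Validation';           S = 'enable'; F = 'enable'  },
    @{ Sub = 'User Account Management';         S = 'enable'; F = 'enable'  },
    @{ Sub = 'Security Group Management';       S = 'enable'; F = 'enable'  },
    @{ Sub = 'Other Account Management Events'; S = 'enable'; F = 'enable'  },
    @{ Sub = 'Computer Account Management';     S = 'enable'; F = 'disable'; DcOnly = $true },
    @{ Sub = 'Process Creation';                S = 'enable'; F = 'disable' },
    @{ Sub = 'Directory Service Access';        S = 'enable'; F = 'enable';  DcOnly = $true },
    @{ Sub = 'Directory Service Changes';       S = 'enable'; F = 'enable';  DcOnly = $true },
    @{ Sub = 'Account Lockout';                 S = 'enable'; F = 'disable' },
    @{ Sub = 'Logoff';                          S = 'enable'; F = 'disable' },
    @{ Sub = 'Logon';                           S = 'enable'; F = 'enable'  },
    @{ Sub = 'Special Logon';                   S = 'enable'; F = 'disable' },
    @{ Sub = 'Audit Policy Change';             S = 'enable'; F = 'enable'  },
    @{ Sub = 'Authentication Policy Change';    S = 'enable'; F = 'disable' },
    @{ Sub = 'IPsec Driver';                    S = 'enable'; F = 'enable'  },
    @{ Sub = 'Security State Change';           S = 'enable'; F = 'enable'  },
    @{ Sub = 'Security System Extension';       S = 'enable'; F = 'enable'  },
    @{ Sub = 'System Integrity';                S = 'enable'; F = 'enable'  }
)

# auditpol reports the effective setting as one of these strings in its CSV (/r) output.
function Get-ExpectedSetting($row) {
    switch ("$($row.S)/$($row.F)") {
        'enable/enable'  { 'Success and Failure' }
        'enable/disable' { 'Success' }
        'disable/enable' { 'Failure' }
        default          { 'No Auditing' }
    }
}

$Rows = $Baseline | Where-Object { -not $_.DcOnly -or $IsDc }   # drop DC-only rows elsewhere
foreach ($row in $Rows) {
    auditpol.exe /set /subcategory:"$($row.Sub)" /success:$($row.S) /failure:$($row.F) | Out-Null
}

# Read back what is actually in effect and diff it against the table.
$Effective = auditpol.exe /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($row in $Rows) {
    $expected = Get-ExpectedSetting $row
    $actual = ($Effective | Where-Object Subcategory -eq $row.Sub).'Inclusion Setting'
    if ($actual -ne $expected) {
        Write-Warning "$($row.Sub): expected '$expected', effective '$actual'"
    }
}
```

If Group Policy also sets advanced audit policy, the policy refresh will overwrite what auditpol applied, so the read-back diff is the check worth keeping after the next gpupdate.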

Events to Monitor

A perfect event ID to generate a security alert should have the following attributes:

  • High likelihood that an occurrence indicates unauthorized activity

  • Low number of false positives

  • An occurrence should result in an investigative/forensic response

Two types of events should be monitored and alerted on:

  1. Events in which even a single occurrence indicates unauthorized activity

  2. An accumulation of events above an expected and accepted baseline

An example of the first type of event is:

If Domain Admins (DAs) are forbidden from logging on to computers that are not domain controllers, a single occurrence of a DA member logging on to an end-user workstation should generate an alert and be investigated. This type of alert is easy to generate by using the Audit Special Logon event 4964 (Special groups have been assigned to a new logon). Other examples of single-instance alerts include:

  • If Server A should never connect to Server B, alert when they connect to each other.

  • Alert if a normal end-user account is unexpectedly added to a sensitive security group.

  • If employees in factory location A never work at night, alert when a user logs on at midnight.

  • Alert if an unauthorized service is installed on a domain controller.

  • Investigate if a regular end user attempts to log on directly to a SQL Server without a clear reason for doing so.

  • If your DA group has no members and someone adds themselves to it, check it immediately.

An example of the second type of event is:

An aberrant number of failed logons could indicate a password-guessing attack. For an enterprise to alert on an unusually high number of failed logons, it must first understand the normal level of failed logons within its environment prior to a malicious security event.

For a comprehensive list of events that you should include when you monitor for signs of compromise, see Appendix L: Events to Monitor.
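The two alert types described above, as an added PowerShell example that is not part of the original article: a single-occurrence alert on event 4964 naming Domain Admins on a workstation, and a threshold alert on failed logons. It assumes a domain-joined workstation and an elevated prompt, uses event 4625 (the standard failed-logon event, which this page does not name), and treats $FailedLogonBaseline as a placeholder for the hourly rate you measured in your own environment.

```powershell
# Added example, not code from the original article. It implements the two alert types
# described above on a domain-joined workstation's Security log:
#   1. Single occurrence: event 4964 (Special groups have been assigned to a new logon)
#      naming Domain Admins, which fires when a DA member logs on, provided the Special
#      Logon subcategory audits success and the DA SID is listed under
#      HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\SpecialGroups (set up below).
#   2. Accumulation: failed logons (event 4625, the standard failed-logon event) in the
#      last hour compared with a baseline measured earlier; $FailedLogonBaseline is an
#      assumed placeholder for that measured value.

$FailedLogonBaseline = 50
$Since = (Get-Date).AddHours(-1)

# Resolve the Domain Admins SID (RID 512 in the machine's own domain) without RSAT.
$account = New-Object System.Security.Principal.NTAccount("$env:USERDOMAIN\Domain Admins")
$DomainAdminsSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# One-time setup (elevated): register DA as a special group and audit successful special logons.
$auditKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Audit'
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'SpecialGroups' -Value $DomainAdminsSid -Type String
auditpol.exe /set /subcategory:"Special Logon" /success:enable | Out-Null

function Get-EventField($Event, $Name) {
    # EventData/Data elements are keyed by their Name attribute; names follow the event schema
    # (SidList and TargetUserName for 4964, TargetUserName for 4625 are assumed from it).
    (([xml]$Event.ToXml()).Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# 1. Any 4964 whose special-group list contains Domain Admins is an alert on its own.
$special = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4964; StartTime = $Since } -ErrorAction SilentlyContinue
foreach ($e in $special) {
    if ((Get-EventField $e 'SidList') -like "*$DomainAdminsSid*") {
        $user = Get-EventField $e 'TargetUserName'
        Write-Warning "ALERT (investigate): Domain Admins member '$user' logged on to $env:COMPUTERNAME at $($e.TimeCreated)"
    }
}

# 2. Failed logons only matter once they exceed the rate the environment normally shows.
$failed = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue)
if ($failed.Count -gt $FailedLogonBaseline) {
    $targets = $failed | ForEach-Object { Get-EventField $_ 'TargetUserName' } |
               Group-Object | Sort-Object Count -Descending | Select-Object -First 5
    $summary = ($targets | ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
    Write-Warning "ALERT (above baseline): $($failed.Count) failed logons in the last hour vs baseline $FailedLogonBaseline; most-targeted accounts: $summary"
}
```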

Active Directory Objects and Attributes to Monitor

The following are the accounts, groups, and attributes that you should monitor to help you detect attempts to compromise your Active Directory Domain Services installation.

  • Systems, for disabling or removal of antivirus and antimalware software (automatically restart protection when it is manually disabled)

  • Administrator accounts, for unauthorized changes

  • Activities that are performed by using privileged accounts (automatically remove the account when the suspicious activities are completed or the allotted time has expired)

  • Privileged and VIP accounts in AD DS. Monitor for changes, particularly changes to attributes on the Account tab (for example, cn, name, sAMAccountName, userPrincipalName, or userAccountControl). In addition to monitoring the accounts, restrict who can modify them to as small a set of administrative users as possible.

Refer to Appendix L: Events to Monitor for a list of recommended events to monitor, their criticality ratings, and an event message summary.

  • Group servers by the classification of their workloads, which allows you to quickly identify the servers that should be the most closely monitored and most stringently configured

  • Changes to the properties and membership of the following AD DS groups: Enterprise Admins (EA), Domain Admins (DA), Administrators (BA), and Schema Admins (SA)

  • Disabled privileged accounts (such as built-in Administrator accounts in Active Directory and on member systems), for enabling of the accounts

  • Management accounts, to log all writes to the account

  • The built-in Security Configuration Wizard, to configure service, registry, audit, and firewall settings to reduce the server's attack surface. Use this wizard if you implement jump servers as part of your administrative host strategy.

Additional Information for Monitoring Active Directory Domain Services

Review the following links for additional information about monitoring AD DS:

General List of Security Event ID Recommendation Criticalities

All Event ID recommendations are accompanied by a criticality rating, as follows:

High: Event IDs with a high criticality rating should always and immediately be alerted on and investigated.

Medium: An Event ID with a medium criticality rating could indicate malicious activity, but it must be accompanied by some other abnormality (for example, an unusual number of occurrences in a particular time period, unexpected occurrences, or occurrences on a computer that normally would not be expected to log the event). A medium-criticality event may also be collected as a metric and compared over time.

Low: An Event ID with a low criticality rating should not garner attention or cause alerts, unless correlated with medium- or high-criticality events.

These recommendations are meant to provide a baseline guide for the administrator. All recommendations should be thoroughly reviewed prior to implementation in a production environment.

Refer to Appendix L: Events to Monitor for a list of the recommended events to monitor, their criticality ratings, and an event message summary.