Monitoring Active Directory for Signs of Compromise

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Law Number Five: Eternal vigilance is the price of security. - 10 Immutable Laws of Security Administration

A solid event log monitoring system is a crucial part of any secure Active Directory design. Many computer security compromises could have been discovered early if the victims had enacted appropriate event log monitoring and alerting. Independent reports have long supported this conclusion. For example, the 2009 Verizon Data Breach Report states:

"The apparent ineffectiveness of event monitoring and log analysis continues to be somewhat of an enigma. The opportunity for detection is there; investigators noted that 66 percent of victims had sufficient evidence available within their logs to discover the breach had they been more diligent in analyzing such resources."

This lack of monitoring of active event logs remains a consistent weakness in many companies' security defense plans. The 2012 Verizon Data Breach Report found that even though 85 percent of breaches took several weeks to be noticed, 84 percent of victims had evidence of the breach in their event logs.

Windows Audit Policy

The following are links to the Microsoft official enterprise support blog. The content of these blogs provides advice, guidance, and recommendations about auditing that will assist you in enhancing the security of your Active Directory infrastructure, and they are a valuable resource when designing an audit policy.

The following links provide information about improvements to Windows auditing in Windows 8 and Windows Server 2012, and information about AD DS auditing in Windows Server 2008.

Windows Audit Categories

Prior to Windows Vista and Windows Server 2008, Windows had only nine event log audit policy categories:

  • Account Logon Events

  • Account Management

  • Directory Service Access

  • Logon Events

  • Object Access

  • Policy Change

  • Privilege Use

  • Process Tracking

  • System Events

These nine traditional audit categories comprise an audit policy. Each audit policy category can be enabled for Success, Failure, or Success and Failure events. Their descriptions are included in the next section.

Audit Policy Category Descriptions

The audit policy categories enable the following event log message types.

Audit Account Logon Events

Reports each instance of a security principal (for example, a user, computer, or service account) logging on to or off from one computer where another computer is used to validate the account. Account logon events are generated when a domain security principal account is authenticated on a domain controller. Authentication of a local user on a local computer generates a logon event that is logged in the local security log. No account logoff events are logged.

This category generates a lot of "noise" because Windows constantly has accounts logging on to and off of local and remote computers during the normal course of business. Still, any security plan should include the success and failure of this audit category.

Audit Account Management

This audit setting determines whether to track management of users and groups. For example, users and groups should be tracked when a user or computer account, a security group, or a distribution group is created, changed, or deleted; when a user or computer account is renamed, disabled, or enabled; or when a user or computer password is changed. An event can be generated for users or groups that are added to or removed from other groups.

Audit Directory Service Access

This policy setting determines whether to audit security principal access to an Active Directory object that has its own specified system access control list (SACL). In general, this category should only be enabled on domain controllers. When enabled, this setting generates a lot of "noise."

Audit Logon Events

Logon events are generated when a local security principal is authenticated on a local computer. Logon Events records domain logons that occur on the local computer. Account logoff events are not generated. When enabled, Logon Events generates a lot of "noise," but it should be enabled by default in any security auditing plan.

Audit Object Access

Object Access can generate events when subsequently defined objects with auditing enabled are accessed (for example, Opened, Read, Renamed, Deleted, or Closed). After the main auditing category is enabled, the administrator must individually define which objects will have auditing enabled. Many Windows system objects come with auditing enabled, so enabling this category will usually begin to generate events before the administrator has defined any.

This category is very "noisy" and will generate five to ten events for each object access. It can be difficult for administrators new to object auditing to gain useful information from it. It should only be enabled when needed.

Audit Policy Change

This policy setting determines whether to audit every incidence of a change to user rights assignment policies, Windows Firewall policies, Trust policies, or changes to the audit policy itself. This category should be enabled on all computers. It generates very little noise.

Audit Privilege Use

There are dozens of user rights and permissions in Windows (for example, Logon as a Batch Job and Act as Part of the Operating System). This policy setting determines whether to audit each instance of a security principal exercising a user right or privilege. Enabling this category results in a lot of "noise," but it can be helpful in tracking security principal accounts that use elevated privileges.

Audit Process Tracking

This policy setting determines whether to audit detailed process tracking information for events such as program activation, process exit, handle duplication, and indirect object access. It is useful for tracking malicious users and the programs they use.

Enabling Audit Process Tracking generates a large number of events, so typically it is set to No Auditing. However, this setting can provide great benefit during an incident response because of the detailed log of the processes that were started and the time they were launched. For domain controllers and other single-role infrastructure servers, this category can be safely turned on all the time. Single-role servers do not generate much process tracking traffic during the normal course of their duties. As such, it can be enabled on them to capture unauthorized events if they occur.

Audit System Events

System Events is almost a generic catch-all category, registering various events that impact the computer, its system security, or the security log. It includes events for computer shutdowns and restarts, power failures, system time changes, authentication package initializations, audit log clearings, impersonation issues, and a host of other general events. In general, enabling this audit category generates a lot of "noise," but it generates enough very useful events that it is difficult to ever recommend not enabling it.

Advanced Audit Policies

Starting with Windows Vista and Windows Server 2008, Microsoft improved the way event log category selections can be made by creating subcategories under each main audit category. Subcategories allow auditing to be far more granular than it could otherwise be using only the main categories. By using subcategories, you can enable only portions of a particular main category and skip generating events for which you have no use. Each audit policy subcategory can be enabled for Success, Failure, or Success and Failure events.

To list all the available auditing subcategories, review the Advanced Audit Policy container in a Group Policy Object, or type the following at a command prompt on any computer running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, or Windows Vista:

auditpol /list /subcategory:*

To get a list of the currently configured auditing subcategories on a computer running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008, type the following:

auditpol /get /category:*

The following screenshot shows an example of auditpol.exe listing the current audit policy.

[Screenshot: auditpol.exe listing the current audit policy]

Note

Group Policy does not always accurately report the status of all enabled auditing policies, whereas auditpol.exe does. See Getting the Effective Audit Policy in Windows 7 and 2008 R2 for more details.
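Because auditpol.exe reports the effective policy, it is the right source for a drift check. The following PowerShell script is an added example, not code from the article or from Microsoft: it parses the CSV that `auditpol /get /category:* /r` emits and lists any baseline subcategory that is set lower than expected. The baseline is this example's own selection of subcategories the article describes, and the subcategory and setting names assume an English-language Windows install.

```powershell
# Added example (not part of the original article): compare the effective audit
# policy reported by auditpol.exe against a baseline and list subcategories
# that fall short. The baseline below is this example's own choice, assembled
# from the article's descriptions; it is not a Microsoft-published baseline.

# Minimum expected setting per subcategory, using auditpol's own wording.
$Baseline = @{
    'Credential Validation'     = 'Success and Failure'
    'Logon'                     = 'Success and Failure'
    'Account Lockout'           = 'Success'
    'Special Logon'             = 'Success'
    'User Account Management'   = 'Success and Failure'
    'Security Group Management' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'
    'Security State Change'     = 'Success'
}

function Get-EffectiveAuditPolicy {
    # "/r" makes auditpol emit CSV with the columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    $csv = & auditpol.exe /get /category:* /r
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /get failed with exit code $LASTEXITCODE (run from an elevated prompt)"
    }
    # auditpol prints a blank line before the header; drop blank lines before parsing.
    $csv | Where-Object { $_.Trim() } | ConvertFrom-Csv
}

function Test-AuditSetting {
    param([string]$Actual, [string]$Expected)
    # auditpol reports one of: No Auditing, Success, Failure, Success and Failure.
    # The actual setting satisfies the baseline when it covers every half the
    # baseline asks for (Success and Failure satisfies a Success-only baseline).
    $wantSuccess = $Expected -match 'Success'
    $wantFailure = $Expected -match 'Failure'
    $hasSuccess  = $Actual   -match 'Success'
    $hasFailure  = $Actual   -match 'Failure'
    (-not $wantSuccess -or $hasSuccess) -and (-not $wantFailure -or $hasFailure)
}

function Get-AuditPolicyDrift {
    param([hashtable]$Expected = $Baseline)
    $current = @{}
    foreach ($row in Get-EffectiveAuditPolicy) {
        $current[$row.Subcategory] = $row.'Inclusion Setting'
    }
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $actual = if ($current.ContainsKey($name)) { $current[$name] } else { 'Not reported' }
        if (-not (Test-AuditSetting -Actual $actual -Expected $Expected[$name])) {
            [pscustomobject]@{
                Subcategory = $name
                Expected    = $Expected[$name]
                Actual      = $actual
            }
        }
    }
}

$drift = Get-AuditPolicyDrift
if ($drift) {
    Write-Warning "Effective audit policy on ${env:COMPUTERNAME} differs from the baseline:"
    $drift | Format-Table -AutoSize
} else {
    Write-Host "Effective audit policy on ${env:COMPUTERNAME} meets the baseline."
}
```

Run it on each domain controller and workstation class you care about; a subcategory reported as "Not reported" usually means the name does not match what auditpol prints on that system.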

Each main category has multiple subcategories. Below is a list of the categories, their subcategories, and a description of their functions.

Auditing Subcategory Descriptions

Audit policy subcategories enable the following event log message types:

Account Logon

Credential Validation

This subcategory reports the results of validation tests on credentials submitted for a user account logon request. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative.

In domain environments, most of the account logon events are logged in the security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on.

Kerberos Service Ticket Operations

This subcategory reports events generated by Kerberos ticket request processes on the domain controller that is authoritative for the domain account.

Kerberos Authentication Service

This subcategory reports events generated by the Kerberos authentication service. These events occur on the computer that is authoritative for the credentials.

Other Account Logon Events

This subcategory reports the events that occur in response to credentials submitted for a user account logon request that do not relate to credential validation or Kerberos tickets. These events occur on the computer that is authoritative for the credentials. For domain accounts, the domain controller is authoritative, whereas for local accounts, the local computer is authoritative.

In domain environments, most account logon events are logged in the security log of the domain controllers that are authoritative for the domain accounts. However, these events can occur on other computers in the organization when local accounts are used to log on. Examples can include the following:

  • Remote Desktop Services session disconnections

  • New Remote Desktop Services sessions

  • Locking and unlocking a workstation

  • Invoking a screen saver

  • Dismissing a screen saver

  • Detection of a Kerberos replay attack, in which a Kerberos request with identical information is received twice

  • Access to a wireless network granted to a user or computer account

  • Access to a wired 802.1x network granted to a user or computer account

Account Management

User Account Management

This subcategory reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. If this audit policy setting is enabled, administrators can track events to detect malicious, accidental, and authorized creation of user accounts.

Computer Account Management

This subcategory reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled.

Security Group Management

This subcategory reports each event of security group management, such as when a security group is created, changed, or deleted, or when a member is added to or removed from a security group. If this audit policy setting is enabled, administrators can track events to detect malicious, accidental, and authorized creation of security group accounts.

Distribution Group Management

This subcategory reports each event of distribution group management, such as when a distribution group is created, changed, or deleted, or when a member is added to or removed from a distribution group. If this audit policy setting is enabled, administrators can track events to detect malicious, accidental, and authorized creation of group accounts.

Application Group Management

This subcategory reports each event of application group management on a computer, such as when an application group is created, changed, or deleted, or when a member is added to or removed from an application group. If this audit policy setting is enabled, administrators can track events to detect malicious, accidental, and authorized creation of application group accounts.

Other Account Management Events

This subcategory reports other account management events.

Detailed Process Tracking

Process Creation

This subcategory reports the creation of a process and the name of the user or program that created it.

Process Termination

This subcategory reports when a process terminates.

DPAPI Activity

This subcategory reports encrypt or decrypt calls into the Data Protection Application Programming Interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information.

RPC Events

This subcategory reports remote procedure call (RPC) connection events.

Directory Service Access

Directory Service Access

This subcategory reports when an AD DS object is accessed. Only objects with configured SACLs cause audit events to be generated, and only when they are accessed in a manner that matches the SACL entries. These events are similar to the directory service access events in earlier versions of Windows Server. This subcategory applies only to domain controllers.

Directory Service Changes

This subcategory reports changes to objects in AD DS. The types of changes that are reported are create, modify, move, and undelete operations performed on an object. Directory service change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL entries. Some objects and properties do not cause audit events to be generated because of settings on the object class in the schema. This subcategory applies only to domain controllers.

Directory Service Replication

This subcategory reports when replication between two domain controllers begins and ends.

Detailed Directory Service Replication

This subcategory reports detailed information about the data replicated between domain controllers. These events can be very high in volume.

Logon/Logoff

Logon

This subcategory reports when a user attempts to log on to the system. These events occur on the accessed computer. For interactive logons, these events are generated on the computer that is logged on to. If a network logon takes place to access a share, these events are generated on the computer that hosts the accessed resource. If this setting is configured to No Auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers.

Network Policy Server

This subcategory reports events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Auditing this setting will result in a medium or high volume of records on NPS and IAS servers.

IPsec Main Mode

This subcategory reports the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.

IPsec Extended Mode

This subcategory reports the results of AuthIP during Extended Mode negotiations.

Other Logon/Logoff Events

This subcategory reports other logon- and logoff-related events, such as Remote Desktop Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation.

Logoff

This subcategory reports when a user logs off the system. These events occur on the accessed computer. For interactive logons, these events are generated on the computer that is logged on to. If a network logon takes place to access a share, these events are generated on the computer that hosts the accessed resource. If this setting is configured to No Auditing, it is difficult or impossible to determine which user has accessed or attempted to access organization computers.

Account Lockout

This subcategory reports when a user's account is locked out as a result of too many failed logon attempts.

IPsec Quick Mode

This subcategory reports the results of the IKE protocol and AuthIP during Quick Mode negotiations.

Special Logon

This subcategory reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.

Policy Change

Audit Policy Change

This subcategory reports changes in audit policy, including SACL changes.

Authentication Policy Change

This subcategory reports changes in authentication policy.

Authorization Policy Change

This subcategory reports changes in authorization policy, including permissions (DACL) changes.

MPSSVC Rule-Level Policy Change

This subcategory reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe). This service is used by Windows Firewall.

Filtering Platform Policy Change

This subcategory reports the addition and removal of objects from WFP, including startup filters. These events can be very high in volume.

Other Policy Change Events

This subcategory reports other types of security policy changes, such as configuration of the Trusted Platform Module (TPM) or cryptographic providers.

Privilege Use

Sensitive Privilege Use

This subcategory reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: act as part of the operating system, back up files and directories, create a token object, debug programs, enable computer and user accounts to be trusted for delegation, generate security audits, impersonate a client after authentication, load and unload device drivers, manage auditing and security log, modify firmware environment values, replace a process-level token, restore files and directories, and take ownership of files or other objects. Auditing this subcategory will create a high volume of events.

Nonsensitive Privilege Use

This subcategory reports when a user account or service uses a nonsensitive privilege. A nonsensitive privilege includes the following user rights: access Credential Manager as a trusted caller, access this computer from the network, add workstations to domain, adjust memory quotas for a process, allow log on locally, allow log on through Remote Desktop Services, bypass traverse checking, change the system time, create a pagefile, create global objects, create permanent shared objects, create symbolic links, deny access to this computer from the network, deny log on as a batch job, deny log on as a service, deny log on locally, deny log on through Remote Desktop Services, force shutdown from a remote system, increase a process working set, increase scheduling priority, lock pages in memory, log on as a batch job, log on as a service, modify an object label, perform volume maintenance tasks, profile single process, profile system performance, remove computer from docking station, shut down the system, and synchronize directory service data. Auditing this subcategory will create a very high volume of events.

Other Privilege Use Events

This security policy setting is not currently used.

Object Access

File System

This subcategory reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL entries. By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user accessing a file system object that has a specified system access control list (SACL), effectively enabling auditing to take place.

If the audit object access setting is configured to Success, an audit entry is generated each time a user successfully accesses an object with a specified SACL. If this policy setting is configured to Failure, an audit entry is generated each time a user fails in an attempt to access an object with a specified SACL.

Registry

This subcategory reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL entries. By itself, this policy setting will not cause auditing of any events.

Kernel Object

This subcategory reports when kernel objects such as processes and mutexes are accessed. Only kernel objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL entries. Typically, kernel objects are only given SACLs if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.

SAM

This subcategory reports when local Security Accounts Manager (SAM) authentication database objects are accessed.

Certification Services

This subcategory reports when Certification Services operations are performed.

Application Generated

This subcategory reports when applications attempt to generate audit events by using the Windows auditing application programming interfaces (APIs).

Handle Manipulation

This subcategory reports when a handle to an object is opened or closed. Only objects with SACLs cause these events to be generated, and only if the attempted handle operation matches the SACL entries. Handle Manipulation events are only generated for object types where the corresponding object access subcategory is enabled (for example, File System or Registry).

File Share

This subcategory reports when a file share is accessed. By itself, this policy setting will not cause auditing of any events. It determines whether to audit the event of a user accessing a file share object that has a specified system access control list (SACL), effectively enabling auditing to take place.

Filtering Platform Packet Drop

This subcategory reports when packets are dropped by the Windows Filtering Platform (WFP). These events can be very high in volume.

Filtering Platform Connection

This subcategory reports when connections are allowed or blocked by WFP. These events can be high in volume.

Other Object Access Events

This subcategory reports other object access-related events, such as Task Scheduler jobs and COM+ objects.

System

Security State Change

This subcategory reports changes in the security state of the system, such as when the security subsystem starts and stops.

Security System Extension

This subcategory reports the loading of extension code, such as authentication packages, by the security subsystem.

System Integrity

This subcategory reports on violations of the integrity of the security subsystem.

IPsec Driver

This subcategory reports on the activities of the Internet Protocol security (IPsec) driver.

Other System Events

This subcategory reports on other system events.

For more information about the subcategory descriptions, refer to the Microsoft Security Compliance Manager tool.

Each organization should review the categories and subcategories covered above and enable the ones that best fit its environment. Changes to audit policy should always be tested before deployment in a production environment.

Configuring Windows Audit Policy

Windows audit policy can be set using Group Policy, auditpol.exe, APIs, or registry edits. The recommended methods for configuring audit policy for most companies are Group Policy or auditpol.exe. Setting a system's audit policy requires administrator-level account permissions or the appropriate delegated permissions.

Note

The Manage auditing and security log privilege must be given to security principals (Administrators have it by default) to allow the modification of object access auditing options on individual resources, such as files, Active Directory objects, and registry keys.

Setting Windows Audit Policy by Using Group Policy

To set audit policy using Group Policy, configure the appropriate audit categories located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy (see the following screenshot for an example from the Local Group Policy Editor (gpedit.msc)). Each audit policy category can be enabled for Success, Failure, or Success and Failure events.


Advanced Audit Policy can be set by using Active Directory or local Group Policy. To set Advanced Audit Policy, configure the appropriate subcategories located under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy (see the following screenshot for an example from the Local Group Policy Editor (gpedit.msc)). Each audit policy subcategory can be enabled for Success, Failure, or Success and Failure events.


Setting Windows Audit Policy Using Auditpol.exe

Auditpol.exe (for setting Windows audit policy) was introduced in Windows Server 2008 and Windows Vista. Initially, only auditpol.exe could be used to set Advanced Audit Policy, but Group Policy can now be used in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, and Windows 7.

Auditpol.exe is a command-line utility. The syntax is as follows:

auditpol /set /<category|subcategory>:"<name>" /success:<enable|disable> /failure:<enable|disable>

Auditpol.exe syntax examples:

auditpol /set /subcategory:"user account management" /success:enable /failure:enable

auditpol /set /subcategory:"logon" /success:enable /failure:enable

auditpol /set /subcategory:"IPSEC Main Mode" /failure:enable

Note

Auditpol.exe sets Advanced Audit Policy locally. If the local policy conflicts with Active Directory or local Group Policy, the Group Policy settings usually prevail over the auditpol.exe settings. When multiple Group Policy or local policy conflicts exist, only one policy will prevail (that is, it replaces the others). Audit policies are not merged.

Scripting Auditpol

Microsoft provides a sample script for administrators who want to set Advanced Audit Policy by using a script instead of manually typing in each auditpol.exe command.

Note: Group Policy does not always accurately report the status of all enabled auditing policies, whereas auditpol.exe does. See Getting the Effective Audit Policy in Windows 7 and Windows 2008 R2 for more details.
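The following PowerShell script is an added example of scripting auditpol.exe; it is not Microsoft's sample script and not code from this page. It applies the three subcategory settings shown in the syntax examples above, takes a backup first so the change can be reverted with auditpol /restore, and then reads the effective policy back with auditpol's CSV report switch (/r) to confirm each subcategory landed as intended. The baseline list is a constructed illustration, and the script assumes an elevated session on an English-language system (subcategory names in the CSV output are localized).

```powershell
# Added example (not Microsoft's sample script): apply a small set of
# Advanced Audit Policy subcategory settings with auditpol.exe and verify
# the effective result. Run from an elevated PowerShell session.
# $Baseline is a constructed, illustrative list; adjust it to your audit design.

$Baseline = @(
    @{ Subcategory = 'User Account Management'; Success = 'enable';  Failure = 'enable' },
    @{ Subcategory = 'Logon';                   Success = 'enable';  Failure = 'enable' },
    @{ Subcategory = 'IPsec Main Mode';         Success = 'disable'; Failure = 'enable' }
)

# Back up the current local policy first; revert later with:
#   auditpol /restore /file:<backup file>
$BackupFile = Join-Path $env:TEMP ('auditpol-backup-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date))
auditpol /backup /file:$BackupFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed with exit code $LASTEXITCODE" }
"Backup written to $BackupFile"

# Apply each entry. Arguments are built as an array and splatted so that
# subcategory names containing spaces are passed as one argument.
foreach ($Entry in $Baseline) {
    $AuditArgs = @(
        '/set',
        "/subcategory:$($Entry.Subcategory)",
        "/success:$($Entry.Success)",
        "/failure:$($Entry.Failure)"
    )
    auditpol @AuditArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$($Entry.Subcategory)'" }
}

# Verify using auditpol's CSV report format (/r). The columns include
# "Subcategory" and "Inclusion Setting" (e.g. "Success and Failure").
# A leading blank line is dropped before parsing.
$Effective = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv

foreach ($Entry in $Baseline) {
    $Expected = switch ("$($Entry.Success)/$($Entry.Failure)") {
        'enable/enable'  { 'Success and Failure' }
        'enable/disable' { 'Success' }
        'disable/enable' { 'Failure' }
        default          { 'No Auditing' }
    }
    $Row    = $Effective | Where-Object { $_.Subcategory -eq $Entry.Subcategory }
    $Actual = if ($Row) { $Row.'Inclusion Setting' } else { '<not found>' }
    $Status = if ($Actual -eq $Expected) { 'OK' } else { 'MISMATCH' }
    '{0,-8} {1,-26} expected: {2,-20} actual: {3}' -f $Status, $Entry.Subcategory, $Expected, $Actual
}
```

Because Group Policy prevails over local auditpol settings (see the note above), a MISMATCH on a domain-joined machine often means a GPO configures the same subcategory; check the effective policy again after the next Group Policy refresh rather than assuming the local change stuck.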

Other Auditpol Commands

Auditpol.exe can be used to save and restore a local audit policy, and to run other auditing-related commands. Here are the other auditpol commands.

auditpol /clear - Used to clear and reset local audit policies

auditpol /backup /file: - Used to back up the current local audit policy to a binary file

auditpol /restore /file: - Used to import a previously saved audit policy file into the local audit policy

auditpol /<get/set> /option: /<enable/disable> - If this audit policy setting is enabled, it causes the system to stop immediately (with a STOP: C0000244 {Audit Failed} message) if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the retention method specified for the security log is Do Not Overwrite Events or Overwrite Events by Days. It is usually enabled only in environments that need higher assurance that the security log is recording events. If it is enabled, administrators must closely watch the security log size and rotate logs as required. It can also be set with Group Policy by modifying the security option Audit: Shut down system immediately if unable to log security audits (default=disabled).

Auditpol /<get/set> /option: /<enable/disable> - This audit policy setting determines whether to audit the access of global system objects. If this policy is enabled, it causes system objects, such as mutexes, events, semaphores, and DOS devices, to be created with a default system access control list (SACL). Most administrators consider auditing global system objects to be too "noisy," and they will only enable it if malicious hacking is suspected. Only named objects are given a SACL. If the Audit object access audit policy (or the Kernel Object audit subcategory) is also enabled, access to these system objects is audited. When configuring this security setting, changes will not take effect until you restart Windows. This policy can also be set with Group Policy by modifying the security option Audit the access of global system objects (default=disabled).

auditpol /<get/set> /option: /<enable/disable> - This audit policy setting specifies that named kernel objects (such as mutexes and semaphores) are to be given SACLs when they are created. AuditBaseDirectories affects container objects, while AuditBaseObjects affects objects that cannot contain other objects.

Auditpol /<get/set> /option: /<enable/disable> - This audit policy setting specifies whether the client generates an event when one or more of these privileges are assigned to a user security token: AssignPrimaryTokenPrivilege, AuditPrivilege, BackupPrivilege, CreateTokenPrivilege, DebugPrivilege, EnableDelegationPrivilege, ImpersonatePrivilege, LoadDriverPrivilege, RestorePrivilege, SecurityPrivilege, SystemEnvironmentPrivilege, TakeOwnershipPrivilege, and TcbPrivilege. If this option is not enabled (default=Disabled), the BackupPrivilege and RestorePrivilege privileges are not recorded. Enabling this option can make the security log extremely noisy (sometimes hundreds of events a second) during a backup operation. This policy can also be set with Group Policy by modifying the security option Audit: Audit the use of Backup and Restore privilege.

Note

Some of the information provided here was taken from the Microsoft Audit Option Type documentation and the Microsoft SCM tool.

Enforcing Traditional Auditing or Advanced Auditing

In Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista, administrators can choose to enable the nine traditional categories or to use the subcategories. It is a binary choice that must be made on each Windows system. Either the main categories can be enabled or the subcategories; it cannot be both.

To prevent the legacy traditional category policy from overwriting audit policy subcategories, you must enable the Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings policy setting, located under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.

We recommend that the subcategories be enabled and configured instead of the nine main categories. This requires that a Group Policy setting be enabled (to allow subcategories to override the auditing categories) along with configuring the different subcategories that support the audit policy.

Auditing subcategories can be configured by using several methods, including Group Policy and the command-line program auditpol.exe.
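The following PowerShell script is an added example, not code from this page or from Microsoft. It reports the state this section and the auditpol option descriptions above care about: whether subcategory settings are enforced over the legacy categories, the current value of each auditpol /option: setting, and the Security log's size and retention mode (the reason CrashOnAuditFail needs watching). Two assumptions are made that the page does not state: the security option "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is backed by the registry value SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and the four option names (CrashOnAuditFail, AuditBaseObjects, AuditBaseDirectories, FullPrivilegeAuditing) are auditpol's documented /option: values, which the page leaves out. Run it in an elevated session on an English-language system.

```powershell
# Added example (not from the page or from Microsoft): report the local
# audit configuration state. Run from an elevated PowerShell session.
# Assumptions: SCENoApplyLegacyAuditPolicy backs the "Force audit policy
# subcategory settings ... to override audit policy category settings"
# security option; the option names below are auditpol's documented
# /option: values, which are not spelled out on the page.

function Get-AuditOptionState {
    # Runs "auditpol /get /option:<name>" and extracts Enabled/Disabled from
    # its text output; returns 'Unknown' if the output cannot be parsed
    # (for example on a localized system).
    param([Parameter(Mandatory)][string]$OptionName)
    $Output  = auditpol /get /option:$OptionName 2>&1 | Out-String
    $Pattern = '(?m)^\s*' + [regex]::Escape($OptionName) + '\s+(Enabled|Disabled)\s*$'
    if ($Output -match $Pattern) { return $Matches[1] }
    return 'Unknown'
}

# 1. Is the system in subcategory (Advanced Audit Policy) mode?
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Override = (Get-ItemProperty -Path $LsaKey -Name SCENoApplyLegacyAuditPolicy `
                -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
$Mode = if ($Override -eq 1) {
    'subcategory settings override the nine legacy categories'
} else {
    'legacy category settings may overwrite subcategory settings'
}
"Audit policy mode: $Mode (SCENoApplyLegacyAuditPolicy = $Override)"

# 2. The auditpol /option: settings described above, with the matching
#    Group Policy security option for reference.
$Options = [ordered]@{
    CrashOnAuditFail      = 'Audit: Shut down system immediately if unable to log security audits'
    AuditBaseObjects      = 'Audit the access of global system objects'
    AuditBaseDirectories  = 'Named kernel container objects get a SACL when created'
    FullPrivilegeAuditing = 'Audit: Audit the use of Backup and Restore privilege'
}
foreach ($Name in $Options.Keys) {
    '{0,-22} {1,-9} {2}' -f $Name, (Get-AuditOptionState -OptionName $Name), $Options[$Name]
}

# 3. CrashOnAuditFail halts the system when the Security log cannot be
#    written, so show how full the log is and how it is retained.
$SecLog = Get-WinEvent -ListLog Security
'Security log: {0:N0} of {1:N0} bytes used, retention mode {2}' -f `
    $SecLog.FileSize, $SecLog.MaximumSizeInBytes, $SecLog.LogMode
```

If the mode line reports that legacy categories may overwrite subcategories, the subcategory settings applied with auditpol.exe or via Advanced Audit Policy can be silently replaced by a category-level policy at the next refresh; enable the override security option in the same GPO that carries the subcategory settings so the two always arrive together.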

For more information about Windows auditing, see the following articles: