Deploy Security Auditing with Central Audit Policies (Demonstration Steps)

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

In this scenario, you audit access to files in the Finance Documents folder by using the Finance Policy that you created in Deploy a Central Access Policy (Demonstration Steps). If a user who is not authorized to access the folder attempts to access it, the activity is captured in the event viewer.

The following steps are required to test this scenario.

| Task | Description |
|------|-------------|
| Configure Global Object Access | In this step, you configure the global object access policy on the domain controller. |
| Update Group Policy Settings | Sign in to the file server and apply the Group Policy update. |
| Verify that the global object access policy has been applied | View the relevant events in the event viewer. The events should include metadata for the country and document type. |

Configure global object access policy

In this step, you configure the global object access policy on the domain controller.

To configure a global object access policy

  1. Sign in to the domain controller DC1 as contoso\administrator with the password pass@word1.

  2. In Server Manager, point to Tools, and then click Group Policy Management.

  3. In the console tree, double-click Domains, double-click contoso.com, click Contoso, and then double-click File Servers.

  4. Right-click FlexibleAccessGPO, and click Edit.

  5. Double-click Computer Configuration, double-click Policies, and then double-click Windows Settings.

  6. Double-click Security Settings, double-click Advanced Audit Policy Configuration, and then double-click Audit Policies.

  7. Double-click Object Access, and then double-click Audit File System.

  8. Select the Configure the following events check box, select the Success and Failure check boxes, and then click OK.

  9. In the navigation pane, double-click Global Object Access Auditing, and then double-click File system.

  10. Select the Define this policy setting check box, and click Configure.

  11. In the Advanced Security Settings for Global File SACL box, click Add, then click Select a principal, type Everyone, and then click OK.

  12. In the Auditing Entry for Global File SACL box, select Full control in the Permissions box.

  13. In the Add a condition: section, click Add a condition, and in the drop-down lists select
    [Resource] [Department] [Any of] [Value] [Finance].

  14. Click OK three times to complete the configuration of the global object access audit policy setting.

  15. In the navigation pane, click Object Access, and in the results pane, double-click Audit Handle Manipulation. Click Configure the following audit events, Success, and Failure, click OK, and then close the flexible access GPO.

Update Group Policy settings

In this step, you update the Group Policy settings after you have created the audit policy.

To update Group Policy settings

  1. Sign in to the file server, FILE1, as contoso\Administrator with the password pass@word1.

  2. Press the Windows key+R, then type cmd to open a Command Prompt window.

    Note

    If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  3. Type gpupdate /force and then press ENTER.
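As an added check that is not part of the original walkthrough, the following PowerShell, run in an elevated session on FILE1 after gpupdate, confirms that the FlexibleAccessGPO audit settings actually arrived before you generate test activity. It relies on auditpol's CSV report output (/r) and its resourceSACL view; the function name is an assumption of this example.

```powershell
# Added example (not from the original walkthrough): run elevated on FILE1
# after "gpupdate /force" to confirm the FlexibleAccessGPO settings arrived.

# Display the Global Object Access Auditing SACL for files: the Everyone /
# Full control entry conditioned on Resource Department = Finance should be listed.
auditpol /resourceSACL /type:File /view

# Check the two subcategories the GPO sets to Success and Failure
# (Object Access > Audit File System and Audit Handle Manipulation).
function Test-FlexibleAccessAuditPolicy {
    $expected = 'Success and Failure'
    $ok = $true
    foreach ($sub in 'File System', 'Handle Manipulation') {
        # /r prints CSV with a header row: Machine Name,Policy Target,
        # Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
        $row = auditpol /get /subcategory:$sub /r |
               Where-Object { $_ -match ',' } | ConvertFrom-Csv
        $actual = $row.'Inclusion Setting'
        if ($actual -ne $expected) {
            Write-Warning "'$sub' is '$actual', expected '$expected'; re-check the GPO with gpresult /r"
            $ok = $false
        }
    }
    return $ok
}

Test-FlexibleAccessAuditPolicy   # $true when both subcategories audit Success and Failure
```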

Verify that the global object access policy has been applied

After the Group Policy settings have been applied, you can verify that the audit policy settings were applied correctly.

To verify that the global object access policy has been applied

  1. Sign in to the client computer, CLIENT1, as Contoso\MReid. Browse to the folder \\FILE1\Finance Documents, and modify Word Document 2.

  2. Sign in to the file server, FILE1, as contoso\administrator. Open Event Viewer, browse to Windows Logs, select Security, and confirm that your activities resulted in audit events 4656 and 4663 (even though you did not set explicit auditing SACLs on the files or folders that you created, modified, and deleted).

Important

A new logon event is generated on the computer where the resource is located, on behalf of the user for whom effective access is being checked. When analyzing security audit logs for user sign-in activity, the Impersonation Level information is included so that you can differentiate between logon events generated because of effective access and those generated because of an interactive or network user sign-in. When the logon event is generated because of effective access, the Impersonation Level is Identity. A network or interactive user sign-in typically generates a logon event with Impersonation Level = Impersonation or Delegation.
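The Event Viewer check in step 2 and the Impersonation Level distinction above can be scripted; the following PowerShell is an added example, not part of the original walkthrough, to run elevated on FILE1 after MReid has modified the document. It assumes the Finance Documents share maps to the local path in $FinancePath, and the function names are this example's own.

```powershell
# Added example (not from the original walkthrough): run elevated on FILE1.
# Assumption: the share \\FILE1\Finance Documents is backed by this local path.
$FinancePath = 'C:\Finance Documents'

# Flatten an event's <EventData> into a hashtable keyed by the Data Name attribute.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    ([xml]$Event.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    return $data
}

# 4656 = handle to an object requested, 4663 = access attempted. Both are
# produced by the global file SACL even though no per-file SACL was set.
function Get-FinanceAccessEvents {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4656,4663; StartTime=$Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            if ($d['ObjectName'] -like "$FinancePath*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Id      = $_.Id
                    Outcome = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
                    User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Object  = $d['ObjectName']
                    Access  = ($d['AccessList'] -replace '\s+', ' ')
                    Process = $d['ProcessName']
                }
            }
        }
}

# 4624 logons created only to evaluate effective access carry the Identification
# (Identity) level; real interactive/network sign-ins show Impersonation or Delegation.
# Mapping of the resource-string ids used in the 4624 ImpersonationLevel field.
$ImpersonationNames = @{ '%%1831'='Anonymous'; '%%1832'='Identification'; '%%1833'='Impersonation'; '%%1840'='Delegation' }
function Get-LogonImpersonationLevels {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventData $_
            $lvl = $d['ImpersonationLevel']
            [pscustomobject]@{
                Time  = $_.TimeCreated
                User  = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Type  = $d['LogonType']
                Level = if ($ImpersonationNames.ContainsKey($lvl)) { $ImpersonationNames[$lvl] } else { $lvl }
            }
        }
}

Get-FinanceAccessEvents | Format-Table -AutoSize
Get-LogonImpersonationLevels | Where-Object User -like '*MReid' | Format-Table -AutoSize
```

Unauthorized attempts show up as Outcome = Failure rows for the Finance Documents path, while effective-access checks appear in the second table as Level = Identification rather than Impersonation or Delegation.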

See also