Plan for File Access Auditing

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

This topic explains the security auditing enhancements introduced in Windows Server 2012 and the new audit settings you should consider as you deploy Dynamic Access Control in your enterprise. The audit policy settings you actually deploy will depend on your goals, which can include regulatory compliance, monitoring, forensic analysis, and troubleshooting.

Note

Detailed information about how to plan and deploy an overall security auditing strategy for your enterprise is in Planning and Deploying Advanced Security Audit Policies. For more information about configuring and deploying a security audit policy, see the Advanced Security Audit Policy Step-by-Step Guide.

The following security auditing capabilities in Windows Server 2012 can be used with Dynamic Access Control to extend your overall security auditing strategy.

  • Expression-based audit policies. Dynamic Access Control enables you to create targeted audit policies by using expressions based on user, computer, and resource claims. For example, you could create an audit policy that tracks all Read and Write operations on files classified as high business impact by employees who do not have a high security clearance. Expression-based audit policies can be authored directly on a file or folder, or centrally through Group Policy. For more information, see Group Policy using Global Object Access Auditing.

  • Additional information from object access auditing. File access auditing is not new in Windows Server 2012. With the right audit policy in place, Windows and Windows Server generate an audit event each time a user accesses a file. In Windows Server 2012, the existing file access events (4656, 4663) also contain the resource attributes of the file that was accessed, so event log filtering tools can use this information to help you identify the most relevant audit events. For more information, see Audit Handle Manipulation and Audit Security Accounts Manager.

  • More information from user logon events. With the right audit policy in place, Windows generates an audit event every time a user signs in to a computer locally or remotely. In Windows Server 2012 and Windows 8, you can also monitor the user and device claims associated with a user's security token; examples include Department, Company, Project, and Security clearance. Event 4626 contains these user claims and device claims, so audit log management tools can correlate user logon events with object access events and filter on both file attributes and user attributes. For more information about user logon auditing, see Audit Logon.

  • Change tracking for new types of securable objects. Tracking changes to securable objects can be important in the following scenarios:

    • Change tracking for central access policies and central access rules. Central access policies and central access rules define the central policy used to control access to critical resources. Any change to them can directly affect the file access permissions granted to users on multiple computers, so tracking those changes can be important for your organization. Because central access policies and central access rules are stored in Active Directory Domain Services (AD DS), you can audit attempts to modify them in the same way you audit changes to any other securable object in AD DS. For more information, see Audit Directory Service Access.

    • Change tracking for definitions in the claim dictionary. A claim definition includes the claim name, description, and possible values. Any change to a claim definition can affect access permissions on critical resources, so tracking changes to claim definitions can be important to your organization. Like central access policies and central access rules, claim definitions are stored in AD DS and can therefore be audited like any other securable object in AD DS. For more information, see Audit Directory Service Access.

    • Change tracking for file attributes. File attributes determine which central access rule applies to a file, so a change to a file's attributes can change the access restrictions on it, and it can be important to track such changes. You can track changes to file attributes on any computer by configuring the Authorization Policy Change audit subcategory. For more information, see Authorization Policy Change auditing and Object Access auditing for File Systems. In Windows Server 2012, event 4911 distinguishes changes to a file's resource attributes from other authorization policy change events.

    • Change tracking for the central access policy associated with a file. Event 4913 reports the security identifiers (SIDs) of the old and new central access policies. Each central access policy also has a user-friendly name that can be looked up from its SID. For more information, see Authorization Policy Change auditing.

    • Change tracking for user and computer attributes. Like files, user and computer objects have attributes, and changes to those attributes can affect a user's ability to access files, so it can be valuable to track changes to user or computer attributes. User and computer objects are stored in AD DS, so changes to their attributes can be audited. For more information, see DS Access.

  • 原則變更臨時Policy change staging. 中央存取原則變更可能影響存取控制決策上所有的電腦執行的原則的位置。Changes to central access policies can impact the access control decisions on all computers where the policies are enforced. 鬆散原則無法權限授與其他比,並過於限制原則可能會產生協助工程師過多。A loose policy could grant more access than desired, and an overly restrictive policy could generate an excessive number of Help Desk calls. 如此一來,它可以是非常寶貴之前,請先執行變更驗證變更的中央存取原則。As a result, it can be extremely valuable to verify changes to a central access policy before enforcing the change. Windows Server 2012 目的,介紹 「 臨時。 」 的概念For that purpose, Windows Server 2012 introduces the concept of "staging." 臨時可讓使用者驗證其建議的原則變更之前,請先執行它們。Staging enables users to verify their proposed policy changes before enforcing them. 建議的原則部署以執行的原則,使用臨時原則,但分段的原則不確實授與或拒絕權限。To use policy staging, proposed policies are deployed with the enforced policies, but staged policies do not actually grant or deny permissions. 改為、 Windows Server 2012 登稽核事件 (4818) 的隨時存取檢查使用分段的原則的結果是不同的存取檢查使用執行的原則,結果。Instead, Windows Server 2012 logs an audit event (4818) any time the result of the access check that uses the staged policy is different from the result of an access check that uses the enforced policy.