Scenario: File Access Auditing

Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Security auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance. Industry standards such as Sarbanes-Oxley, the Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry (PCI) standards require enterprises to follow a strict set of rules related to data security and privacy. Security audits help establish the presence of such policies and prove compliance with these standards. Additionally, security audits help detect anomalous behavior, identify and mitigate gaps in security policies, and deter irresponsible behavior by creating a trail of user activity that can be used for forensic analysis.

Audit policy requirements are typically driven at the following levels:

  • Information security. File access audit trails are often used for forensic analysis and intrusion detection. Being able to get targeted events about access to high-value information lets organizations considerably improve their response time and investigation accuracy.

  • Organizational policy. For example, organizations regulated by PCI standards could have a central policy to monitor access to all files that are marked as containing credit card information and personally identifiable information (PII).

  • Departmental policy. For example, the finance department may require that the ability to modify certain finance documents (such as a quarterly earnings report) be restricted to the finance department, and thus the department would want to monitor all other attempts to change these documents.

  • Business policy. For example, business owners may want to monitor all unauthorized attempts to view data that belongs to their projects.

Additionally, the compliance department may want to monitor all changes to central authorization policies and policy constructs such as user, computer, and resource attributes.

One of the biggest considerations of security audits is the cost of collecting, storing, and analyzing audit events. If the audit policies are too broad, the volume of audit events collected rises, and this increases costs. If the audit policies are too narrow, you risk missing important events.

With Windows Server 2012, you can author audit policies by using claims and resource properties. This leads to richer, more targeted, and easier-to-manage audit policies. It enables scenarios that, until now, were impossible or too difficult to perform. The following are examples of audit policies that administrators can author:

  • Audit everyone who does not have a high-security clearance and tries to access an HBI document. For example, Audit | Everyone | All-Access | Resource.BusinessImpact=HBI AND User.SecurityClearance!=High.

  • Audit all vendors when they try to access documents that are related to projects that they are not working on. For example, Audit | Everyone | All-Access | User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project.

These policies help regulate the volume of audit events and limit them to only the most relevant data or users.

After administrators have created and applied the audit policies, the next consideration for them is gleaning meaningful information from the audit events that they collected. Expression-based audit events help reduce the volume of audits. However, users need a way to query these events for meaningful information and ask questions such as, "Who is accessing my HBI data?" or "Was there an unauthorized attempt to access sensitive data?"
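As an added example (not code from this page or from Microsoft), the following Python models how the two expression-based policies listed above select only the relevant access attempts, and how the resulting events, which carry the user claims and resource properties, answer the question "Who is accessing my HBI data?". It is a simplified model of claims and resource-property evaluation, not the Windows implementation; the users, claim values, file paths and access attempts are constructed for illustration.

```python
"""Model of expression-based file-access audit policies (added example, not Windows code)."""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple, Union

ClaimValue = Union[str, FrozenSet[str]]


@dataclass(frozen=True)
class User:
    name: str
    claims: Dict[str, ClaimValue]      # user claims, e.g. SecurityClearance, EmploymentStatus


@dataclass(frozen=True)
class Resource:
    path: str
    properties: Dict[str, ClaimValue]  # resource properties from file classification


@dataclass(frozen=True)
class AuditPolicy:
    name: str
    # The expression part of "Audit | Everyone | All-Access | <expression>"
    condition: Callable[[User, Resource], bool]


@dataclass(frozen=True)
class AuditEvent:
    user: str
    resource: Resource            # event is enriched with the resource's properties
    access: str
    policies: Tuple[str, ...]     # every policy whose expression matched


def as_set(value: ClaimValue) -> FrozenSet[str]:
    """Treat a single-valued claim as a one-element set so AnyOf/Not_AnyOf work uniformly."""
    return value if isinstance(value, frozenset) else frozenset([value])


# Policy 1: Resource.BusinessImpact=HBI AND User.SecurityClearance!=High
def hbi_without_clearance(user: User, res: Resource) -> bool:
    return (res.properties.get("BusinessImpact") == "HBI"
            and user.claims.get("SecurityClearance") != "High")


# Policy 2: User.EmploymentStatus=Vendor AND User.Project Not_AnyOf Resource.Project
def vendor_off_project(user: User, res: Resource) -> bool:
    user_projects = as_set(user.claims.get("Project", frozenset()))
    res_projects = as_set(res.properties.get("Project", frozenset()))
    # Not_AnyOf: none of the user's projects appear among the resource's projects
    return (user.claims.get("EmploymentStatus") == "Vendor"
            and not (user_projects & res_projects))


POLICIES = [
    AuditPolicy("HBI access without High clearance", hbi_without_clearance),
    AuditPolicy("Vendor access outside own project", vendor_off_project),
]


def audit(attempts, policies) -> List[AuditEvent]:
    """Emit one event per access attempt that matches at least one policy expression."""
    events = []
    for user, res, access in attempts:
        matched = tuple(p.name for p in policies if p.condition(user, res))
        if matched:
            events.append(AuditEvent(user.name, res, access, matched))
    return events


def who_accessed_hbi(events: List[AuditEvent]) -> List[str]:
    """Answer "Who is accessing my HBI data?" from the collected events' resource properties."""
    return sorted({e.user for e in events
                   if e.resource.properties.get("BusinessImpact") == "HBI"})


# Constructed sample users, resources and access attempts (hypothetical names and paths)
ALICE = User("alice", {"SecurityClearance": "High", "EmploymentStatus": "FTE", "Project": frozenset({"Apollo"})})
BOB = User("bob", {"SecurityClearance": "Low", "EmploymentStatus": "FTE", "Project": frozenset({"Apollo"})})
CAROL = User("carol", {"SecurityClearance": "Low", "EmploymentStatus": "Vendor", "Project": frozenset({"Zeus"})})
DAVE = User("dave", {"SecurityClearance": "High", "EmploymentStatus": "Vendor", "Project": frozenset({"Apollo"})})

EARNINGS = Resource(r"\\fs1\finance\q3-earnings.docx", {"BusinessImpact": "HBI", "Project": frozenset({"Apollo"})})
README = Resource(r"\\fs1\apollo\readme.txt", {"BusinessImpact": "LBI", "Project": frozenset({"Apollo"})})

ATTEMPTS = [
    (ALICE, EARNINGS, "ReadData"),   # cleared insider on the project: no event
    (BOB, EARNINGS, "ReadData"),     # HBI without High clearance: policy 1
    (CAROL, README, "ReadData"),     # vendor outside her project: policy 2
    (DAVE, EARNINGS, "WriteData"),   # vendor, but cleared and on the project: no event
    (CAROL, EARNINGS, "ReadData"),   # matches both policies
]

EVENTS = audit(ATTEMPTS, POLICIES)

if __name__ == "__main__":
    print(f"{len(ATTEMPTS)} attempts, {len(EVENTS)} audited")
    for e in EVENTS:
        print(e.user, e.access, e.resource.path, e.policies)
    print("HBI accessed by:", who_accessed_hbi(EVENTS))
```

An unconditional "Audit | Everyone | All-Access" policy would record all five attempts; the two expression-based policies record three, and the resource properties carried in each event let the analyst filter for HBI data without re-reading the files' classification.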

Windows Server 2012 enhances existing data access events with user, computer, and resource claims. These events are generated on a per-server basis. To provide a full view of events across the organization, Microsoft is working with partners to provide event collection and analysis tools, such as the Audit Collection Services in System Center Operations Manager.

Figure 4 shows an overview of a central audit policy.

[Figure 4 image: solution guide diagram]

Figure 4 Central auditing experiences

Setting up and consuming security audits typically involves the following general steps:

  1. Identify the correct set of data and users to monitor

  2. Create and apply appropriate audit policies

  3. Collect and analyze audit events

  4. Manage and monitor the policies that were created

In this scenario

The following topics provide additional guidance for this scenario:

Roles and features included in this scenario

The following table lists the roles and features that are part of this scenario and describes how they support it.

| Role/feature | How it supports this scenario |
| --- | --- |
| Active Directory Domain Services role | AD DS in Windows Server 2012 introduces a claims-based authorization platform that enables creating user claims and device claims, compound identity (user plus device claims), a new central access policies (CAP) model, and the use of file classification information in authorization decisions. |
| File and Storage Services role | File servers in Windows Server 2012 provide a user interface where administrators can view the effective permissions for users for a file or folder, troubleshoot access issues, and grant access as required. |