Advanced security audit policy settings

Applies to

  • Windows 10

This reference for IT professionals describes the advanced audit policy settings that are available in Windows and the audit events that they generate.

The security audit policy settings under Security Settings\Advanced Audit Policy Configuration help your organization audit compliance with important business-related and security-related rules by tracking precisely defined activities, such as:

  • A group administrator has modified settings or data on servers that contain finance information.
  • An employee within a defined group has accessed an important file.
  • The correct system access control list (SACL) is applied to every file, folder, or registry key on a computer or file share, as a verifiable safeguard against undetected access.

You can access these audit policy settings through the Local Security Policy snap-in (secpol.msc) on the local computer or by using Group Policy.

These advanced audit policy settings let you select only the behaviors that you want to monitor. You can exclude audit results for behaviors that are of little or no concern to you, or for behaviors that create an excessive number of log entries. In addition, because security audit policies can be applied by using domain Group Policy Objects, audit policy settings can be modified, tested, and deployed to selected users and groups with relative simplicity. Audit policy settings under Security Settings\Advanced Audit Policy Configuration are available in the following categories:
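The following is an added example, not part of the original page, showing how the same subcategory settings that secpol.msc exposes under Security Settings\Advanced Audit Policy Configuration can be inspected and tuned from an elevated PowerShell session with the built-in auditpol.exe tool. The subcategories chosen (Logon, Credential Validation, Filtering Platform Connection) are assumptions made for illustration; the backup file path is likewise an assumption.

```powershell
# Added example (not from the original page): view the effective advanced audit
# policy and enable only the subcategories you want. Run elevated.
# Subcategory names are localized; on non-English systems use the GUID form,
# which "auditpol /list /subcategory:* /v" prints next to each name.

# 1. Save the effective policy first so the change can be undone with /restore.
auditpol.exe /backup /file:"$env:TEMP\auditpol-before.csv"

# 2. Show the effective Success/Failure setting of every subcategory, by category.
auditpol.exe /get /category:*

# 3. Enable only the behaviours you care about, e.g. logon attempts on this host
#    and credential validation (meaningful on a domain controller).
auditpol.exe /set /subcategory:"Logon" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Credential Validation" /success:enable /failure:enable

# 4. Silence a subcategory that floods the Security log with little value:
#    Filtering Platform Connection writes an event for every permitted connection.
auditpol.exe /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

# 5. Confirm the subcategories you touched.
auditpol.exe /get /subcategory:"Logon"
auditpol.exe /get /subcategory:"Credential Validation"
auditpol.exe /get /subcategory:"Filtering Platform Connection"

# Caveats:
# - On a domain-joined machine a GPO that sets the same subcategories overwrites
#   these local values at the next policy refresh; make the change in the GPO.
# - If basic (category-level) audit policy is also configured, enable the security
#   option "Audit: Force audit policy subcategory settings (Windows Vista or later)
#   to override audit policy category settings" so the advanced settings win.
```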

Account Logon

Configuring policy settings in this category helps you document attempts to authenticate account data on a domain controller or against a local Security Accounts Manager (SAM) database. Unlike Logon and Logoff policy settings and events, which track attempts to access a particular computer, settings and events in this category focus on the account database that is used. This category includes the following subcategories:

Account Management

The security audit policy settings in this category can be used to monitor changes to user accounts, computer accounts, and groups. This category includes the following subcategories:

Detailed Tracking

Detailed Tracking security policy settings and audit events can be used to monitor the activities of individual applications and users on a computer, and to understand how the computer is being used. This category includes the following subcategories:

DS Access

DS Access security audit policy settings provide a detailed audit trail of attempts to access and modify objects in Active Directory Domain Services (AD DS). These audit events are logged only on domain controllers. This category includes the following subcategories:

Logon/Logoff

Logon/Logoff security policy settings and audit events let you track attempts to log on to a computer interactively or over the network. These events are particularly useful for tracking user activity and identifying potential attacks on network resources. This category includes the following subcategories:

Object Access

Object Access policy settings and audit events let you track attempts to access specific objects or types of objects on a network or computer. To audit attempts to access a file, directory, registry key, or any other object, you must enable the appropriate Object Access auditing subcategory for success and/or failure events. For example, the File System subcategory must be enabled to audit file operations, and the Registry subcategory must be enabled to audit registry access. Enabling the subcategory alone is not enough: the object itself must also carry a SACL entry that names the principal and the access types to audit, because the subcategory only decides whether SACL matches are written to the Security log.
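As an added example that is not part of the original page, the following elevated PowerShell session puts both halves in place for a folder: it enables the File System subcategory, adds a SACL entry to the folder, performs an audited write, and then reads back the resulting 4663 events. The folder C:\Finance, the principal Everyone, and the file name are constructed for illustration; substitute your own.

```powershell
# Added example (not from the original page): audit writes to a folder.
# Both the File System subcategory AND a SACL on the object are required,
# otherwise no 4663 ("An attempt was made to access an object") events appear.
# Assumptions: elevated session; C:\Finance and the principal are constructed.

$Folder    = 'C:\Finance'
$Principal = 'Everyone'    # use a specific group in a real deployment

New-Item -ItemType Directory -Path $Folder -Force | Out-Null

# 1. Enable the Object Access subcategory for successful and failed attempts.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry: audit Success and Failure of Write/Delete on the folder
#    and everything beneath it (ContainerInherit + ObjectInherit).
$acl  = Get-Acl -Path $Folder -Audit     # -Audit fetches the SACL, not just the DACL
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Perform an operation the SACL covers.
Set-Content -Path (Join-Path $Folder 'ledger.txt') -Value 'test'

# 4. Pull the 4663 events for this folder and show who accessed what, with the
#    requested access mask and the process that did it.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) } |
    Where-Object { $_.Message -like "*$Folder*" } |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($e in $x.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object     = $d.ObjectName
            AccessMask = $d.AccessMask
            Process    = $d.ProcessName
        }
    } | Format-Table -AutoSize
```

Reading and writing a SACL requires the SeSecurityPrivilege ("Manage auditing and security log") user right, which is why the session must be elevated; without it Get-Acl -Audit and Set-Acl fail even for an administrator whose token is filtered.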

Proving to an external auditor that these audit policies are in effect is harder. There is no easy way to verify that the proper SACLs are set on every object that should have inherited them, because inheritance can be blocked or an entry removed on any individual file or key. To address this issue, see Global Object Access Auditing.
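Where per-object SACLs are used, the verification can at least be automated. The following added example (not from the original page) walks a tree and reports every item whose SACL does not contain an entry covering an expected identity, rights, and audit outcomes; the defaults (Everyone, Write, Success and Failure) and the root C:\Finance are constructed assumptions and match nothing the page itself defines.

```powershell
# Added example (not from the original page): find files and folders under a
# root that lack the expected audit entry, which is the check an auditor would
# otherwise do by hand. Assumes an elevated session (reading a SACL needs
# SeSecurityPrivilege). Identity, rights, and flags are constructed defaults.

function Test-ExpectedSacl {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $Identity = 'Everyone',
        [System.Security.AccessControl.FileSystemRights] $Rights = 'Write',
        [System.Security.AccessControl.AuditFlags] $Flags = 'Success, Failure'
    )
    $items = @(Get-Item -LiteralPath $Root) + @(Get-ChildItem -LiteralPath $Root -Recurse -Force)
    foreach ($item in $items) {
        try {
            $acl   = Get-Acl -LiteralPath $item.FullName -Audit
            # Explicit and inherited entries, identities resolved to DOMAIN\name form.
            $rules = $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
            # An entry satisfies the expectation if it names the identity, covers at
            # least the required rights, and audits at least the required outcomes.
            $ok = $false
            foreach ($r in $rules) {
                if ($r.IdentityReference.Value -ieq $Identity -and
                    (($r.FileSystemRights -band $Rights) -eq $Rights) -and
                    (($r.AuditFlags -band $Flags) -eq $Flags)) { $ok = $true; break }
            }
            [pscustomobject]@{
                Path             = $item.FullName
                HasExpectedAudit = $ok
                # Inheritance blocked on this object is the usual reason for a gap.
                InheritanceBlocked = $acl.AreAuditRulesProtected
                Error            = $null
            }
        } catch {
            [pscustomobject]@{ Path = $item.FullName; HasExpectedAudit = $false; InheritanceBlocked = $null; Error = $_.Exception.Message }
        }
    }
}

# Usage: list only the gaps, which is what you would hand to an auditor.
Test-ExpectedSacl -Root 'C:\Finance' |
    Where-Object { -not $_.HasExpectedAudit } |
    Format-Table -AutoSize
```

The check is deliberately a superset test (the entry may grant more rights or audit more outcomes than required); an exact-match comparison would flag harmless, broader entries as gaps.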

This category includes the following subcategories:

Policy Change

Policy Change audit events let you track changes to important security policies on a local system or network. Because policies are typically established by administrators to help secure network resources, monitoring changes, or attempts to change, these policies can be an important aspect of security management for a network. This category includes the following subcategories:

Privilege Use

Privileges (user rights) are granted to users or computers so that they can complete defined tasks. Privilege Use security policy settings and audit events let you track the use of specific privileges on one or more systems. Note that these events cover user rights held in the access token, not the object permissions granted by DACLs, which are covered under Object Access. This category includes the following subcategories:

System

System security policy settings and audit events let you track system-level changes to a computer that are not included in other categories and that have potential security implications. This category includes the following subcategories:

Global Object Access Auditing

Global Object Access Auditing policy settings let administrators define a system access control list (SACL) per object type, for the file system or for the registry. The specified SACL is then automatically applied to every object of that type. Auditors can prove that every resource in the system is covered by an audit policy by viewing the contents of the Global Object Access Auditing policy settings, rather than by inspecting each object. For example, if auditors see a policy setting called "Track all changes made by group administrators," they know that this policy is in effect.

Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user, and enabling the policy to track "Access denied" events for the file system or registry, helps administrators quickly identify which object in a system is denying a user access.

Note

If both a file or folder SACL and a Global Object Access Auditing policy setting (or both a registry key SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is the combination of the object's own SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches either the object's SACL or the Global Object Access Auditing policy.
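The diagnostic scenario described above, as an added example that is not part of the original page: a global file-system SACL is set for one account from an elevated PowerShell session with auditpol.exe, the failed handle requests it produces are read back, and the global SACL is removed afterwards. The account CONTOSO\jdoe is a constructed placeholder.

```powershell
# Added example (not from the original page): locate "access denied" objects for
# one user with a global (resource) SACL instead of per-object SACLs.
# Assumptions: elevated session; CONTOSO\jdoe is a placeholder account.
# The File System subcategory must be enabled for failures, or nothing is logged.

$User = 'CONTOSO\jdoe'

auditpol.exe /set /subcategory:"File System" /failure:enable

# 1. Global SACL: audit every FAILED generic-read or generic-write attempt by
#    $User on any file-system object. (Use /type:Key for the registry.)
auditpol.exe /resourceSACL /set /type:File /user:$User /failure /access:FRFW

# 2. Show the global SACLs in force. This single view is what an auditor can
#    read to confirm coverage without walking every object on the disk.
auditpol.exe /resourceSACL /view /type:File

# 3. Failure event 4656 ("A handle to an object was requested") names the object
#    and the access that was refused; filter to the user under investigation.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = (Get-Date).AddHours(-1) } |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' -and $_.Message -like "*$($User.Split('\')[-1])*" } |
    Select-Object TimeCreated, Message |
    Format-List

# 4. Remove the global SACL when done: it applies to every object of that type
#    and can generate a large volume of events if left in place.
auditpol.exe /resourceSACL /remove /type:File /user:$User
```

Because the effective SACL is the union of the object's own SACL and the global policy, an object that already audits this user's failures keeps doing so after the global entry is removed; only the global coverage goes away.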

This category includes the following subcategories: