Hier findet ihr ein paar Tabellen aus denen hervorgeht, wie die Audit Policys sinnvoll konfiguriert werden könnten. Die Aufstellung basiert auf die von Microsoft zur Verfügung gestellte Tabelle mit allen Windows Security Audit Events.
Auf dem ersten Blick sieht das vielleicht nicht gerade nach einer Empfehlung aus, weil so gut wie alles geloggt wird. Aber gerade die Failure sind heutzutage für eine Auswertung und Reverse-Recherche sehr interessant. Nur wenn wir wissen was auf unseren Systemen passiert, sind wir auch nachweislich in der Lage, im Falles eines Breaches den Vorfall oder auch nur den Versuch zu erklären bzw. aufzudecken.
Windows Sicherheitsaudit Empfehlungen Domain Controller Advanced Audit Configuration
| Description | Settings |
| Audit Credential Validation | Success, Failure |
| Audit Other Account Logon Events | Success, Failure |
| Audit Kerberos Authentication Service | Success, Failure |
| Audit Kerberos Service Ticket Operations | Success, Failure |
| Audit Computer Account Management | Success, Failure |
| Audit Distribution Group Management | Success, Failure |
| Audit Other Account Management Events | Success, Failure |
| Audit Security Group Management | Success, Failure |
| Audit User Account Management | Success, Failure |
| Audit DPAPI Activity | Success, Failure |
| Audit PNP Activity | Success, Failure |
| Audit Process Creation | Success, Failure |
| Audit Process Termination | Success, Failure |
| Audit Detailed Directory Service Replication | Success, Failure |
| Audit Directory Service Access | Success, Failure |
| Audit Directory Service Changes | Success, Failure |
| Audit Directory Service Replication | Success, Failure |
| Audit Account Lockout | Success, Failure |
| Audit User/Device Claims | Success, Failure |
| Audit Group Membership | Success, Failure |
| Audit Logoff | Success, Failure |
| Audit Logon | Success, Failure |
| Audit Other Logon/Logoff Events | Success, Failure |
| Audit Special Logon | Success, Failure |
| Audit Detailed File Share | Failure |
| Audit File Share | Success, Failure |
| Audit File System | Success, Failure |
| Audit Filtering Platform Connection | Failure |
| Audit Other Object Access Events | Success, Failure |
| Audit Registry | Success, Failure |
| Audit Removable Storage | Success, Failure |
| Audit Audit Policy Change | Success, Failure |
| Audit Authentication Policy Change | Success, Failure |
| Audit MPSSVC Rule-Level Policy Change | Success, Failure |
| Audit Other Policy Change Events | Success, Failure |
| Audit Non Sensitive Privilege Use | Failure |
| Audit Sensitive Privilege Use | Success, Failure |
| Audit Other System Events | Success, Failure |
| Audit Security State Change | Success, Failure |
| Audit Security System Extension | Success, Failure |
| Audit System Integrity | Success, Failure |
Windows Sicherheitsaudit Empfehlungen Member Server
| Description | Settings |
| Audit Credential Validation | Success, Failure |
| Audit Other Account Logon Events | Success, Failure |
| Audit Security Group Management | Success, Failure |
| Audit User Account Management | Success, Failure |
| Audit DPAPI Activity | Success, Failure |
| Audit PNP Activity | Success, Failure |
| Audit Process Creation | Success, Failure |
| Audit Process Termination | Success, Failure |
| Audit Account Lockout | Success, Failure |
| Audit User/Device Claims | Success, Failure |
| Audit Group Membership | Success, Failure |
| Audit Logoff | Success, Failure |
| Audit Logon | Success, Failure |
| Audit Other Logon/Logoff Events | Success, Failure |
| Audit Special Logon | Success, Failure |
| Audit Detailed File Share | Success, Failure |
| Audit File Share | Success, Failure |
| Audit File System | Success, Failure |
| Audit Filtering Platform Connection | Failure |
| Audit Other Object Access Events | Success, Failure |
| Audit Registry | Success, Failure |
| Audit Removable Storage | Success, Failure |
| Audit Audit Policy Change | Success, Failure |
| Audit Authentication Policy Change | Success, Failure |
| Audit MPSSVC Rule-Level Policy Change | Success, Failure |
| Audit Other Policy Change Events | Success, Failure |
| Audit Non Sensitive Privilege Use | Failure |
| Audit Sensitive Privilege Use | Success, Failure |
| Audit Other System Events | Success, Failure |
| Audit Security State Change | Success, Failure |
| Audit Security System Extension | Success, Failure |
| Audit System Integrity | Success, Failure |
Windows Sicherheitsaudit Empfehlungen Standalone Server
| Description | Settings |
| Audit Credential Validation | Success, Failure |
| Audit Other Account Logon Events | Success, Failure |
| Audit Security Group Management | Success, Failure |
| Audit User Account Management | Success, Failure |
| Audit DPAPI Activity | Success, Failure |
| Audit PNP Activity | Success, Failure |
| Audit Process Creation | Success, Failure |
| Audit Process Termination | Success, Failure |
| Audit Account Lockout | Success, Failure |
| Audit User/Device Claims | Success, Failure |
| Audit Group Membership | Success, Failure |
| Audit Logoff | Success, Failure |
| Audit Logon | Success, Failure |
| Audit Other Logon/Logoff Events | Success, Failure |
| Audit Special Logon | Success, Failure |
| Audit Detailed File Share | Success, Failure |
| Audit File Share | Success, Failure |
| Audit File System | Success, Failure |
| Audit Filtering Platform Connection | Failure |
| Audit Other Object Access Events | Success, Failure |
| Audit Registry | Success, Failure |
| Audit Removable Storage | Success, Failure |
| Audit Audit Policy Change | Success, Failure |
| Audit Authentication Policy Change | Success, Failure |
| Audit MPSSVC Rule-Level Policy Change | Success, Failure |
| Audit Other Policy Change Events | Success, Failure |
| Audit Non Sensitive Privilege Use | Failure |
| Audit Sensitive Privilege Use | Success, Failure |
| Audit Other System Events | Success, Failure |
| Audit Security State Change | Success, Failure |
| Audit Security System Extension | Success, Failure |
| Audit System Integrity | Success, Failure |
Windows Sicherheitsaudit Empfehlungen Clients
| Description | Settings |
| Audit Credential Validation | Success, Failure |
| Audit Other Account Logon Events | Success, Failure |
| Audit Security Group Management | Success, Failure |
| Audit User Account Management | Success, Failure |
| Audit DPAPI Activity | Success, Failure |
| Audit PNP Activity | Success, Failure |
| Audit Process Creation | Success, Failure |
| Audit Process Termination | Success, Failure |
| Audit Account Lockout | Success, Failure |
| Audit User/Device Claims | Success, Failure |
| Audit Group Membership | Success, Failure |
| Audit Logoff | Success, Failure |
| Audit Logon | Success, Failure |
| Audit Other Logon/Logoff Events | Success, Failure |
| Audit Special Logon | Success, Failure |
| Audit Detailed File Share | Success, Failure |
| Audit File Share | Success, Failure |
| Audit File System | Success, Failure |
| Audit Filtering Platform Connection | Failure |
| Audit Other Object Access Events | Success, Failure |
| Audit Registry | Success, Failure |
| Audit Removable Storage | Success, Failure |
| Audit Audit Policy Change | Success, Failure |
| Audit Authentication Policy Change | Success, Failure |
| Audit MPSSVC Rule-Level Policy Change | Success, Failure |
| Audit Other Policy Change Events | Success, Failure |
| Audit Non Sensitive Privilege Use | Failure |
| Audit Sensitive Privilege Use | Success, Failure |
| Audit Other System Events | Success, Failure |
| Audit Security State Change | Success, Failure |
| Audit Security System Extension | Success, Failure |
| Audit System Integrity | Success, Failure |
Windows Sicherheitsaudit Empfehlungen Domain Controller, Member Server, Clients Security Options
| Description | Settings | |
| Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options | | |
| Network security: Restrict NTLM: Audit Incoming NTLM Traffic | Enable auditing for all accounts | |
| Network security: Restrict NTLM: Audit NTLM authentication in this domain | Enable All | |
| Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers | Audit all | |
| Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell | | |
Turn on Module Logging
Module Names: * | Enabled | |
| Turn on Powershell Script Block Logging | Enabled | |
| Log script block invocation start / stop events | Disabled | |
| Computer Configuration -> Administrative Templates -> System -> Audit Process Creation | | |
| Include command line in process creation events | Enabled | |
