Here you will find a few tables showing how the audit policies can be configured sensibly. The compilation is based on the table provided by Microsoft that lists all Windows security audit events.
At first glance this may not look much like a recommendation, because almost everything gets logged. But it is precisely the failure events that are highly valuable today for analysis and for tracing activity back after the fact. Only if we know what is happening on our systems are we demonstrably able, in the event of a breach, to explain or uncover the incident, or even just the attempt.
Windows Security Audit Recommendations: Domain Controller Advanced Audit Configuration

| Description | Settings |
|---|---|
| Audit Credential Validation | Success, Failure |
| Audit Other Account Logon Events | Success, Failure |
| Audit Kerberos Authentication Service | Success, Failure |
| Audit Kerberos Service Ticket Operations | Success, Failure |
| Audit Computer Account Management | Success, Failure |
| Audit Distribution Group Management | Success, Failure |
| Audit Other Account Management Events | Success, Failure |
| Audit Security Group Management | Success, Failure |
| Audit User Account Management | Success, Failure |
| Audit DPAPI Activity | Success, Failure |
| Audit PNP Activity | Success, Failure |
| Audit Process Creation | Success, Failure |
| Audit Process Termination | Success, Failure |
| Audit Detailed Directory Service Replication | Success, Failure |
| Audit Directory Service Access | Success, Failure |
| Audit Directory Service Changes | Success, Failure |
| Audit Directory Service Replication | Success, Failure |
| Audit Account Lockout | Success, Failure |
| Audit User/Device Claims | Success, Failure |
| Audit Group Membership | Success, Failure |
| Audit Logoff | Success, Failure |
| Audit Logon | Success, Failure |
| Audit Other Logon/Logoff Events | Success, Failure |
| Audit Special Logon | Success, Failure |
| Audit Detailed File Share | Failure |
| Audit File Share | Success, Failure |
| Audit File System | Success, Failure |
| Audit Filtering Platform Connection | Failure |
| Audit Other Object Access Events | Success, Failure |
| Audit Registry | Success, Failure |
| Audit Removable Storage | Success, Failure |
| Audit Audit Policy Change | Success, Failure |
| Audit Authentication Policy Change | Success, Failure |
| Audit MPSSVC Rule-Level Policy Change | Success, Failure |
| Audit Other Policy Change Events | Success, Failure |
| Audit Non Sensitive Privilege Use | Failure |
| Audit Sensitive Privilege Use | Success, Failure |
| Audit Other System Events | Success, Failure |
| Audit Security State Change | Success, Failure |
| Audit Security System Extension | Success, Failure |
| Audit System Integrity | Success, Failure |
Windows Security Audit Recommendations: Member Server

| Description | Settings |
|---|---|
| Audit Credential Validation | Success, Failure |
| Audit Other Account Logon Events | Success, Failure |
| Audit Security Group Management | Success, Failure |
| Audit User Account Management | Success, Failure |
| Audit DPAPI Activity | Success, Failure |
| Audit PNP Activity | Success, Failure |
| Audit Process Creation | Success, Failure |
| Audit Process Termination | Success, Failure |
| Audit Account Lockout | Success, Failure |
| Audit User/Device Claims | Success, Failure |
| Audit Group Membership | Success, Failure |
| Audit Logoff | Success, Failure |
| Audit Logon | Success, Failure |
| Audit Other Logon/Logoff Events | Success, Failure |
| Audit Special Logon | Success, Failure |
| Audit Detailed File Share | Success, Failure |
| Audit File Share | Success, Failure |
| Audit File System | Success, Failure |
| Audit Filtering Platform Connection | Failure |
| Audit Other Object Access Events | Success, Failure |
| Audit Registry | Success, Failure |
| Audit Removable Storage | Success, Failure |
| Audit Audit Policy Change | Success, Failure |
| Audit Authentication Policy Change | Success, Failure |
| Audit MPSSVC Rule-Level Policy Change | Success, Failure |
| Audit Other Policy Change Events | Success, Failure |
| Audit Non Sensitive Privilege Use | Failure |
| Audit Sensitive Privilege Use | Success, Failure |
| Audit Other System Events | Success, Failure |
| Audit Security State Change | Success, Failure |
| Audit Security System Extension | Success, Failure |
| Audit System Integrity | Success, Failure |
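The following PowerShell script is an added example and is not part of the original post. It applies the Member Server table above with auditpol.exe, enables the subcategory override Security Option that Advanced Audit Policy depends on, and then reads the effective policy back to report any subcategory that does not match. It assumes an elevated PowerShell session on an English-language Windows (auditpol subcategory names are localized, so on a German system the names differ), a host whose Advanced Audit Policy is not managed by a GPO (a GPO would overwrite the local settings at the next refresh), and the auditpol display names listed in the script, two of which differ from the GPO names used in the table ("Plug and Play Events" for PNP Activity and "User / Device Claims" for User/Device Claims).

```powershell
# Added example, not from the original post: apply the Member Server table with
# auditpol.exe and verify the result. Assumes an elevated session on an
# English-language Windows and a host whose Advanced Audit Policy is not
# managed by a GPO (GPO settings would overwrite these local ones).
#Requires -RunAsAdministrator

# Subcategory names as auditpol.exe displays them. Two differ from the GPO names
# in the table: "PNP Activity" is "Plug and Play Events" and "User/Device Claims"
# is "User / Device Claims" in auditpol output.
$SuccessAndFailure = @(
    'Credential Validation', 'Other Account Logon Events', 'Security Group Management',
    'User Account Management', 'DPAPI Activity', 'Plug and Play Events',
    'Process Creation', 'Process Termination', 'Account Lockout', 'User / Device Claims',
    'Group Membership', 'Logoff', 'Logon', 'Other Logon/Logoff Events', 'Special Logon',
    'Detailed File Share', 'File Share', 'File System', 'Other Object Access Events',
    'Registry', 'Removable Storage', 'Audit Policy Change', 'Authentication Policy Change',
    'MPSSVC Rule-Level Policy Change', 'Other Policy Change Events', 'Sensitive Privilege Use',
    'Other System Events', 'Security State Change', 'Security System Extension', 'System Integrity'
)
$FailureOnly = @('Filtering Platform Connection', 'Non Sensitive Privilege Use')

# Desired state as objects, using the table's own "Setting" wording.
$Recommended = @(
    $SuccessAndFailure | ForEach-Object { [pscustomobject]@{ Subcategory = $_; Setting = 'Success, Failure' } }
    $FailureOnly       | ForEach-Object { [pscustomobject]@{ Subcategory = $_; Setting = 'Failure' } }
)

function Enable-SubcategoryOverride {
    # Security Option "Audit: Force audit policy subcategory settings (Windows Vista
    # or later) to override audit policy category settings". Without it, legacy
    # category settings can override the advanced policy configured below.
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    Set-ItemProperty -Path $lsa -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord
}

function Set-AuditSubcategory {
    param(
        [Parameter(Mandatory)][string]$Subcategory,
        [Parameter(Mandatory)][ValidateSet('Success, Failure', 'Success', 'Failure')][string]$Setting
    )
    # Translate the table wording into auditpol's /success and /failure switches.
    $success = if ($Setting -like '*Success*') { 'enable' } else { 'disable' }
    $failure = if ($Setting -like '*Failure*') { 'enable' } else { 'disable' }
    $auditArgs = @('/set', "/subcategory:$Subcategory", "/success:$success", "/failure:$failure")
    & auditpol.exe @auditArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set '$Subcategory' (exit $LASTEXITCODE)" }
}

function Test-AuditPolicy {
    # Compare the effective policy (auditpol CSV output via /r) with the desired
    # state. Unknown names are reported as NOT FOUND rather than silently skipped,
    # which is how a localized or misspelled subcategory name shows up.
    param([Parameter(Mandatory)][object[]]$Expected)
    $current = & auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $wording = @{ 'Success, Failure' = 'Success and Failure'; 'Success' = 'Success'; 'Failure' = 'Failure' }
    foreach ($e in $Expected) {
        $row    = $current | Where-Object { $_.Subcategory -eq $e.Subcategory } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'NOT FOUND (check localized name)' }
        [pscustomobject]@{
            Subcategory = $e.Subcategory
            Expected    = $wording[$e.Setting]
            Actual      = $actual
            Compliant   = ($actual -eq $wording[$e.Setting])
        }
    }
}

Enable-SubcategoryOverride
foreach ($r in $Recommended) { Set-AuditSubcategory -Subcategory $r.Subcategory -Setting $r.Setting }
# Show only what still deviates; an empty result means the host matches the table.
Test-AuditPolicy -Expected $Recommended | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
```

For the Domain Controller table, extend `$SuccessAndFailure` with the Kerberos, account management and directory service subcategories listed there and move "Detailed File Share" to `$FailureOnly`, as that table sets it to Failure only. In a domain, the tables belong in a GPO under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration; the `Test-AuditPolicy` function is still useful there as a drift check on the effective policy of individual hosts.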
Windows Security Audit Recommendations: Standalone Server

| Description | Settings |
|---|---|
| Audit Credential Validation | Success, Failure |
| Audit Other Account Logon Events | Success, Failure |
| Audit Security Group Management | Success, Failure |
| Audit User Account Management | Success, Failure |
| Audit DPAPI Activity | Success, Failure |
| Audit PNP Activity | Success, Failure |
| Audit Process Creation | Success, Failure |
| Audit Process Termination | Success, Failure |
| Audit Account Lockout | Success, Failure |
| Audit User/Device Claims | Success, Failure |
| Audit Group Membership | Success, Failure |
| Audit Logoff | Success, Failure |
| Audit Logon | Success, Failure |
| Audit Other Logon/Logoff Events | Success, Failure |
| Audit Special Logon | Success, Failure |
| Audit Detailed File Share | Success, Failure |
| Audit File Share | Success, Failure |
| Audit File System | Success, Failure |
| Audit Filtering Platform Connection | Failure |
| Audit Other Object Access Events | Success, Failure |
| Audit Registry | Success, Failure |
| Audit Removable Storage | Success, Failure |
| Audit Audit Policy Change | Success, Failure |
| Audit Authentication Policy Change | Success, Failure |
| Audit MPSSVC Rule-Level Policy Change | Success, Failure |
| Audit Other Policy Change Events | Success, Failure |
| Audit Non Sensitive Privilege Use | Failure |
| Audit Sensitive Privilege Use | Success, Failure |
| Audit Other System Events | Success, Failure |
| Audit Security State Change | Success, Failure |
| Audit Security System Extension | Success, Failure |
| Audit System Integrity | Success, Failure |
Windows Security Audit Recommendations: Clients

| Description | Settings |
|---|---|
| Audit Credential Validation | Success, Failure |
| Audit Other Account Logon Events | Success, Failure |
| Audit Security Group Management | Success, Failure |
| Audit User Account Management | Success, Failure |
| Audit DPAPI Activity | Success, Failure |
| Audit PNP Activity | Success, Failure |
| Audit Process Creation | Success, Failure |
| Audit Process Termination | Success, Failure |
| Audit Account Lockout | Success, Failure |
| Audit User/Device Claims | Success, Failure |
| Audit Group Membership | Success, Failure |
| Audit Logoff | Success, Failure |
| Audit Logon | Success, Failure |
| Audit Other Logon/Logoff Events | Success, Failure |
| Audit Special Logon | Success, Failure |
| Audit Detailed File Share | Success, Failure |
| Audit File Share | Success, Failure |
| Audit File System | Success, Failure |
| Audit Filtering Platform Connection | Failure |
| Audit Other Object Access Events | Success, Failure |
| Audit Registry | Success, Failure |
| Audit Removable Storage | Success, Failure |
| Audit Audit Policy Change | Success, Failure |
| Audit Authentication Policy Change | Success, Failure |
| Audit MPSSVC Rule-Level Policy Change | Success, Failure |
| Audit Other Policy Change Events | Success, Failure |
| Audit Non Sensitive Privilege Use | Failure |
| Audit Sensitive Privilege Use | Success, Failure |
| Audit Other System Events | Success, Failure |
| Audit Security State Change | Success, Failure |
| Audit Security System Extension | Success, Failure |
| Audit System Integrity | Success, Failure |
Windows Security Audit Recommendations: Domain Controller, Member Server, Clients Security Options

| Description | Settings |
|---|---|
| Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options | |