Hier findet ihr ein paar Tabellen aus denen hervorgeht, wie die Audit Policys sinnvoll konfiguriert werden könnten. Die Aufstellung basiert auf die von Microsoft zur Verfügung gestellte Tabelle mit allen Windows Security Audit Events.

Auf dem ersten Blick sieht das vielleicht nicht gerade nach einer Empfehlung aus, weil so gut wie alles geloggt wird. Aber gerade die Failure sind heutzutage für eine Auswertung und Reverse-Recherche sehr interessant. Nur wenn wir wissen was auf unseren Systemen passiert, sind wir auch nachweislich in der Lage, im Falles eines Breaches den Vorfall oder auch nur den Versuch zu erklären bzw. aufzudecken.

Windows Sicherheitsaudit Empfehlungen Domain Controller Advanced Audit Configuration

Description	Settings
Audit Credential Validation	Success, Failure
Audit Other Account Logon Events	Success, Failure
Audit Kerberos Authentication Service	Success, Failure
Audit Kerberos Service Ticket Operations	Success, Failure
Audit Computer Account Management	Success, Failure
Audit Distribution Group Management	Success, Failure
Audit Other Account Management Events	Success, Failure
Audit Security Group Management	Success, Failure
Audit User Account Management	Success, Failure
Audit DPAPI Activity	Success, Failure
Audit PNP Activity	Success, Failure
Audit Process Creation	Success, Failure
Audit Process Termination	Success, Failure
Audit Detailed Directory Service Replication	Success, Failure
Audit Directory Service Access	Success, Failure
Audit Directory Service Changes	Success, Failure
Audit Directory Service Replication	Success, Failure
Audit Account Lockout	Success, Failure
Audit User/Device Claims	Success, Failure
Audit Group Membership	Success, Failure
Audit Logoff	Success, Failure
Audit Logon	Success, Failure
Audit Other Logon/Logoff Events	Success, Failure
Audit Special Logon	Success, Failure
Audit Detailed File Share	Failure
Audit File Share	Success, Failure
Audit File System	Success, Failure
Audit Filtering Platform Connection	Failure
Audit Other Object Access Events	Success, Failure
Audit Registry	Success, Failure
Audit Removable Storage	Success, Failure
Audit Audit Policy Change	Success, Failure
Audit Authentication Policy Change	Success, Failure
Audit MPSSVC Rule-Level Policy Change	Success, Failure
Audit Other Policy Change Events	Success, Failure
Audit Non Sensitive Privilege Use	Failure
Audit Sensitive Privilege Use	Success, Failure
Audit Other System Events	Success, Failure
Audit Security State Change	Success, Failure
Audit Security System Extension	Success, Failure
Audit System Integrity	Success, Failure

Windows Sicherheitsaudit Empfehlungen Member Server

Description	Settings
Audit Credential Validation	Success, Failure
Audit Other Account Logon Events	Success, Failure
Audit Security Group Management	Success, Failure
Audit User Account Management	Success, Failure
Audit DPAPI Activity	Success, Failure
Audit PNP Activity	Success, Failure
Audit Process Creation	Success, Failure
Audit Process Termination	Success, Failure
Audit Account Lockout	Success, Failure
Audit User/Device Claims	Success, Failure
Audit Group Membership	Success, Failure
Audit Logoff	Success, Failure
Audit Logon	Success, Failure
Audit Other Logon/Logoff Events	Success, Failure
Audit Special Logon	Success, Failure
Audit Detailed File Share	Success, Failure
Audit File Share	Success, Failure
Audit File System	Success, Failure
Audit Filtering Platform Connection	Failure
Audit Other Object Access Events	Success, Failure
Audit Registry	Success, Failure
Audit Removable Storage	Success, Failure
Audit Audit Policy Change	Success, Failure
Audit Authentication Policy Change	Success, Failure
Audit MPSSVC Rule-Level Policy Change	Success, Failure
Audit Other Policy Change Events	Success, Failure
Audit Non Sensitive Privilege Use	Failure
Audit Sensitive Privilege Use	Success, Failure
Audit Other System Events	Success, Failure
Audit Security State Change	Success, Failure
Audit Security System Extension	Success, Failure
Audit System Integrity	Success, Failure

Windows Sicherheitsaudit Empfehlungen Standalone Server

Description	Settings
Audit Credential Validation	Success, Failure
Audit Other Account Logon Events	Success, Failure
Audit Security Group Management	Success, Failure
Audit User Account Management	Success, Failure
Audit DPAPI Activity	Success, Failure
Audit PNP Activity	Success, Failure
Audit Process Creation	Success, Failure
Audit Process Termination	Success, Failure
Audit Account Lockout	Success, Failure
Audit User/Device Claims	Success, Failure
Audit Group Membership	Success, Failure
Audit Logoff	Success, Failure
Audit Logon	Success, Failure
Audit Other Logon/Logoff Events	Success, Failure
Audit Special Logon	Success, Failure
Audit Detailed File Share	Success, Failure
Audit File Share	Success, Failure
Audit File System	Success, Failure
Audit Filtering Platform Connection	Failure
Audit Other Object Access Events	Success, Failure
Audit Registry	Success, Failure
Audit Removable Storage	Success, Failure
Audit Audit Policy Change	Success, Failure
Audit Authentication Policy Change	Success, Failure
Audit MPSSVC Rule-Level Policy Change	Success, Failure
Audit Other Policy Change Events	Success, Failure
Audit Non Sensitive Privilege Use	Failure
Audit Sensitive Privilege Use	Success, Failure
Audit Other System Events	Success, Failure
Audit Security State Change	Success, Failure
Audit Security System Extension	Success, Failure
Audit System Integrity	Success, Failure

Windows Sicherheitsaudit Empfehlungen Clients

Description	Settings
Audit Credential Validation	Success, Failure
Audit Other Account Logon Events	Success, Failure
Audit Security Group Management	Success, Failure
Audit User Account Management	Success, Failure
Audit DPAPI Activity	Success, Failure
Audit PNP Activity	Success, Failure
Audit Process Creation	Success, Failure
Audit Process Termination	Success, Failure
Audit Account Lockout	Success, Failure
Audit User/Device Claims	Success, Failure
Audit Group Membership	Success, Failure
Audit Logoff	Success, Failure
Audit Logon	Success, Failure
Audit Other Logon/Logoff Events	Success, Failure
Audit Special Logon	Success, Failure
Audit Detailed File Share	Success, Failure
Audit File Share	Success, Failure
Audit File System	Success, Failure
Audit Filtering Platform Connection	Failure
Audit Other Object Access Events	Success, Failure
Audit Registry	Success, Failure
Audit Removable Storage	Success, Failure
Audit Audit Policy Change	Success, Failure
Audit Authentication Policy Change	Success, Failure
Audit MPSSVC Rule-Level Policy Change	Success, Failure
Audit Other Policy Change Events	Success, Failure
Audit Non Sensitive Privilege Use	Failure
Audit Sensitive Privilege Use	Success, Failure
Audit Other System Events	Success, Failure
Audit Security State Change	Success, Failure
Audit Security System Extension	Success, Failure
Audit System Integrity	Success, Failure

Windows Sicherheitsaudit Empfehlungen Domain Controller, Member Server, Clients Security Options

Description	Settings
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Network security: Restrict NTLM: Audit Incoming NTLM Traffic	Enable auditing for all accounts
Network security: Restrict NTLM: Audit NTLM authentication in this domain	Enable All
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers	Audit all
Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
Turn on Module Logging Module Names: *	Enabled
Turn on Powershell Script Block Logging	Enabled
Log script block invocation start / stop events	Disabled
Computer Configuration -> Administrative Templates -> System -> Audit Process Creation
Include command line in process creation events	Enabled