Windows 7 security auditing gets turned off - why?

This is driving me crazy. I have searched everywhere for a solution and found nothing. I have looked for what I thought would be the solution to this problem, the audit tool. No dice.

I can set the Windows audit policy using either the Security Policy snap-in or the Management Console. The problem is that a few minutes later they are wiped out (everything set to "No Auditing"). The only clue I get from the event log is this:

System audit policy was changed.

Subject:
Security ID:        SYSTEM
Account Name:       MYCOMPUTERNAME$
Account Domain:     WORKGROUP
Logon ID:           0x3e7

Audit Policy Change:
Category:           Account Logon
Subcategory:        Kerberos Authentication Service
Subcategory GUID:   {0cce9242-69ae-11d9-bed3-505054503030}
Changes:            Success removed, Failure removed

After that last one, no further entries of any kind are written to the Security event log.

My system configuration

OS: Windows 7 Ultimate w/ SP1
Processor: x64
RAM: 12 GB
NOT Domain-joined. In WORKGROUP (so, no Group Policy is being applied).
Windows Firewall enabled
Microsoft Security Essentials

Update:

I have also asked for help with this problem on the Microsoft Community forums, and judging from the replies I received (from Microsoft), they apparently do not understand the issue. For that reason I thought it would be appropriate to add more details here.

The exact commands I use to configure auditing are as follows:

auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable
auditpol.exe /set /category:"Account Management" /success:enable /failure:enable
auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable
auditpol.exe /set /category:"DS Access" /success:disable /failure:enable
auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol.exe /set /category:"Object Access" /success:disable /failure:disable
auditpol.exe /set /category:"Policy Change" /success:disable /failure:enable
auditpol.exe /set /category:"Privilege Use" /success:disable /failure:enable
auditpol.exe /set /category:"System" /success:enable /failure:enable

auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:enable

and the output of auditpol.exe /get /category:*

System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             Failure
  Other Privilege Use Events              Failure
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         Failure
  Filtering Platform Policy Change        Failure
  Other Policy Change Events              Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Failure
  Directory Service Replication           Failure
  Detailed Directory Service Replication  Failure
  Directory Service Access                Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure

A few minutes later, without anything audit-related having been touched, repeating the command gives this:

System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

Nothing in the event log indicates what caused these changes.

Answer 1

Perhaps "Audit: Force audit policy subcategory settings to override audit policy category settings" is set to Enabled? It seems this periodically, and after a reboot, overwrites the "old" audit policy.

See: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx
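The following diagnostic script is an added example; it is not part of the question or the answer above. It gathers, in one run, the facts needed to decide whether the two audit policies on the box disagree: the registry value behind the "Force audit policy subcategory settings ... to override audit policy category settings" option (SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), the effective per-subcategory policy from auditpol, the legacy nine-category policy that secpol.msc writes (exported with secedit), and the recent 4719 events with the subject that made each change. The subject in the event quoted in the question (SYSTEM, Logon ID 0x3e7) is the local system logon session, which is what an automatic policy refresh runs as rather than an interactive user, so comparing the legacy export against the auditpol snapshot is the check to start with. Run it from an elevated PowerShell prompt on the affected machine; the temporary file path is an assumption made for the example.

```powershell
# Added diagnostic script (not from the original post). Run elevated.

# 1. Read the override setting. 1 = enabled (legacy category policy is ignored);
#    0 or absent = disabled (legacy category policy can overwrite subcategories).
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
            -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($force -eq 1) { 'Subcategory override: ENABLED' }
else              { 'Subcategory override: DISABLED (value is 0 or missing)' }

# 2. Snapshot the effective advanced policy as objects (the /r switch makes
#    auditpol emit CSV) so a later run can be compared field by field.
$snapshot = auditpol.exe /get /category:* /r | ConvertFrom-Csv
$snapshot | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# 3. Export the legacy category policy that secpol.msc writes. In the exported
#    [Event Audit] section, Audit* = 0 means "No auditing" for that category.
#    If these read 0 while auditpol shows the subcategories enabled, the two
#    policies disagree.  ($env:TEMP path is an assumption for this example.)
$cfg = Join-Path $env:TEMP 'audit-export.inf'
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
Get-Content $cfg | Select-String '^Audit'

# 4. List recent 4719 (System audit policy was changed) events with who did it.
#    AuditPolicyChanges in the raw XML is a resource code (%%8448 etc.); the
#    resolved text ("Success removed, Failure removed") is in $_.Message.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719 } -MaxEvents 50 |
  ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    New-Object PSObject -Property @{
      Time        = $_.TimeCreated
      Subject     = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
      LogonId     = $data.SubjectLogonId
      Subcategory = $data.SubcategoryGuid
      Changes     = $data.AuditPolicyChanges
    }
  } | Sort-Object Time | Format-Table Time, Subject, LogonId, Subcategory, Changes -AutoSize
```

Run it once right after applying the auditpol commands and again after the settings have been reset; if step 1 reports the override disabled and step 3 shows the legacy categories at 0 while the first auditpol snapshot showed them enabled, the reset is the legacy policy being reapplied over the subcategory settings, and either enabling the override option or defining the legacy categories to match will stop it.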
