I recently discovered that all of our domain controllers (2008 R2; domain and forest functional levels are both 2008 R2) are no longer logging AD account logon events to the Security log.
Default Domain Controllers GPO:
Audit account logon events - Success, Failure
Audit account management - Success, Failure
Audit directory service access - Success
Audit logon events - Success, Failure
Audit system events - Success, Failure
RSoP shows the policy above as the winning GPO. The report generated by the Group Policy Management Console wizard also shows the policy above as the winner.
When I run auditpol /get /category:* I get the following:
System audit policy
Category/Subcategory Setting
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation No Auditing
All other categories are "No Auditing" as well.
Am I missing something obvious, or do I have to configure Advanced Audit Policy settings?
Answer 1
You should use advanced audit policies. They give you finer control over what is audited. Here is a link describing the differences between basic and advanced policies: https://technet.microsoft.com/en-us/library/ff182311%28v=ws.10%29.aspx#BKMK_2
If you need a reference for which options to set in the advanced audit policy, see a benchmark such as CIS: https://benchmarks.cisecurity.org/tools2/windows/CIS_Microsoft_Windows_Server_2008_R2_Benchmark_v2.1.0.pdf
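The following PowerShell is an added example, not code from the question or the answer above. It shows how a practitioner would diagnose the symptom in the question and then apply advanced subcategory settings that correspond to the basic categories the Default Domain Controllers GPO sets. It assumes an elevated PowerShell session on the 2008 R2 domain controller; the mapping from basic categories to subcategories is the standard Windows one, but the choice to audit every subcategory in each category (including IPsec and Logoff) is this example's own.

```powershell
# Added example: diagnose "No Auditing" on a DC and apply advanced audit subcategories.
# Run elevated on the domain controller. Nothing here comes from the original post.

# 1. Effective audit policy as LSA applies it. This, not RSoP, decides what is logged.
#    /r produces CSV; blank lines are dropped before parsing.
$effective = auditpol /get /category:* /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv
$silent = @($effective | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' })
"{0} of {1} subcategories are currently not audited" -f $silent.Count, $effective.Count

# 2. When SCENoApplyLegacyAuditPolicy is 1 (the security option
#    "Audit: Force audit policy subcategory settings ... to override audit policy
#    category settings"), the basic category settings delivered by the GPO are
#    ignored and only advanced subcategory settings take effect.
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy `
          -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
"SCENoApplyLegacyAuditPolicy = $force  (1 means basic category settings are ignored)"

# 3. Advanced subcategories matching the basic categories in the question.
#    Each entry: subcategory name, success setting, failure setting.
$wanted = @(
    # Audit account logon events - Success, Failure
    @('Credential Validation',              'enable', 'enable'),
    @('Kerberos Authentication Service',    'enable', 'enable'),
    @('Kerberos Service Ticket Operations', 'enable', 'enable'),
    @('Other Account Logon Events',         'enable', 'enable'),
    # Audit account management - Success, Failure
    @('User Account Management',            'enable', 'enable'),
    @('Computer Account Management',        'enable', 'enable'),
    @('Security Group Management',          'enable', 'enable'),
    @('Distribution Group Management',      'enable', 'enable'),
    @('Application Group Management',       'enable', 'enable'),
    @('Other Account Management Events',    'enable', 'enable'),
    # Audit directory service access - Success only
    @('Directory Service Access',           'enable', 'disable'),
    # Audit logon events - Success, Failure
    @('Logon',                              'enable', 'enable'),
    @('Logoff',                             'enable', 'enable'),
    @('Account Lockout',                    'enable', 'enable'),
    @('Special Logon',                      'enable', 'enable'),
    @('Other Logon/Logoff Events',          'enable', 'enable'),
    # Audit system events - Success, Failure
    @('Security State Change',              'enable', 'enable'),
    @('Security System Extension',          'enable', 'enable'),
    @('System Integrity',                   'enable', 'enable'),
    @('IPsec Driver',                       'enable', 'enable'),
    @('Other System Events',                'enable', 'enable')
)

foreach ($entry in $wanted) {
    $sub, $succ, $fail = $entry
    auditpol /set /subcategory:"$sub" /success:$succ /failure:$fail | Out-Null
}

# 4. Re-read the effective policy and list anything still silent among the wanted set.
$after = auditpol /get /category:* /r | Where-Object { $_ -ne '' } | ConvertFrom-Csv
$after |
    Where-Object { $wanted.ForEach({ $_[0] }) -contains $_.Subcategory } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize
```

Running auditpol /set locally is useful to confirm that events start appearing (for example 4624 for Logon and 4776 for Credential Validation), but it is not the durable fix: put the same subcategory settings into the Default Domain Controllers Policy under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration so they survive policy refresh on every DC.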