First, I should say: I am a Linux administrator. To me, Windows is like driving a British car: most of the operations are the same, but the steering wheel, buttons and levers are in the wrong places, and the labels are spelled strangely.
I have a server that is a domain member. GPOs from the domain are applied to it. Nothing unusual.
When I run auditpol on this server, I see policies set that are not set in secpol.msc and are not set in any domain GPO. I also compared the list of applied GPOs from gpresult and found that only three GPOs are being applied. (This list of 3 GPOs is the list I expected to see, so that part is fine.)
Example:
Run on the member server:
PS C:\Windows\system32> .\auditpol.exe /get /category:\*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
...(truncated)...
and
PS C:\Windows\system32> .\gpresult.exe /v /r /scope computer
...(truncated)...
RSOP data for CORP\fflintstone on MGMTWIN01A : Logging Mode
-----------------------------------------------------------
OS Configuration: Member Server
OS Version: 10.0.14393
Site Name: XYZ
Roaming Profile: N/A
Local Profile: C:\Users\fflintstone
Connected over a slow link?: No
COMPUTER SETTINGS
------------------
CN=MGMTWIN01A,OU=Windows,OU=Servers,DC=corp,DC=example,DC=com
Last time Group Policy was applied: 11/2/2018 at 2:13:01 PM
Group Policy was applied from: corpdc01a.corp.example.com
Group Policy slow link threshold: 500 kbps
Domain Name: CORP
Domain Type: Windows 2008 or later
...(truncated)...
Applied Group Policy Objects
-----------------------------
Default Domain Policy (CORP)
Windows Allow RDP Access
Windows Startup Script
The following GPOs were not applied because they were filtered out
-------------------------------------------------------------------
Local Group Policy
Filtering: Not Applied (Empty)
...(truncated)...
None of the three "applied" GPOs listed by gpresult contains any of the "Success" or "Success and Failure" settings shown in my auditpol snippet above.
Where are these settings coming from, and how do I track them down?
Answer 1
A clean installation of Windows Server 2016 ships with a built-in audit policy whose defaults are as follows:
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   Success and Failure
  User / Device Claims                    No Auditing
  Group Membership                        No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing
  Central Policy Staging                  No Auditing
Privilege Use
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
  Sensitive Privilege Use                 No Auditing
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Plug and Play Events                    No Auditing
  Token Right Adjusted Events             No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  Computer Account Management             Success
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
  User Account Management                 Success
DS Access
  Directory Service Access                Success
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
Account Logon
  Kerberos Service Ticket Operations      Success
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         Success
  Credential Validation                   Success
In the absence of any Advanced Audit Policy group policy (local or domain), you can modify the built-in policy with auditpol /set. As far as I know, auditpol is also the only way to view the built-in policy.
When and if any Advanced Audit Policy group policy is applied to the server, the built-in audit policy is discarded and all audit settings are turned off, except for those explicitly enabled through group policy. [I am not clear under what circumstances, if any, this process is reversible; I am still investigating.] You can still temporarily modify the audit settings with auditpol /set and/or the local legacy audit policy, but any such changes are discarded the next time group policy is processed.
On the face of it, your server is still using the default audit policy. So the policy you are seeing is the one built into a clean Windows installation.
Answer 2
These settings can also be set in Local Policy. Open gpedit.msc on the affected PC and look for the settings there.
Answer 3
Microsoft has an article stating that local policy overrides auditpol:
"On the next Group Policy refresh cycle, the CSE applies the modifications contained in the .csv file %SYSTEMROOT%\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv."
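Answer 1 says the effective policy is either a built-in default or whatever an Advanced Audit Policy GPO set, and Answer 3 names the Audit.csv file the CSE reads. The following PowerShell script, an added example and not code from any of the answers, puts the two together: it takes the effective policy from auditpol, collects every Audit.csv that could have fed the CSE (the local one from Answer 3 plus the SYSVOL copy of each applied domain GPO), and reports, per subcategory, which file sets it or that no file does (i.e. it is a built-in default). Assumptions: an elevated session on the member server, the GroupPolicy RSAT module for Get-GPO, read access to SYSVOL, and the GPO names as printed by gpresult; all function and variable names are mine.

```powershell
# Added example (not from the question or answers): trace which Audit.csv, if any,
# sets each effective audit subcategory. Assumes an elevated session on the member
# server, the GroupPolicy RSAT module (Get-GPO) and read access to SYSVOL.
# Function and variable names are my own.

# "Setting Value" codes as written in Audit.csv by the Advanced Audit Policy CSE.
$SettingValueNames = @{ '0' = 'No Auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success and Failure' }

# Effective policy as auditpol reports it; /r emits CSV with one row per subcategory.
function Get-EffectiveAuditPolicy {
    auditpol.exe /get /category:* /r |
        Where-Object { $_ -match ',' } |            # drop blank lines before parsing
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -ne 'No Auditing' } |
        Select-Object Subcategory, 'Subcategory GUID', 'Inclusion Setting'
}

# Audit.csv files that can feed the CSE: the local one named in Answer 3, plus the
# SYSVOL copy for each applied domain GPO (names as listed by gpresult).
function Get-AuditCsvSources {
    param([string[]]$AppliedGpoNames)
    $local = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv'
    if (Test-Path $local) {
        [pscustomobject]@{ Source = 'Local Group Policy'; Path = $local }
    }
    Import-Module GroupPolicy -ErrorAction Stop
    foreach ($gpo in Get-GPO -All | Where-Object { $AppliedGpoNames -contains $_.DisplayName }) {
        # GPO settings live under \\<domain>\SYSVOL\<domain>\Policies\{<GPO GUID>}\
        $csv = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}\Machine\Microsoft\Windows NT\Audit\Audit.csv"
        if (Test-Path $csv) {
            [pscustomobject]@{ Source = $gpo.DisplayName; Path = $csv }
        }
    }
}

# Join the two views: every effective non-"No Auditing" subcategory either maps to a
# row in some Audit.csv or is left over from the built-in defaults listed in Answer 1.
function Resolve-AuditPolicySource {
    param([string[]]$AppliedGpoNames)
    $rows = foreach ($src in Get-AuditCsvSources -AppliedGpoNames $AppliedGpoNames) {
        foreach ($r in Import-Csv $src.Path) {
            [pscustomobject]@{
                Source  = $src.Source
                Guid    = ($r.'Subcategory GUID' -replace '[{}]').ToUpperInvariant()
                Setting = $SettingValueNames[[string]$r.'Setting Value']
            }
        }
    }
    foreach ($eff in Get-EffectiveAuditPolicy) {
        $guid  = ($eff.'Subcategory GUID' -replace '[{}]').ToUpperInvariant()
        $match = @($rows | Where-Object { $_.Guid -eq $guid })
        if ($match.Count) {
            $setBy = ($match | ForEach-Object { "$($_.Source): $($_.Setting)" }) -join '; '
        } else {
            $setBy = 'not in any Audit.csv (built-in default)'
        }
        [pscustomobject]@{
            Subcategory = $eff.Subcategory
            Effective   = $eff.'Inclusion Setting'
            SetBy       = $setBy
        }
    }
}

# Is "Audit: Force audit policy subcategory settings (Windows Vista or later) to
# override audit policy category settings" in effect? When 1, legacy category
# policy (secpol.msc > Local Policies > Audit Policy) is ignored.
function Test-SubcategoryOverrideForced {
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction Stop
    [bool]$lsa.SCENoApplyLegacyAuditPolicy
}

# Usage on the server from the question (GPO names taken from its gpresult output):
Resolve-AuditPolicySource -AppliedGpoNames 'Default Domain Policy', 'Windows Allow RDP Access', 'Windows Startup Script' |
    Format-Table -AutoSize
"Subcategory override forced: $(Test-SubcategoryOverrideForced)"
```

If every "Success" row comes back as "not in any Audit.csv (built-in default)", that is Answer 1's conclusion confirmed: nothing is pushing an advanced audit policy and the server is running the clean-install defaults. One caveat to keep in mind: the legacy category-level audit policy (secpol.msc > Local Policies > Audit Policy, or the same node in a GPO) is stored in GptTmpl.inf rather than Audit.csv, so a subcategory set that way would also show up here as unexplained; Test-SubcategoryOverrideForced tells you whether that legacy policy is even being honoured.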