AUDIT POLICY - Windows 2k8
Author: Tấn Duy - Nhất Nghệ
As you know, to track user logon/logoff activity (from which computer, when the last logon was, and which DC recorded it) we deploy Audit Policies and watch the results in Event Viewer on Windows Server 2003. In this article I deploy Audit Policies on Windows Server 2008 R2; see for yourself whether anything differs.
In this lab: create the OU Nhatnghe and two users, teo and ti.
Right-click the OU nhatnghe > Properties > (Security tab) Advanced > Auditing tab > double-click the entry for teo.
Apply onto: choose Descendant User objects.
Tick Write all properties in the Successful column.
The Special auditing entry is now configured. Note that this SACL on the OU only produces events (Event ID 4662, Directory Service Access) on a DC where the Directory Service Access subcategory is enabled, which the policy below takes care of.
Start > Administrative Tools > Group Policy Management
Right-click the OU nhatnghe > Create a GPO in this domain, and Link it here
In New GPO > Name: Policy-teo (audit)
The entry Policy-teo (audit) appears
Right-click the newly created policy > Edit
In Computer Configuration > Policies > Windows Settings
Security Settings > Advanced Audit Policy Configuration
Select Audit Policies
These are the audit policies (system auditing). Because they live under Computer Configuration, they apply to the computers whose objects fall under the GPO link, so the DC or workstation that is to record the events must be covered by this GPO (for example by also linking it at the Domain Controllers OU) and must refresh policy.
Select Audit Other Account Logon Events
Tick Success and Failure
Select Audit Logoff
Tick Success
Select Audit Logon
Tick Success
Select Audit Other Logon/Logoff Events
Tick Success and Failure
Start > Run > type CMD; in the command prompt run gpupdate /force. Then Start > Administrative Tools > Event Viewer
In Event Viewer > Windows Logs > Security
The logon of Administrator on pc40 appears (Event ID 4624)
User teo logged off the system successfully (Event ID 4634/4647)
And here are the same audit policies deployed from the command line (CMD):
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Other Policy Change Events" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable
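As an added example (not code from the original article), the PowerShell script below performs the whole lab in scripted form: it writes the same object-level SACL on the OU that the GUI steps configure, sets the same audit subcategories that the GPO and the auditpol list above set, verifies the effective policy, and then pulls teo's logon/logoff events from the Security log to show computer, time and recording DC. It assumes it is run in an elevated PowerShell on the DC that records the events, with the ActiveDirectory module available; the OU, user and GPO names are the lab's own, the schema GUID is the well-known one for the user class, and the variable names are hypothetical.

```powershell
# Added example, not part of the original article.
# Assumes: elevated PowerShell on the recording DC, ActiveDirectory module present,
# OU "nhatnghe" and user "teo" from the lab. Variable names are hypothetical.
Import-Module ActiveDirectory

# 1. Object-level SACL on the OU: audit successful "Write all properties" by teo,
#    applied to descendant user objects (the GUI "Special" auditing entry).
$ou            = Get-ADOrganizationalUnit -Filter "Name -eq 'nhatnghe'"
$ouPath        = "AD:\$($ou.DistinguishedName)"
$teo           = New-Object System.Security.Principal.NTAccount("teo")
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # schemaIDGUID of the 'user' class
$rule = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $teo,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,          # no property GUID = all properties
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)                                                           # "Descendant User objects"
$acl = Get-Acl -Path $ouPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 2. The subcategories the GPO enables, applied locally (same as the auditpol list).
#    Directory Service Access is required for the SACL above to emit 4662 events.
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff"                     /success:enable /failure:disable
auditpol /set /subcategory:"Logon"                      /success:enable /failure:disable
auditpol /set /subcategory:"Other Logon/Logoff Events"  /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access"   /success:enable /failure:enable

# 3. Check the effective policy before trusting the log: if a GPO covering this
#    computer sets these subcategories differently, the GPO wins at next refresh.
gpupdate /force | Out-Null
auditpol /get /category:*

# 4. teo's logon (4624) and logoff (4634 session end, 4647 user-initiated) events.
#    Fields are read from the event XML by name instead of by positional index,
#    because 4634/4647 carry fewer fields than 4624.
$xpath = "*[System[(EventID=4624 or EventID=4634 or EventID=4647)] " +
         "and EventData[Data[@Name='TargetUserName']='teo']]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [xml]$x = $_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            EventId     = $_.Id
            User        = $d['TargetUserName']
            LogonType   = $d['LogonType']        # 2 interactive, 3 network, 10 RDP (absent on 4647)
            Workstation = $d['WorkstationName']  # present on 4624 only
            SourceIP    = $d['IpAddress']        # present on 4624 only
            RecordedOn  = $_.MachineName         # the DC that wrote this event
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

The SACL hits from step 1 show up as Event ID 4662 with SubjectUserName teo and the modified user's DN in ObjectName; add `EventID=4662` to the XPath (matching on `SubjectUserName` rather than `TargetUserName`) to list them alongside the logon events. Run step 4 against each DC, or forward their Security logs to one collector, since a user's logon is recorded only on the DC that authenticated it.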
Nhất Nghệ - ICT Training Center