Sobald eine Gruppenrichtlinie mit Auditeinstellungen aktiv ist, werden die Standard-Auditierungs-Regeln, die mit dem Betriebssystem vorkonfiguriert sind, ausgeschaltet und nur noch die explizit konfigurierten Auditeinstellungen angewendet.
Begründet ist dies dadurch, dass die Auditeinstellungen innerhalb der Gruppenrichtlinie als CSV-Datei abgebildet sind. Somit überschreibt die audit.csv der Gruppenrichtlinie auf unterster Ebene die aller übergeordneten.
Es wird daher empfohlen, die Standard-Auditierungsregeln mit in die Gruppenrichtlinie für die Zertifizierungsstelle auszunehmen.
Getestetes Betriebssystem: Windows Server 2019. Die Ergebnisse können für andere Betriebssysteme abweichen.
| Einstellung Standard | Einstellung Microsoft Baseline | |
|---|---|---|
| System | ||
| Security System Extension | No Auditing | Success |
| System Integrity | Success, Failure | Success, Failure |
| IPsec Driver | No Auditing | Not configured |
| Other System Events | Success, Failure | Success, Failure |
| Security State Change | Success | Success |
| Logon/Logoff | ||
| Logon | Success, Failure | Success, Failure |
| Logoff | Success | Not configured |
| Account Lockout | Success | Failure |
| IPsec Main Mode | No Auditing | Not configured |
| IPsec Quick Mode | No Auditing | Not configured |
| IPsec Extended Mode | No Auditing | Not configured |
| Special Logon | Success | Success |
| Other Logon/Logoff Events | No Auditing | Success, Failure |
| Network Policy Server | Success, Failure | Not configured |
| User / Device Claims | No Auditing | Not configured |
| Group Membership | No Auditing | Success |
| Object Access | ||
| File System | No Auditing | Not configured |
| Registry | No Auditing | Not configured |
| Kernel Object | No Auditing | Not configured |
| SAM | No Auditing | Not configured |
| Certification Services | No Auditing | Not configured |
| Application Generated | No Auditing | Not configured |
| Handle Manipulation | No Auditing | Not configured |
| File Share | No Auditing | Success, Failure |
| Filtering Platform Packet Drop | No Auditing | Not configured |
| Filtering Platform Connection | No Auditing | Not configured |
| Other Object Access Events | No Auditing | Success, Failure |
| Detailed File Share | No Auditing | Failure |
| Removable Storage | No Auditing | Success, Failure |
| Central Policy Staging | No Auditing | Not configured |
| Privilege Use | ||
| Non Sensitive Privilege Use | No Auditing | Not configured |
| Other Privilege Use Events | No Auditing | Not configured |
| Sensitive Privilege Use | No Auditing | Success, Failure |
| Detailed Tracking | ||
| Process Creation | No Auditing | Success |
| Process Termination | No Auditing | Not configured |
| DPAPI Activity | No Auditing | Not configured |
| RPC Events | No Auditing | Not configured |
| Plug and Play Events | No Auditing | Success |
| Token Right Adjusted Events | No Auditing | Not configured |
| Policy Change | ||
| Audit Policy Change | Success | Success |
| Authentication Policy Change | Success | Success |
| Authorization Policy Change | No Auditing | Not configured |
| MPSSVC Rule-Level Policy Change | No Auditing | Success, Failure |
| Filtering Platform Policy Change | No Auditing | Not configured |
| Other Policy Change Events | No Auditing | Failure |
| Account Management | ||
| Computer Account Management | Success | Not configured |
| Security Group Management | Success | Success |
| Distribution Group Management | No Auditing | Not configured |
| Application Group Management | No Auditing | Not configured |
| Other Account Management Events | No Auditing | Not configured |
| User Account Management | Success | Success, Failure |
| DS Access | ||
| Directory Service Access | Success | Not configured |
| Directory Service Changes | No Auditing | Not configured |
| Directory Service Replication | No Auditing | Not configured |
| Detailed Directory Service Replication | No Auditing | Not configured |
| Account Logon | ||
| Kerberos Service Ticket Operations | Success | Not defined |
| Other Account Logon Events | No Auditing | Not defined |
| Kerberos Authentication Service | Success | Not defined |
| Credential Validation | Success | Success and Failure |
Auditeinstellungen auf Betriebssystem-Ebene überprüfen
Die Auditeinstellungen auf Betriebssystem-Ebene können mit folgendem Befehl abgefragt werden. Im Bereich "Object Access" gibt es eine Kategorie "Certification Services".
auditpol.exe /get /category:*
3 Gedanken zu „Standard-Auditierungsregeln für Windows Server Betriebssysteme“
Kommentare sind geschlossen.