As soon as a Group Policy Object containing audit settings is active, the default audit rules that ship preconfigured with the operating system are switched off and only the explicitly configured audit settings are applied.
The reason is that the audit settings within a Group Policy Object are represented as a CSV file. The audit.csv of the GPO at the lowest level therefore overwrites those of all GPOs above it.

It is therefore recommended to include the default audit rules in the Group Policy for the certification authority as well.
Tested operating system: Windows Server 2019. Results may differ on other operating systems.
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and allows policies to be enforced so that certificate issuance can be automated securely. TameMyCerts is unique in the Microsoft ecosystem, has proven itself in countless companies worldwide and is available under a free license. It can be downloaded via GitHub and used free of charge. Professional maintenance is also offered.
| Subcategory | Default setting | Microsoft Baseline setting |
|---|---|---|
| System | | |
| Security System Extension | No Auditing | Success |
| System Integrity | Success, Failure | Success, Failure |
| IPsec Driver | No Auditing | Not configured |
| Other System Events | Success, Failure | Success, Failure |
| Security State Change | Success | Success |
| Logon/Logoff | | |
| Logon | Success, Failure | Success, Failure |
| Logoff | Success | Not configured |
| Account Lockout | Success | Failure |
| IPsec Main Mode | No Auditing | Not configured |
| IPsec Quick Mode | No Auditing | Not configured |
| IPsec Extended Mode | No Auditing | Not configured |
| Special Logon | Success | Success |
| Other Logon/Logoff Events | No Auditing | Success, Failure |
| Network Policy Server | Success, Failure | Not configured |
| User / Device Claims | No Auditing | Not configured |
| Group Membership | No Auditing | Success |
| Object Access | | |
| File System | No Auditing | Not configured |
| Registry | No Auditing | Not configured |
| Kernel Object | No Auditing | Not configured |
| SAM | No Auditing | Not configured |
| Certification Services | No Auditing | Not configured |
| Application Generated | No Auditing | Not configured |
| Handle Manipulation | No Auditing | Not configured |
| File Share | No Auditing | Success, Failure |
| Filtering Platform Packet Drop | No Auditing | Not configured |
| Filtering Platform Connection | No Auditing | Not configured |
| Other Object Access Events | No Auditing | Success, Failure |
| Detailed File Share | No Auditing | Failure |
| Removable Storage | No Auditing | Success, Failure |
| Central Policy Staging | No Auditing | Not configured |
| Privilege Use | | |
| Non Sensitive Privilege Use | No Auditing | Not configured |
| Other Privilege Use Events | No Auditing | Not configured |
| Sensitive Privilege Use | No Auditing | Success, Failure |
| Detailed Tracking | | |
| Process Creation | No Auditing | Success |
| Process Termination | No Auditing | Not configured |
| DPAPI Activity | No Auditing | Not configured |
| RPC Events | No Auditing | Not configured |
| Plug and Play Events | No Auditing | Success |
| Token Right Adjusted Events | No Auditing | Not configured |
| Policy Change | | |
| Audit Policy Change | Success | Success |
| Authentication Policy Change | Success | Success |
| Authorization Policy Change | No Auditing | Not configured |
| MPSSVC Rule-Level Policy Change | No Auditing | Success, Failure |
| Filtering Platform Policy Change | No Auditing | Not configured |
| Other Policy Change Events | No Auditing | Failure |
| Account Management | | |
| Computer Account Management | Success | Not configured |
| Security Group Management | Success | Success |
| Distribution Group Management | No Auditing | Not configured |
| Application Group Management | No Auditing | Not configured |
| Other Account Management Events | No Auditing | Not configured |
| User Account Management | Success | Success, Failure |
| DS Access | | |
| Directory Service Access | Success | Not configured |
| Directory Service Changes | No Auditing | Not configured |
| Directory Service Replication | No Auditing | Not configured |
| Detailed Directory Service Replication | No Auditing | Not configured |
| Account Logon | | |
| Kerberos Service Ticket Operations | Success | Not defined |
| Other Account Logon Events | No Auditing | Not defined |
| Kerberos Authentication Service | Success | Not defined |
| Credential Validation | Success | Success and Failure |
Checking the audit settings at the operating system level
The audit settings in effect at the operating system level can be queried with the following command. Within the "Object Access" area there is a "Certification Services" subcategory.
auditpol.exe /get /category:*
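As an added example (not from the original post and not part of TameMyCerts or of Windows), the following PowerShell reads either the live policy from auditpol's CSV report or a GPO's audit.csv and lists every subcategory that the operating-system default enables but the policy leaves unconfigured or sets differently, which is exactly the gap the post warns about. It assumes the English column names auditpol prints on an English-language system (localized systems print translated headers), that GPO audit.csv files prefix subcategory names with "Audit ", and the SYSVOL path and function names are hypothetical; the table's "Success, Failure" is auditpol's "Success and Failure".

```powershell
# Added example (not part of the original post, of TameMyCerts or of any
# Microsoft tooling): compare the effective audit policy, or a GPO's audit.csv,
# against the Windows Server 2019 defaults from the table above and report the
# subcategories a GPO would silently switch off.

# Subcategories whose OS default is not "No Auditing", taken from the table.
# Every subcategory missing from this map defaults to "No Auditing".
$DefaultAuditSettings = @{
    'System Integrity'                   = 'Success and Failure'
    'Other System Events'                = 'Success and Failure'
    'Security State Change'              = 'Success'
    'Logon'                              = 'Success and Failure'
    'Logoff'                             = 'Success'
    'Account Lockout'                    = 'Success'
    'Special Logon'                      = 'Success'
    'Network Policy Server'              = 'Success and Failure'
    'Audit Policy Change'                = 'Success'
    'Authentication Policy Change'       = 'Success'
    'Computer Account Management'        = 'Success'
    'Security Group Management'          = 'Success'
    'User Account Management'            = 'Success'
    'Directory Service Access'           = 'Success'
    'Kerberos Service Ticket Operations' = 'Success'
    'Kerberos Authentication Service'    = 'Success'
    'Credential Validation'              = 'Success'
}

# "auditpol /get /category:* /r" and a GPO's audit.csv share the columns
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
# (audit.csv adds a numeric "Setting Value"). Assumptions: English column
# names (localized auditpol output needs the header names adapted) and an
# "Audit " prefix on GPO subcategory names, which is stripped so both sources
# key on the same names.
function ConvertFrom-AuditCsv {
    param([Parameter(Mandatory)][string[]]$Lines)
    $map  = @{}
    $rows = $Lines | Where-Object { $_ -and $_.Trim() -ne '' } | ConvertFrom-Csv
    foreach ($row in $rows) {
        if (-not $row.Subcategory) { continue }
        $name = ($row.Subcategory.Trim() -replace '^Audit\s+', '')
        $map[$name] = ([string]$row.'Inclusion Setting').Trim()
    }
    return $map
}

function Get-EffectiveAuditPolicy {
    # Live state of this machine; requires the rights auditpol itself needs.
    return ConvertFrom-AuditCsv (& auditpol.exe /get /category:* /r)
}

function Get-GpoAuditPolicy {
    # $Path is the GPO's audit.csv in SYSVOL, i.e.
    # ...\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\Audit\audit.csv
    param([Parameter(Mandatory)][string]$Path)
    return ConvertFrom-AuditCsv (Get-Content -Path $Path)
}

function Find-LostDefaultAuditing {
    # Lists every subcategory the OS default enables but the given policy does
    # not configure or sets differently. An unconfigured subcategory counts as
    # "No Auditing", which is what takes effect once the GPO applies.
    param([Parameter(Mandatory)][hashtable]$Policy)
    foreach ($name in ($DefaultAuditSettings.Keys | Sort-Object)) {
        $expected = $DefaultAuditSettings[$name]
        $actual   = if ($Policy.ContainsKey($name)) { $Policy[$name] } else { 'No Auditing' }
        if ($expected -ne $actual) {
            [pscustomobject]@{ Subcategory = $name; Default = $expected; Policy = $actual }
        }
    }
}

# Usage (hypothetical domain and GPO GUID): check the CA's GPO before linking
# it, then confirm the live state on the CA and look at the CA-relevant subcategory.
# $gpo = Get-GpoAuditPolicy -Path '\\contoso.example\SYSVOL\contoso.example\Policies\{GPO-GUID}\Machine\Microsoft\Windows NT\Audit\audit.csv'
# Find-LostDefaultAuditing -Policy $gpo | Format-Table -AutoSize
# Find-LostDefaultAuditing -Policy (Get-EffectiveAuditPolicy) | Format-Table -AutoSize
# (Get-EffectiveAuditPolicy)['Certification Services']
```

Run the GPO check against the audit.csv while the policy is still unlinked: any row it prints is a subcategory that is audited today only because of the OS default and will stop being audited the moment the GPO applies, so it belongs in the GPO explicitly, as the post recommends.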
