
[玩转系统] Active Directory Auditing Checklist

Author: 精品下载站  Date: 2024-12-14 18:00:46



To audit Active Directory properly, you must enable the right policy settings. These settings make sure your domain controllers record the security events needed to satisfy your compliance and auditing requirements.

The challenge is that there are many audit policy settings to choose from. The list is overwhelming, and not all of them are needed to meet your auditing requirements.

I created a simple Active Directory auditing checklist that you can download and use as a quick reference. It shows which audit settings to enable and the value to set for each policy. The settings are taken from the Microsoft security baselines (the Security Compliance Toolkit). These policy settings are also required when you use an Active Directory auditing tool, because the tool can only analyze the logs your domain controllers actually generate.

Active Directory Audit Policy Checklist

Free audit policy checklist.

Active Directory Pro created this audit policy checklist reference guide.

The free PDF serves as a reference guide that shows the recommended Active Directory audit policy settings. The settings follow the Microsoft security baseline recommendations.

Download the PDF checklist


The audit policy settings in this guide must be configured in the Default Domain Controllers Policy GPO (or in a dedicated GPO linked to the Domain Controllers OU, if you prefer not to edit the default one). Because these are advanced audit policy (subcategory) settings, also make sure the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled; otherwise the legacy category-level audit policy can override them.

Policy location

Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration -> Audit Policies

Below are the recommended settings for the Advanced Audit Policy Configuration, grouped by category.

Account Logon

| Name | Policy Setting | Description |
| --- | --- | --- |
| Audit Credential Validation | Failure | Audits events generated by validation tests on user account logon credentials (for example NTLM credential validation against the domain controller). |
| Audit Kerberos Authentication Service | Failure | Audits events generated by Kerberos authentication ticket-granting ticket (TGT) requests. |
| Audit Kerberos Service Ticket Operations | Success and Failure | Audits events generated by Kerberos service ticket requests (the tickets a client presents to individual services after obtaining a TGT). |

Account Management

| Name | Policy Setting | Description |
| --- | --- | --- |
| Audit Computer Account Management | Success | Audits events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted. |
| Audit Other Account Management Events | Success | Audits other user account events not covered elsewhere in this category, such as the password hash of an account being accessed or the Password Policy Checking API being called. |
| Audit Security Group Management | Success | Audits events generated by changes to security groups, such as a group being created, changed, or deleted, or a member being added to or removed from a group. |
| Audit User Account Management | Success and Failure | Audits changes to user accounts, such as when a user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked, or when a password is set or changed. |

Detailed Tracking

| Name | Policy Setting | Description |
| --- | --- | --- |
| Audit PNP Activity | Success | Audits events generated when Plug and Play detects an external device. |
| Audit Process Creation | Success | Audits events generated when a process is created or starts. (Enabling command-line logging for these events is a separate setting under Administrative Templates.) |

DS Access

| Name | Policy Setting | Description |
| --- | --- | --- |
| Audit Directory Service Access | Failure | Audits events generated when an Active Directory Domain Services (AD DS) object is accessed. Only objects whose system access control list (SACL) requests auditing generate events. |
| Audit Directory Service Changes | Success | Audits events generated by changes to objects in AD DS (create, modify, move, or undelete), including the old and new attribute values where available. |

Logon/Logoff

| Name | Policy Setting | Description |
| --- | --- | --- |
| Audit Account Lockout | Failure | Audits events generated by a failed attempt to log on to an account that is locked out. |
| Audit Group Membership | Success | Audits the group membership information in the user's logon token. |
| Audit Logon | Success and Failure | Audits events generated by user account logon attempts on the computer. |
| Audit Other Logon/Logoff Events | Success and Failure | Audits other logon/logoff-related events that are not covered elsewhere in the Logon/Logoff category. |
| Audit Special Logon | Success | Audits events generated by special logons, such as logons with administrator-equivalent privileges. |

Object Access

| Name | Policy Setting | Description |
| --- | --- | --- |
| Audit Detailed File Share | Failure | Audits attempts to access files and folders on a shared folder. |
| Audit File Share | Success and Failure | Audits attempts to access a shared folder. |
| Audit Other Object Access Events | Success and Failure | Audits events generated by the management of Task Scheduler jobs or COM+ objects. |
| Audit Removable Storage | Success and Failure | Audits user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects for all types of access requested. |

Policy Change

| Name | Policy Setting | Description |
| --- | --- | --- |
| Audit Audit Policy Change | Success | Audits changes to the security audit policy settings themselves. |
| Audit Authentication Policy Change | Success | Audits events generated by changes to the authentication policy. |
| Audit MPSSVC Rule-Level Policy Change | Success and Failure | Audits events generated by changes to the policy rules used by the Microsoft Protection Service (MPSSVC), that is, the Windows Firewall rules. |
| Audit Other Policy Change Events | Failure | Audits events generated by other security policy changes that are not audited elsewhere in the Policy Change category. |

Privilege Use

| Name | Policy Setting | Description |
| --- | --- | --- |
| Audit Sensitive Privilege Use | Success and Failure | Audits events generated when sensitive privileges (user rights) are used. |

System

| Name | Policy Setting | Description |
| --- | --- | --- |
| Audit Other System Events | Success and Failure | Audits system events such as the startup and shutdown of the Windows Firewall. |
| Audit Security State Change | Success | Audits events generated by changes in the security state of the computer, such as system startup and shutdown or a change of the system time. |
| Audit Security System Extension | Success | Audits events related to security system extensions or services. |
| Audit System Integrity | Success and Failure | Audits events that violate the integrity of the security subsystem. |
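The tables above are a policy, not proof that a given domain controller is actually applying it. The following PowerShell script is an added example, not part of the original checklist or of Active Directory Pro's material: it reads the effective audit policy with auditpol.exe and reports every subcategory that differs from the values recommended above. The subcategory names are the English names auditpol uses; on a non-English OS they are localized and the keys would need adjusting. Run it in an elevated prompt on a domain controller after `gpupdate /force`.

```powershell
# Added example: compare the effective audit policy on this DC with the
# recommended subcategory settings from the checklist above.

# Expected values, keyed by the (English) subcategory names auditpol.exe reports.
$Expected = [ordered]@{
    # Account Logon
    'Credential Validation'              = 'Failure'
    'Kerberos Authentication Service'    = 'Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    # Account Management
    'Computer Account Management'        = 'Success'
    'Other Account Management Events'    = 'Success'
    'Security Group Management'          = 'Success'
    'User Account Management'            = 'Success and Failure'
    # Detailed Tracking
    'Plug and Play Events'               = 'Success'
    'Process Creation'                   = 'Success'
    # DS Access
    'Directory Service Access'           = 'Failure'
    'Directory Service Changes'          = 'Success'
    # Logon/Logoff
    'Account Lockout'                    = 'Failure'
    'Group Membership'                   = 'Success'
    'Logon'                              = 'Success and Failure'
    'Other Logon/Logoff Events'          = 'Success and Failure'
    'Special Logon'                      = 'Success'
    # Object Access
    'Detailed File Share'                = 'Failure'
    'File Share'                         = 'Success and Failure'
    'Other Object Access Events'         = 'Success and Failure'
    'Removable Storage'                  = 'Success and Failure'
    # Policy Change
    'Audit Policy Change'                = 'Success'
    'Authentication Policy Change'       = 'Success'
    'MPSSVC Rule-Level Policy Change'    = 'Success and Failure'
    'Other Policy Change Events'         = 'Failure'
    # Privilege Use
    'Sensitive Privilege Use'            = 'Success and Failure'
    # System
    'Other System Events'                = 'Success and Failure'
    'Security State Change'              = 'Success'
    'Security System Extension'          = 'Success'
    'System Integrity'                   = 'Success and Failure'
}

# auditpol's /r switch emits CSV; the 'Inclusion Setting' column holds the
# effective value ('Success', 'Failure', 'Success and Failure', 'No Auditing').
$Effective = @{}
auditpol.exe /get /category:* /r | ConvertFrom-Csv |
    ForEach-Object { $Effective[$_.Subcategory] = $_.'Inclusion Setting' }

$Report = foreach ($name in $Expected.Keys) {
    $actual = if ($Effective.ContainsKey($name)) { $Effective[$name] } else { '<not reported>' }
    [pscustomobject]@{
        Subcategory = $name
        Expected    = $Expected[$name]
        Actual      = $actual
        Compliant   = ($actual -eq $Expected[$name])
    }
}

$Report | Format-Table -AutoSize

$gaps = @($Report | Where-Object { -not $_.Compliant })
if ($gaps.Count -gt 0) {
    # Fix gaps in the GPO rather than with 'auditpol /set': a local change is
    # overwritten the next time Group Policy refreshes.
    Write-Warning ("{0} subcategories differ from the checklist." -f $gaps.Count)
}
```

A subcategory that shows `<not reported>` usually means a localized or differently spelled name rather than missing auditing; compare against the raw `auditpol /get /category:*` output before assuming a gap.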

Once these Windows audit policy settings are enabled, Active Directory events are written to the Security log on the domain controllers. Each domain controller records only the activity it handled itself, and the Security log is not replicated, so you need to collect from every DC. The logs can be viewed with Windows Event Viewer, but an auditing tool is recommended for analyzing them at any scale. Using the audit policy checklist provided here, you can make sure the policy settings are enabled so auditing actually takes place on your domain controllers.
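To confirm that the settings produce the events you expect before pointing an auditing tool at them, you can query the Security log directly. The script below is an added example, not part of the original article: it pulls the last 24 hours of a few well-known events generated by the Account Management and Logon/Logoff settings above (4720 user created, 4726 user deleted, 4728 member added to a global security group, 4740 account locked out, 4672 special privileges assigned at logon) and flattens each event's EventData fields by name, which is more robust than indexing into the positional `Properties` array. Run it in an elevated prompt on a domain controller.

```powershell
# Added example: read recent Security events produced by the audit settings
# above and expose the EventData fields by name.

$Ids = @(
    4720,  # user account created          (Audit User Account Management)
    4726,  # user account deleted          (Audit User Account Management)
    4728,  # member added to global group  (Audit Security Group Management)
    4740,  # account locked out            (Audit User Account Management)
    4672   # special privileges assigned   (Audit Special Logon)
)

$Filter = @{
    LogName   = 'Security'
    Id        = $Ids
    StartTime = (Get-Date).AddHours(-24)
}

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error, not an empty
# result, when no events match the filter.
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # The XML form carries every EventData field with its schema name.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Subject = $data['SubjectUserName']   # who performed the action
            Target  = $data['TargetUserName']    # the account acted upon
            Summary = ($_.Message -split "`n")[0].Trim()
        }
    }

$Events | Sort-Object Time -Descending | Format-Table -AutoSize

# Example follow-up: lockouts are the events a help desk asks about first.
$Events | Where-Object Id -eq 4740 |
    Group-Object Target | Sort-Object Count -Descending |
    Select-Object Name, Count
```

If the query returns nothing for an event you just caused (for example a test user you created), check that Group Policy has refreshed on this DC and that you are querying the DC that processed the change; a write made against another domain controller is logged there, not here.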
