Windows Advanced Security Audit Configuration

Below you will find a few tables showing how the audit policies can sensibly be configured. The listing is based on the table of all Windows security audit events that Microsoft provides.

At first glance this may not look much like a recommendation, because almost everything is logged. But the Failure events in particular are very valuable today for analysis and for tracing an incident back to its origin. Only if we know what is happening on our systems are we demonstrably able, after a breach, to explain or uncover the incident, or even just the attempt.
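As an added example that is not part of the original page, the following PowerShell script shows what the Failure events argued for above look like in practice: it reads failed logons (event 4625) from the local Security log and groups them by source address and failure reason. The 24-hour window and an elevated session (needed to read the Security log) are assumptions.

```powershell
# Added example, not from the original page: aggregate failed logons (4625) from the
# local Security log to see where failures originate and why they fail.
# Assumes an elevated session and that "Audit Logon" Failure auditing is enabled.
param([int]$Hours = 24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue   # no events in the window is not an error

$rows = foreach ($e in $events) {
    # Read EventData by field name via XML; positional .Properties indices differ between OS builds.
    $d = @{}
    foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Source    = $d['IpAddress']
        Account   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        LogonType = $d['LogonType']          # 3 = network, 10 = RDP, 2 = interactive
        Status    = $d['Status']             # 0xC0000234 = account locked out
        SubStatus = $d['SubStatus']          # 0xC000006A = bad password, 0xC0000064 = unknown user
    }
}

# One source hitting many accounts looks like password spraying; many hits on one account like brute force.
$rows | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Source';   e = { $_.Name } },
                  @{ n = 'Accounts'; e = { @($_.Group.Account | Sort-Object -Unique).Count } },
                  @{ n = 'Reasons';  e = { @($_.Group.SubStatus | Sort-Object -Unique) -join ',' } } |
    Format-Table -AutoSize
```

The same pattern (filter by ID, read EventData by name, group) works for the other Failure events the tables below switch on, for example 4771 (Kerberos pre-authentication failed) on a domain controller or 4656/4663 failures once a SACL is set on a sensitive file or registry key.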

Windows Security Audit Recommendations: Domain Controller (Advanced Audit Configuration)

Description                                     Settings
Audit Credential Validation                     Success, Failure
Audit Other Account Logon Events                Success, Failure
Audit Kerberos Authentication Service           Success, Failure
Audit Kerberos Service Ticket Operations        Success, Failure
Audit Computer Account Management               Success, Failure
Audit Distribution Group Management             Success, Failure
Audit Other Account Management Events           Success, Failure
Audit Security Group Management                 Success, Failure
Audit User Account Management                   Success, Failure
Audit DPAPI Activity                            Success, Failure
Audit PNP Activity                              Success, Failure
Audit Process Creation                          Success, Failure
Audit Process Termination                       Success, Failure
Audit Detailed Directory Service Replication    Success, Failure
Audit Directory Service Access                  Success, Failure
Audit Directory Service Changes                 Success, Failure
Audit Directory Service Replication             Success, Failure
Audit Account Lockout                           Success, Failure
Audit User/Device Claims                        Success, Failure
Audit Group Membership                          Success, Failure
Audit Logoff                                    Success, Failure
Audit Logon                                     Success, Failure
Audit Other Logon/Logoff Events                 Success, Failure
Audit Special Logon                             Success, Failure
Audit Detailed File Share                       Failure
Audit File Share                                Success, Failure
Audit File System                               Success, Failure
Audit Filtering Platform Connection             Failure
Audit Other Object Access Events                Success, Failure
Audit Registry                                  Success, Failure
Audit Removable Storage                         Success, Failure
Audit Audit Policy Change                       Success, Failure
Audit Authentication Policy Change              Success, Failure
Audit MPSSVC Rule-Level Policy Change           Success, Failure
Audit Other Policy Change Events                Success, Failure
Audit Non Sensitive Privilege Use               Failure
Audit Sensitive Privilege Use                   Success, Failure
Audit Other System Events                       Success, Failure
Audit Security State Change                     Success, Failure
Audit Security System Extension                 Success, Failure
Audit System Integrity                          Success, Failure

Windows Security Audit Recommendations: Member Server

Description                                     Settings
Audit Credential Validation                     Success, Failure
Audit Other Account Logon Events                Success, Failure
Audit Security Group Management                 Success, Failure
Audit User Account Management                   Success, Failure
Audit DPAPI Activity                            Success, Failure
Audit PNP Activity                              Success, Failure
Audit Process Creation                          Success, Failure
Audit Process Termination                       Success, Failure
Audit Account Lockout                           Success, Failure
Audit User/Device Claims                        Success, Failure
Audit Group Membership                          Success, Failure
Audit Logoff                                    Success, Failure
Audit Logon                                     Success, Failure
Audit Other Logon/Logoff Events                 Success, Failure
Audit Special Logon                             Success, Failure
Audit Detailed File Share                       Success, Failure
Audit File Share                                Success, Failure
Audit File System                               Success, Failure
Audit Filtering Platform Connection             Failure
Audit Other Object Access Events                Success, Failure
Audit Registry                                  Success, Failure
Audit Removable Storage                         Success, Failure
Audit Audit Policy Change                       Success, Failure
Audit Authentication Policy Change              Success, Failure
Audit MPSSVC Rule-Level Policy Change           Success, Failure
Audit Other Policy Change Events                Success, Failure
Audit Non Sensitive Privilege Use               Failure
Audit Sensitive Privilege Use                   Success, Failure
Audit Other System Events                       Success, Failure
Audit Security State Change                     Success, Failure
Audit Security System Extension                 Success, Failure
Audit System Integrity                          Success, Failure

Windows Security Audit Recommendations: Standalone Server

Description                                     Settings
Audit Credential Validation                     Success, Failure
Audit Other Account Logon Events                Success, Failure
Audit Security Group Management                 Success, Failure
Audit User Account Management                   Success, Failure
Audit DPAPI Activity                            Success, Failure
Audit PNP Activity                              Success, Failure
Audit Process Creation                          Success, Failure
Audit Process Termination                       Success, Failure
Audit Account Lockout                           Success, Failure
Audit User/Device Claims                        Success, Failure
Audit Group Membership                          Success, Failure
Audit Logoff                                    Success, Failure
Audit Logon                                     Success, Failure
Audit Other Logon/Logoff Events                 Success, Failure
Audit Special Logon                             Success, Failure
Audit Detailed File Share                       Success, Failure
Audit File Share                                Success, Failure
Audit File System                               Success, Failure
Audit Filtering Platform Connection             Failure
Audit Other Object Access Events                Success, Failure
Audit Registry                                  Success, Failure
Audit Removable Storage                         Success, Failure
Audit Audit Policy Change                       Success, Failure
Audit Authentication Policy Change              Success, Failure
Audit MPSSVC Rule-Level Policy Change           Success, Failure
Audit Other Policy Change Events                Success, Failure
Audit Non Sensitive Privilege Use               Failure
Audit Sensitive Privilege Use                   Success, Failure
Audit Other System Events                       Success, Failure
Audit Security State Change                     Success, Failure
Audit Security System Extension                 Success, Failure
Audit System Integrity                          Success, Failure

Windows Security Audit Recommendations: Clients

Description                                     Settings
Audit Credential Validation                     Success, Failure
Audit Other Account Logon Events                Success, Failure
Audit Security Group Management                 Success, Failure
Audit User Account Management                   Success, Failure
Audit DPAPI Activity                            Success, Failure
Audit PNP Activity                              Success, Failure
Audit Process Creation                          Success, Failure
Audit Process Termination                       Success, Failure
Audit Account Lockout                           Success, Failure
Audit User/Device Claims                        Success, Failure
Audit Group Membership                          Success, Failure
Audit Logoff                                    Success, Failure
Audit Logon                                     Success, Failure
Audit Other Logon/Logoff Events                 Success, Failure
Audit Special Logon                             Success, Failure
Audit Detailed File Share                       Success, Failure
Audit File Share                                Success, Failure
Audit File System                               Success, Failure
Audit Filtering Platform Connection             Failure
Audit Other Object Access Events                Success, Failure
Audit Registry                                  Success, Failure
Audit Removable Storage                         Success, Failure
Audit Audit Policy Change                       Success, Failure
Audit Authentication Policy Change              Success, Failure
Audit MPSSVC Rule-Level Policy Change           Success, Failure
Audit Other Policy Change Events                Success, Failure
Audit Non Sensitive Privilege Use               Failure
Audit Sensitive Privilege Use                   Success, Failure
Audit Other System Events                       Success, Failure
Audit Security State Change                     Success, Failure
Audit Security System Extension                 Success, Failure
Audit System Integrity                          Success, Failure
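The four tables above differ only in the domain-controller rows, so they can be applied from one script. The following PowerShell is an added example, not part of the original page: it encodes the tables as auditpol.exe subcategory settings, selects the rows for the chosen role, applies them and reads the effective policy back to report any mismatch. Assumptions: it is run elevated on the target host, and the subcategory names are the English ones auditpol uses (on a localized OS, use the GUIDs from `auditpol /list /subcategory:* /v` instead). The table row "Audit PNP Activity" corresponds to the auditpol subcategory "Plug and Play Events".

```powershell
# Added example, not from the original page: apply one of the role tables with auditpol.exe
# and verify the result. Run elevated. Names are auditpol's English subcategory names.
$Role = 'MemberServer'   # DomainController | MemberServer | StandaloneServer | Client

# Rows shared by all four tables. 'SF' = Success and Failure, 'F' = Failure only.
$Common = @{
    'Credential Validation'           = 'SF'; 'Other Account Logon Events'    = 'SF'
    'Security Group Management'       = 'SF'; 'User Account Management'       = 'SF'
    'DPAPI Activity'                  = 'SF'; 'Plug and Play Events'          = 'SF'   # "PNP Activity"
    'Process Creation'                = 'SF'; 'Process Termination'           = 'SF'
    'Account Lockout'                 = 'SF'; 'User / Device Claims'          = 'SF'
    'Group Membership'                = 'SF'; 'Logoff'                        = 'SF'
    'Logon'                           = 'SF'; 'Other Logon/Logoff Events'     = 'SF'
    'Special Logon'                   = 'SF'; 'Detailed File Share'           = 'SF'
    'File Share'                      = 'SF'; 'File System'                   = 'SF'
    'Filtering Platform Connection'   = 'F';  'Other Object Access Events'    = 'SF'
    'Registry'                        = 'SF'; 'Removable Storage'             = 'SF'
    'Audit Policy Change'             = 'SF'; 'Authentication Policy Change'  = 'SF'
    'MPSSVC Rule-Level Policy Change' = 'SF'; 'Other Policy Change Events'    = 'SF'
    'Non Sensitive Privilege Use'     = 'F';  'Sensitive Privilege Use'       = 'SF'
    'Other System Events'             = 'SF'; 'Security State Change'         = 'SF'
    'Security System Extension'       = 'SF'; 'System Integrity'              = 'SF'
}
# Domain controllers add the Kerberos, account-management and directory-service rows,
# and the DC table logs only failures for Detailed File Share.
$DcExtra = @{
    'Kerberos Authentication Service'        = 'SF'; 'Kerberos Service Ticket Operations' = 'SF'
    'Computer Account Management'            = 'SF'; 'Distribution Group Management'      = 'SF'
    'Other Account Management Events'        = 'SF'; 'Detailed Directory Service Replication' = 'SF'
    'Directory Service Access'               = 'SF'; 'Directory Service Changes'          = 'SF'
    'Directory Service Replication'          = 'SF'; 'Detailed File Share'                = 'F'
}

$Policy = $Common.Clone()
if ($Role -eq 'DomainController') { foreach ($k in $DcExtra.Keys) { $Policy[$k] = $DcExtra[$k] } }

# Subcategory settings only take effect if they override the legacy category settings
# (Security Options: "Audit: Force audit policy subcategory settings ... to override ...").
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$cur = (Get-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue).SCENoApplyLegacyAuditPolicy
if ($cur -ne 1) { Set-ItemProperty -Path $lsa -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord }

foreach ($sub in $Policy.Keys) {
    $s = if ($Policy[$sub] -like '*S*') { 'enable' } else { 'disable' }
    $f = if ($Policy[$sub] -like '*F*') { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$sub" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol rejected '$sub'; check the name with: auditpol /list /subcategory:*" }
}

# Verify: read the effective policy back as CSV and compare with the table.
$effective = (auditpol.exe /get /category:* /r) | Where-Object { $_ -ne '' } | ConvertFrom-Csv
foreach ($sub in $Policy.Keys) {
    $want = switch ($Policy[$sub]) { 'SF' { 'Success and Failure' } 'S' { 'Success' } 'F' { 'Failure' } }
    $row  = $effective | Where-Object { $_.Subcategory -eq $sub }
    if (-not $row) { Write-Warning "Not found in auditpol output: $sub"; continue }
    if ($row.'Inclusion Setting' -ne $want) { Write-Warning "$sub is '$($row.'Inclusion Setting')', expected '$want'" }
}
```

Two things to keep in mind when applying the tables: "File System", "Registry" and "Removable Storage" only produce events for objects that carry a SACL, so the policy alone yields nothing until auditing entries are placed on the paths that matter; and "Filtering Platform Connection" and "Process Termination" are high-volume, so raise the Security log size (for example `wevtutil sl Security /ms:1073741824`) or forward the events before enabling them fleet-wide. In a domain the same settings belong in a GPO under Advanced Audit Policy Configuration, where the local auditpol result is overwritten at the next policy refresh.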

Windows Security Audit Recommendations: Domain Controller, Member Server, Clients (Security Options)

Description                                                                 Settings
Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options
Network security: Restrict NTLM: Audit Incoming NTLM Traffic                Enable auditing for all accounts
Network security: Restrict NTLM: Audit NTLM authentication in this domain   Enable all
Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers    Audit all
Computer Configuration -> Administrative Templates -> Windows Components -> Windows PowerShell
Turn on Module Logging                                                      Enabled (Module Names: *)
Turn on PowerShell Script Block Logging                                     Enabled
Log script block invocation start / stop events                             Disabled
Computer Configuration -> Administrative Templates -> System -> Audit Process Creation
Include command line in process creation events                             Enabled
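The settings in this last table are not part of the advanced audit policy and are not set with auditpol; each one is backed by a registry value that the GPO writes. The following PowerShell is an added example, not part of the original page: it writes those values directly and then checks that the resulting events appear. Assumptions: it is run elevated on a lab host (in production, set the same values through the GPO paths above, since values under HKLM\SOFTWARE\Policies are overwritten at the next policy refresh), and the `$IsDomainController` switch, because "Audit NTLM authentication in this domain" only exists on domain controllers even though the table heading covers all roles.

```powershell
# Added example, not from the original page: the registry values behind the Security Options
# and Administrative Template settings above, plus a check that the events show up.
$IsDomainController = $false   # assumption; AuditNTLMInDomain is only evaluated on DCs

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# Network security: Restrict NTLM (Security Options)
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
Set-PolicyValue $msv 'AuditReceivingNTLMTraffic' 2   # Audit Incoming NTLM Traffic: all accounts (0 = off, 1 = domain accounts)
Set-PolicyValue $msv 'RestrictSendingNTLMTraffic' 1  # Outgoing NTLM to remote servers: Audit all (0 = allow, 2 = deny)
if ($IsDomainController) {
    # Audit NTLM authentication in this domain: Enable all (1/3/5 are the partial options)
    Set-PolicyValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' 'AuditNTLMInDomain' 7
}

# Windows PowerShell: module logging for every module, script block logging without start/stop events
$ps = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
Set-PolicyValue "$ps\ModuleLogging"             'EnableModuleLogging'                1
Set-PolicyValue "$ps\ModuleLogging\ModuleNames" '*'                                  '*' 'String'   # Module Names: *
Set-PolicyValue "$ps\ScriptBlockLogging"        'EnableScriptBlockLogging'           1
Set-PolicyValue "$ps\ScriptBlockLogging"        'EnableScriptBlockInvocationLogging' 0               # start/stop events off

# Audit Process Creation: include the command line in event 4688
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled' 1

# Checks. The PowerShell settings apply to sessions started afterwards, so open a new
# session, run a command, and then look for 4103 (module) and 4104 (script block) events.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4103, 4104 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'FirstLine'; e = { $_.Message.Split("`n")[0] } }

# 4688 should now carry the CommandLine field; empty values mean the setting is not active yet.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    ForEach-Object { ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'CommandLine' | Select-Object -ExpandProperty '#text' }

# NTLM audit events land in the NTLM operational log: 8001 outgoing, 8002 incoming, 8003/8004 domain-level.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8001, 8002, 8003, 8004 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'FirstLine'; e = { $_.Message.Split("`n")[0] } }
```

Command-line logging in 4688 and script block logging in 4104 record whatever was typed or executed, including any secrets passed as arguments, so the Security and PowerShell operational logs need the same access protection as the credentials they may contain.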