Это сводит меня с ума. Я искал решение проблемы, но ничего не нашел. Я нашел этот вопрос , который я думал , держал решение через auditpol.exe. Нет кости.

Я могу установить мою политику аудита Windows, используя secpol.msc или gpedit.msc. Проблема в том, что через несколько минут они очищаются (все настроены на "Нет аудита"). Из журнала событий я получаю только одну подсказку:

System audit policy was changed.

Subject:
Security ID:        SYSTEM
Account Name:       MYCOMPUTERNAME$
Account Domain:     WORKGROUP
Logon ID:           0x3e7

Audit Policy Change:
Category:           Account Logon
Subcategory:        Kerberos Authentication Service
Subcategory GUID:   {0cce9242-69ae-11d9-bed3-505054503030}
Changes:            Success removed, Failure removed

После последнего из них никакие дальнейшие записи не будут записываться в журнал событий безопасности.

Конфигурация моей системы:

OS: Windows 7 Ultimate w/ SP1
Processor: x64
RAM: 12 GB
NOT Domain-joined. In WORKGROUP (so, no Group Policy is being applied).
Windows Firewall enabled
Microsoft Security Essentials

Обновить:

Я также обратился за помощью на форумы сообщества Microsoft по этому вопросу, и из полученного мной ответа (от Microsoft) ясно, что они не понимают проблему. С этой целью я подумал, что было бы целесообразно добавить дополнительные детали здесь.

Конкретные команды, которые я использую для настройки аудита, следующие:

auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable
auditpol.exe /set /category:"Account Management" /success:enable /failure:enable
auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable
auditpol.exe /set /category:"DS Access" /success:disable /failure:enable
auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol.exe /set /category:"Object Access" /success:disable /failure:disable
auditpol.exe /set /category:"Policy Change" /success:disable /failure:enable
auditpol.exe /set /category:"Privilege Use" /success:disable /failure:enable
auditpol.exe /set /category:"System" /success:enable /failure:enable

auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:enable

и вывод файла audpol.exe /get /category:*

System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             Failure
  Other Privilege Use Events              Failure
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         Failure
  Filtering Platform Policy Change        Failure
  Other Policy Change Events              Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Failure
  Directory Service Replication           Failure
  Detailed Directory Service Replication  Failure
  Directory Service Access                Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure

Через несколько минут, не затрагивая ничего, касающегося одитинга, повтор дает:

System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

В журнале событий нет указаний на то, что внесены изменения.

1 ответ1

0

Возможно, для параметра «Аудит: принудительно настроить параметры подкатегории политики аудита» установлено значение "Включено"? Кажется, это будет перезаписывать "устаревшие" политики аудита периодически и после перезагрузки.

Смотрите: http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

Всё ещё ищете ответ? Посмотрите другие вопросы с метками .