Windows Server Auditing

Greetings,

In this post we cover the Event ID references for Windows Server and the policy configuration required for auditing.

Security Log
- 4732 – Local group member added
- 4733 – Local group member removed
- 4731 – Local group created
- 4734 – Local group deleted
- 4720 – User account created
- 4726 – User account deleted
- 4735 – Local group changed
- 4738 – User account changed
- 4723 – Change password attempt
- 4724 – User account password set
- 4781 – User name changed
- 4657, 4663 – Object access attempt
- 4656 – Object open
- 4658 – Handle closed
- 4698, 4699, 4700, 4701, 4702 – Scheduled task created, deleted, enabled, disabled, updated

Application Log
Event Source: MsiInstaller
- 11707 – Software was installed
- 11724 – Software was uninstalled

System Log
Event Source: Service Control Manager
- 7036 – Service state changed
- 7040 – Service start type changed

Local Policy Audit Settings

gpedit.msc > Local Computer Policy > Computer Configuration >
Windows Settings > Security Settings > Local Policies > Audit Policy:
- Audit account management > Define > Success
- Audit object access > Define > Success
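The same two categories set from the command line with auditpol.exe, as an added example that is not part of the original post. Run it from an elevated prompt; on a domain-joined server a GPO that defines these settings will reapply its own values at the next policy refresh.

```powershell
# Added example (not from the original post): enable the two audit categories
# named in the gpedit.msc steps above with auditpol.exe, then verify.

auditpol.exe /set /category:"Account Management" /success:enable
auditpol.exe /set /category:"Object Access"       /success:enable

# Verify the effective policy for both categories
auditpol.exe /get /category:"Account Management","Object Access"

# Narrower alternative for the registry auditing configured later in this post:
# enabling only the Registry subcategory avoids the noisier Object Access
# subcategories (file system, filtering platform, handle manipulation).
# auditpol.exe /set /subcategory:"Registry" /success:enable
```

Enabling the whole Object Access category at the category level turns on every subcategory beneath it, so expect a high volume of 4656/4658/4663 events on a busy server. If you prefer the subcategory route, keep in mind that the legacy category settings from gpedit.msc or a GPO can override subcategory settings unless the security option "Force audit policy subcategory settings to override audit policy category settings" is enabled.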

Registry-level Auditing Settings

regedit.exe > HKEY_LOCAL_MACHINE > Right-click “SOFTWARE” >
Permissions > Advanced > Auditing (Tab) > Click “Add” > Principal
“Everyone” > Type “Success” > Applies to “This key and subkeys” >
Advanced Permissions > Check:
- “Set Value”
- “Create Subkey”
- “Delete”
- “Write DAC”
- “Write Owner”
- Repeat the steps above for the “HKEY_LOCAL_MACHINE\SYSTEM” and “HKEY_USERS\.DEFAULT” nodes
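The same SACL entries applied from PowerShell instead of the regedit dialog, as an added example that is not from the original post. It maps the dialog labels to the .NET RegistryRights names (Set Value = SetValue, Create Subkey = CreateSubKey, Delete = Delete, Write DAC = ChangePermissions, Write Owner = TakeOwnership). Modifying a SACL requires SeSecurityPrivilege, so run it elevated.

```powershell
# Added example (not from the original post): add a Success audit entry for
# Everyone on the three registry nodes named above, inherited by subkeys,
# then list the resulting audit entries.

$rights      = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$inheritance = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit   # "This key and subkeys"
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]::Success                # Type "Success"

$rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
                   -ArgumentList 'Everyone', $rights, $inheritance, $propagation, $auditFlags

# The three nodes from the post, in PowerShell provider notation
$keys = 'HKLM:\SOFTWARE', 'HKLM:\SYSTEM', 'Registry::HKEY_USERS\.DEFAULT'

foreach ($key in $keys) {
    $acl = Get-Acl -Path $key -Audit    # -Audit is required to read and write the SACL
    $acl.AddAuditRule($rule)
    Set-Acl -Path $key -AclObject $acl
}

# Verify: show the audit entries now present on each key
foreach ($key in $keys) {
    (Get-Acl -Path $key -Audit).Audit |
        Select-Object @{ n = 'Key'; e = { $key } },
                      IdentityReference, RegistryRights, AuditFlags, InheritanceFlags
}
```

These SACLs only produce events when the Object Access category (or its Registry subcategory) is enabled for Success, which is what the previous section configures. Because HKLM\SOFTWARE and HKLM\SYSTEM are written to constantly by Windows and by installers, expect a steady stream of 4657 and 4663 events; size the Security log accordingly, as the next section does.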

Event Log Settings

eventvwr.msc > Windows Logs > Right-click “Application” log >
Properties:
- Make sure the “Enable logging” check box is selected
- Set retention method to “Overwrite events as needed” or “Archive the log when full”
- Set “Maximum log size” to 4 GB
- Repeat this operation for the “Security” and “System” event logs
- Open Event Viewer and search the corresponding log for the IDs listed in the Event ID Reference box
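The Event Log Settings steps applied with wevtutil.exe and verified with Get-WinEvent, as an added example that is not part of the original post. wevtutil takes the size in bytes (4 GB = 4294967296); /rt:false means "Overwrite events as needed", while /rt:true together with /ab:true means "Archive the log when full". Run it elevated.

```powershell
# Added example (not from the original post): enable the three logs, set the
# 4 GB maximum size and the retention mode, then verify the settings.

$logs     = 'Application', 'Security', 'System'
$maxBytes = 4GB    # PowerShell numeric suffix; evaluates to 4294967296

foreach ($log in $logs) {
    # Option A: "Overwrite events as needed"
    wevtutil.exe sl $log /e:true "/ms:$maxBytes" /rt:false /ab:false

    # Option B (use instead of A): "Archive the log when full"
    # wevtutil.exe sl $log /e:true "/ms:$maxBytes" /rt:true /ab:true
}

# Verify: LogMode is Circular for option A, AutoBackup for option B
Get-WinEvent -ListLog $logs |
    Select-Object LogName, IsEnabled, MaximumSizeInBytes, LogMode |
    Format-Table -AutoSize
```

When "Archive the log when full" is chosen, the archived .evtx files accumulate in the log's folder (by default under %SystemRoot%\System32\winevt\Logs) and are never deleted automatically, so plan disk space or a forwarding collector for them; otherwise a full disk silently stops new archives.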

Source: netwrix.com

See you in another post,
