Hello,
In this post we cover the Event ID reference for Windows Server and the audit policy configuration needed to make these events appear in the logs.
Security Log
4732 – Local group member added
4733 – Local group member removed
4731 – Local group created
4734 – Local group deleted
4720 – User account created
4726 – User account deleted
4735 – Local group changed
4738 – User account changed
4723 – Change password attempt
4724 – User account password set
4781 – User name changed
4657, 4663 – Object access attempt
4656 – Object open
4658 – Handle closed
4698, 4699, 4700, 4701, 4702 – Scheduled task created, deleted, enabled, disabled, updated
Application Log
Event Source: MsiInstaller
11707 – Software was installed
11724 – Software was uninstalled
System Log
Event Source: Service Control Manager
7036 – Service state changed
7040 – Service start type changed
Local Policy Audit Settings
gpedit.msc > Local Computer Policy > Computer Configuration >
Windows Settings > Security Settings > Local Policies > Audit Policy:
Audit account management > Define > Success
Audit object access > Define > Success
Registry-level Auditing Settings
regedit.exe > HKEY_LOCAL_MACHINE > Right-click “SOFTWARE” >
Permissions > Advanced > Auditing (Tab) > Click “Add” > Principal
“Everyone” > Type “Success” > Applies to “This key and subkeys” >
Advanced Permissions > Check:
“Set Value”,
“Create Subkey”
“Delete”,
“Write DAC”
“Write Owner”
Repeat the steps above for the “HKEY_LOCAL_MACHINE\SYSTEM” and
“HKEY_USERS\.DEFAULT” nodes
Event Log Settings
eventvwr.msc > Windows Logs > Right-click “Application” log >
Properties:
Make sure the “Enable logging” check box is selected
Set retention method to “Overwrite events as needed” or “Archive the
log when full”
Set “Maximum log size” to 4 GB
Repeat this operation for the “Security” and “System” event logs
Open Event Viewer and search the corresponding log for the IDs listed
in the Event ID Reference box
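The same procedure scripted as an added example (not from the original post or netwrix.com): it applies the audit policy and event log settings above, reads the resulting log configuration back, and then searches the three logs for the IDs in the reference box. It assumes an elevated Windows PowerShell 5.1 session on an English-language Windows Server (auditpol category names are localized elsewhere); the registry SACL step stays with the regedit procedure above, because writing a SACL from a script needs SeSecurityPrivilege enabled on the process token.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post. Assumes an elevated
# Windows PowerShell 5.1 session on an English-language Windows Server.

# The Event ID reference box above, grouped by log and event source.
$AuditReference = @(
    @{ LogName = 'Security';    Id = 4720,4723,4724,4726,4731,4732,4733,4734,4735,4738,4781,
                                     4656,4657,4658,4663,4698,4699,4700,4701,4702 },
    @{ LogName = 'Application'; ProviderName = 'MsiInstaller';            Id = 11707,11724 },
    @{ LogName = 'System';      ProviderName = 'Service Control Manager'; Id = 7036,7040 }
)

function Enable-AuditSettings {
    # Audit Policy: "Audit account management" and "Audit object access" -> Success.
    foreach ($category in 'Account Management','Object Access') {
        auditpol /set /category:"$category" /success:enable | Out-Null
    }
    # Event Log Settings: logging enabled, 4 GB maximum size, overwrite events
    # as needed (/rt:false). Use /rt:true /ab:true for "Archive the log when full".
    foreach ($log in 'Application','Security','System') {
        wevtutil set-log $log /e:true /ms:4294967296 /rt:false
    }
}

function Get-LogSettings([string]$LogName) {
    # Parses 'wevtutil get-log' output (key: value lines) into a hashtable
    # so the enabled/maxSize/retention values can be verified after the change.
    $settings = @{}
    foreach ($line in (wevtutil get-log $LogName)) {
        if ($line -match '^\s*(\w+):\s*(.*)$') { $settings[$matches[1]] = $matches[2] }
    }
    return $settings
}

function Get-AuditReferenceEvents([int]$Hours = 24) {
    # Searches each log for the reference IDs and counts hits per event ID.
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($filter in $AuditReference) {
        $query = $filter.Clone(); $query['StartTime'] = $since
        Get-WinEvent -FilterHashtable $query -ErrorAction SilentlyContinue |
            Group-Object -Property Id | ForEach-Object {
                [pscustomobject]@{ LogName = $filter.LogName; EventId = [int]$_.Name; Count = $_.Count }
            }
    }
}

Enable-AuditSettings
Get-LogSettings 'Security' | Format-Table -AutoSize      # expect enabled: true, maxSize: 4294967296
Get-AuditReferenceEvents -Hours 24 | Format-Table -AutoSize
```

Counts only appear after the relevant activity (group changes, MSI installs, service changes) has happened with auditing already on, so a fresh system legitimately returns an empty table.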
Source: netwrix.com
See you in another post,