Audit Policies – Windows Server 2008

Audit policies in a Windows 2008 domain changed significantly. Up to Windows 2003 they were managed through GPMC / Gpedit (Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy), which only exposes nine coarse audit categories. Windows 2008 still lets you manage them through those tools, but it also supports granular audit policy, where you enable or disable auditing per category and per subcategory. This gives you much finer control over exactly which events are written to the Security log in Event Viewer. Two practical caveats: on Windows Server 2008 there is no Group Policy editor UI for the subcategories (that only arrived with Advanced Audit Policy Configuration in Windows Server 2008 R2), so they are set with auditpol.exe, typically from a startup script; and a legacy category-level audit policy applied by GPO will overwrite your subcategory settings on the next policy refresh unless the Security Option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled.

To list every category and subcategory that can be audited (the /r switch prints CSV, which is convenient for scripting): auditpol /list /subcategory:* /r

To see the audit settings currently in effect: auditpol /get /category:*

Other examples:

auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /failure:enable

Subcategory names are matched case-insensitively, and auditpol also accepts the subcategory GUID (from the list below) in place of the name, which is useful on localized installations where the display names differ.
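The following script is an added example, not code from the original post: it parses the CSV that auditpol /get emits, compares the live subcategory settings against a desired baseline, prints the exact auditpol /set commands needed to close each gap, and checks the SCENoApplyLegacyAuditPolicy value that protects those settings from being reverted by legacy GPO category policy. It assumes Windows PowerShell 2.0 or later (available for Windows Server 2008 through the Windows Management Framework), an elevated prompt, and an English-language auditpol; the baseline values are illustrative, not a recommendation taken from the post.

```powershell
# Added example (not from the original post): compare live auditpol subcategory
# settings with a desired baseline and emit/apply the auditpol /set fixes.
# Assumes PowerShell 2.0+, an elevated prompt and English auditpol output.
param([switch]$Apply)   # without -Apply the script only reports and prints fixes

# Desired "Inclusion Setting" per subcategory, using the exact names that
# "auditpol /list /subcategory:* /r" prints. Valid values are
# "No Auditing", "Success", "Failure" and "Success and Failure".
# These values are illustrative, not a baseline from the post.
$Baseline = @{
    'Logon'                           = 'Success and Failure'
    'Logoff'                          = 'Success'
    'Account Lockout'                 = 'Success'
    'User Account Management'         = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Credential Validation'           = 'Success and Failure'
    'Kerberos Authentication Service' = 'Success and Failure'
}

function Get-AuditPolicy {
    # "/r" makes auditpol print CSV with the columns Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting and Exclusion Setting.
    # The output may start with a blank line, so drop empty lines before parsing.
    auditpol /get /category:* /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
}

function ConvertTo-AuditPolFlags {
    # Translate an "Inclusion Setting" string into the /success and /failure
    # switches that "auditpol /set" expects.
    param([string]$Setting)
    switch ($Setting) {
        'No Auditing'         { '/success:disable /failure:disable' }
        'Success'             { '/success:enable /failure:disable' }
        'Failure'             { '/success:disable /failure:enable' }
        'Success and Failure' { '/success:enable /failure:enable' }
        default               { throw "Unknown audit setting '$Setting'" }
    }
}

function Get-AuditDrift {
    # Return one object per subcategory whose live setting differs from $Desired.
    param([hashtable]$Desired)
    $current = @{}
    foreach ($row in Get-AuditPolicy) {
        $current[$row.Subcategory] = $row.'Inclusion Setting'
    }
    foreach ($name in $Desired.Keys) {
        if (-not $current.ContainsKey($name)) {
            Write-Warning "Subcategory '$name' not found on this host; check it against auditpol /list"
            continue
        }
        if ($current[$name] -ne $Desired[$name]) {
            New-Object PSObject -Property @{
                Subcategory = $name
                Current     = $current[$name]
                Desired     = $Desired[$name]
                Fix         = 'auditpol /set /subcategory:"{0}" {1}' -f $name, (ConvertTo-AuditPolFlags $Desired[$name])
            }
        }
    }
}

# Legacy category-level audit policy pushed by GPO overwrites subcategory
# settings on policy refresh unless this Lsa value is 1, which is what the
# Security Option "Audit: Force audit policy subcategory settings (Windows
# Vista or later) to override audit policy category settings" writes.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1; GPO category settings may revert these subcategories on refresh'
}

$drift = @(Get-AuditDrift -Desired $Baseline)
if ($drift.Count -eq 0) {
    'Audit policy matches the baseline.'
} else {
    $drift | Format-Table Subcategory, Current, Desired -AutoSize
    foreach ($d in $drift) {
        $d.Fix
        if ($Apply) { cmd.exe /c $d.Fix }   # run the exact command that was printed
    }
}
```

Run it as `.\Check-AuditPolicy.ps1` to report only, or with `-Apply` to execute the printed commands. The CSV headers and the "Inclusion Setting" strings are localized, so on a Portuguese or other non-English installation either adjust the strings or key the comparison on the Subcategory GUID column, which is the same on every language build.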

Full list of categories and subcategories. Unindented entries are the nine categories (highlighted in yellow in the original post); the indented entries beneath each are its subcategories, and the second column is the GUID that auditpol accepts in place of the name:

System,{69979848-797A-11D9-BED3-505054503030}
  Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030}
  Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030}
  System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030}
  IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030}
  Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030}

Logon/Logoff,{69979849-797A-11D9-BED3-505054503030}
  Logon,{0CCE9215-69AE-11D9-BED3-505054503030}
  Logoff,{0CCE9216-69AE-11D9-BED3-505054503030}
  Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030}
  IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030}
  IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030}
  IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030}
  Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030}
  Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030}
  Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030}

Object Access,{6997984A-797A-11D9-BED3-505054503030}
  File System,{0CCE921D-69AE-11D9-BED3-505054503030}
  Registry,{0CCE921E-69AE-11D9-BED3-505054503030}
  Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030}
  SAM,{0CCE9220-69AE-11D9-BED3-505054503030}
  Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030}
  Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030}
  Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030}
  File Share,{0CCE9224-69AE-11D9-BED3-505054503030}
  Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030}
  Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030}
  Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030}

Privilege Use,{6997984B-797A-11D9-BED3-505054503030}
  Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030}
  Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030}
  Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030}

Detailed Tracking,{6997984C-797A-11D9-BED3-505054503030}
  Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030}
  Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030}
  DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030}
  RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030}

Policy Change,{6997984D-797A-11D9-BED3-505054503030}
  Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030}
  Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030}
  Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030}
  MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030}
  Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030}
  Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030}

Account Management,{6997984E-797A-11D9-BED3-505054503030}
  User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030}
  Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030}
  Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030}
  Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030}
  Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030}
  Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030}

DS Access,{6997984F-797A-11D9-BED3-505054503030}
  Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030}
  Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030}
  Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030}
  Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030}

Account Logon,{69979850-797A-11D9-BED3-505054503030}
  Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030}
  Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030}
  Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030}
  Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030}

This post was published in the category Windows 2008.