Introduction
Windows Audit Policy is used to determine the verbosity of Windows Security Logs on domain controllers and other
computers on the domain. The recommendations in this document have been found to be most effective from both a
best practice and compliance standpoint and are based on customer experience and recommendations from Microsoft.
Requirements
Setting Windows Audit Policy for use with the SolarWinds Log & Event Manager requires the following.
• Active Directory deployed. Policies can be at the local machine if AD is not deployed.
• Windows Server 2003 or higher.
• Permissions to change Windows Audit Policy at the domain, site, or OU level using Group Policy Management or
similar application.
• Access to the web-based LEM console or the Adobe-Air-based LEM console.
You can find relevant articles by searching for audit policy best practice from the page linked above.
Logon events represent instances of users logging on to or logging off from a computer that is logging those events.
Account logon events are specifically related to domain logon events and are logged in the security log for the
related domain controller.
Account management events are the “change management” events on a computer. These events include all
changes made to users, groups and machines.
Copyright © 1999-2017 SolarWinds Worldwide, LLC. All rights reserved worldwide. No part of this document may be reproduced by any
means nor modified, decompiled, disassembled, published or distributed, in whole or in part, or translated to any electronic medium or other
means without the written consent of SolarWinds. All right, title, and interest in and to the software and documentation are and shall remain
the exclusive property of SolarWinds and its respective licensors.
Audit logon events
Logon events represent instances of users logging on to or logging off from a computer that is logging those events.
Events in this category are logged in the security log of the local computer onto which the user is logging, even when
the user is actually logging onto the domain using their local computer.
Object access events track users accessing objects that have their own system access control lists. Such objects
include files, folders and printers.
Policy change events represent instances in which local or group policy is changed. These changes include changes
to user rights assignments, audit policies and trust policies.
Privilege use events track users accessing objects based on their level of privilege to do so. Such objects include
files, folders and printers, or any object that has its own system access control list defined.
Process tracking logs all instances of process, service and program starts and stops. This can be useful to track both
wanted and unwanted processes such as AV services and malicious programs, respectively.
System events include start up and shut down events on the computer logging them, along with events that affect the
system’s security. These are operating system events and are only logged locally.
• Audit privilege use
Default Domain Policy applies to all computers on your domain except your domain controllers.
For this policy, select Success and Failure for the following:
• Audit account logon events
• Audit account management
• Audit logon events
• Audit policy change
• Audit system events
You may also select Success and Failure for Audit process tracking to monitor critical processes such as the AV service
or unauthorized programs such as games or malicious executable files.
Note: Enabling auditing at the level of Audit process tracking will significantly increase the number of events in the
system logs. Therefore, your LEM database will grow more quickly as it collects these logs. There may also be
bandwidth implications. This is wholly dependent upon your network's traffic volume and bandwidth capacity.
Since agent traffic is transmitted to the manager as a real-time "trickle" of data, the bandwidth impact is typically minimal.
Open the Group Policy Management Console (or gpedit.msc if not using AD), and go to:
Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration
Then go to:
Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options >
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings ==> Enabled
PCI-DSS log selection
System
Logon/Logoff
Object Access
  File System ==> Success and Failure
  SAM ==> No Auditing
Privilege Use
Detailed Tracking
Policy Change
Account Management
DS Access
Account Logon
  Kerberos Service Ticket Operations ==> Success and Failure
Note: The above auditing includes disabling 9 of the sub-categories that create noise from the Windows Filtering Platform.
Not disabling this 'noise' can result in a higher volume of events being sent to the LEM, rules firing needlessly, the need for
increased resource reservations in the LEM, and an excessive number of events logged internally in the Windows security
event log.
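The Group Policy path above is the right way to roll these settings out across a domain, but on a machine that is not managed by AD (or when checking what a domain member actually received) the same subcategory settings can be applied and verified locally with auditpol.exe. The script below is an added example, not a SolarWinds script or part of the LEM documentation. It applies the three subcategory settings this document states (File System, SAM, Kerberos Service Ticket Operations), sets the registry value that backs the "Audit: Force audit policy subcategory settings..." option (SCENoApplyLegacyAuditPolicy, a documented Windows value), and then reads auditpol's CSV output to confirm the effective policy. The document does not name the nine Windows Filtering Platform sub-categories it disables; the three WFP subcategory names used here are real auditpol names chosen as an assumed illustration of that step, not the document's list.

```powershell
# Added example, not SolarWinds' own script: apply this document's subcategory
# audit settings with auditpol.exe on one machine and verify the result.
# Run from an elevated PowerShell prompt on Windows Server 2008 / Vista or later.

# Registry value behind "Audit: Force audit policy subcategory settings
# (Windows Vista or later) to override audit policy category settings" = Enabled.
# Without it, legacy category settings can override the subcategory settings below.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Subcategory settings stated in the document.
$settings = @(
    @{ Subcategory = 'File System';                        Success = 'enable';  Failure = 'enable'  }
    @{ Subcategory = 'SAM';                                Success = 'disable'; Failure = 'disable' }
    @{ Subcategory = 'Kerberos Service Ticket Operations'; Success = 'enable';  Failure = 'enable'  }
)

# ASSUMPTION: the document says nine WFP sub-categories are disabled but does not
# list them. These three are real auditpol subcategory names for the Windows
# Filtering Platform and stand in for that list here.
$wfpNoise = @(
    'Filtering Platform Packet Drop',
    'Filtering Platform Connection',
    'Filtering Platform Policy Change'
)
foreach ($name in $wfpNoise) {
    $settings += @{ Subcategory = $name; Success = 'disable'; Failure = 'disable' }
}

# Apply each setting. auditpol returns a non-zero exit code on a bad name or
# insufficient privilege, so check $LASTEXITCODE rather than assuming success.
foreach ($s in $settings) {
    auditpol.exe /set /subcategory:"$($s.Subcategory)" `
        /success:$($s.Success) /failure:$($s.Failure) | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for subcategory '$($s.Subcategory)'"
    }
}

# Verify: /r makes auditpol emit CSV with an 'Inclusion Setting' column such as
# "Success and Failure" or "No Auditing". Compare it with what was requested.
$expected = @{
    'enable|enable'   = 'Success and Failure'
    'enable|disable'  = 'Success'
    'disable|enable'  = 'Failure'
    'disable|disable' = 'No Auditing'
}
$report = auditpol.exe /get /category:* /r | ConvertFrom-Csv
foreach ($s in $settings) {
    $row  = $report | Where-Object { $_.Subcategory -eq $s.Subcategory }
    $want = $expected["$($s.Success)|$($s.Failure)"]
    $have = $row.'Inclusion Setting'
    $flag = if ($have -eq $want) { 'OK  ' } else { 'DIFF' }
    '{0} {1,-40} expected: {2,-20} effective: {3}' -f $flag, $s.Subcategory, $want, $have
}
```

Any line marked DIFF means a Group Policy object or a legacy category setting is overriding the local value; in that case fix the GPO rather than re-running the script, since the next policy refresh would revert the local change.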
For each of the following, uncheck the check boxes for console / database / warehouse / rules:
Machine Logon ==> Generic Alert > Audit Alert > Auth Audit > Machine Auth Audit > Machine Logon
Machine Logoff ==> Generic Alert > Audit Alert > Auth Audit > Machine Auth Audit > Machine Logoff
Machine Auth Ticket ==> Generic Alert > Audit Alert > Auth Audit > Machine Auth Audit > Machine Auth Ticket
Disclaimer: Please note, any content posted herein is provided as a suggestion or recommendation to you for your
internal use. This is not part of the SolarWinds software or documentation that you purchased from SolarWinds, and the
information set forth herein may come from third parties. Your organization should internally review and assess to what
extent, if any, such custom scripts or recommendations will be incorporated into your environment. You elect to use
third party content at your own risk, and you will be solely responsible for the incorporation of the same, if any.