- Plan for File Access Auditing
- Audit Policy Recommendations
- Recommended Audit Policies by Operating System
- Set Audit Policy on Workstations and Servers
- Events to Monitor
- Active Directory Objects and Attributes to Monitor
- Additional Information for Monitoring Active Directory Domain Services
- General List of Security Event ID Recommendation Criticalities
Plan for File Access Auditing
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
The information in this topic explains the security auditing enhancements that are introduced in Windows Server 2012 and the new audit settings that you should consider as you deploy Dynamic Access Control in your enterprise. The actual audit policy settings that you deploy will depend on your goals, which can include regulatory compliance, monitoring, forensic analysis, and troubleshooting.
Detailed information about how to plan and deploy an overall security auditing strategy for your enterprise is explained in Planning and Deploying Advanced Security Audit Policies. For more information about configuring and deploying a security audit policy, see the Advanced Security Audit Policy Step-by-Step Guide.
The following security auditing capabilities in Windows Server 2012 can be used with Dynamic Access Control to extend your overall security auditing strategy.
Expression-based audit policies. Dynamic Access Control enables you to create targeted audit policies by using expressions based on user, computer, and resource claims. For example, you could create an audit policy to track all Read and Write operations on files classified as high-business impact by employees who do not have a high-security clearance. Expression-based audit policies can be authored directly for a file or folder or centrally through Group Policy. For more information, see Group Policy using Global Object Access Auditing.
Additional information from object access auditing. File access auditing is not new to Windows Server 2012. With the right audit policy in place, the Windows and Windows Server operating systems generate an audit event each time a user accesses a file. Existing File Access events (4656, 4663) contain information about the attributes of the file that was accessed. This information can be used by event log filtering tools to help you identify the most relevant audit events. For more information, see Audit Handle Manipulation and Audit Security Accounts Manager.
More information from user logon events. With the right audit policy in place, Windows operating systems generate an audit event every time a user signs in to a computer locally or remotely. In Windows Server 2012 or Windows 8, you can also monitor user and device claims associated with a user's security token. Examples can include Department, Company, Project, and Security clearances. Event 4626 contains information about these user claims and device claims, which can be leveraged by audit log management tools to correlate user logon events with object access events to enable event filtering based on file attributes and user attributes. For more information about user logon auditing, see Audit Logon.
Change tracking for new types of securable objects. Tracking changes to securable objects can be important in the following scenarios:
- Change tracking for central access policies and central access rules. Central access policies and central access rules define the central policy that can be used to control access to critical resources. Any change to these can directly impact the file access permissions that are granted to users on multiple computers. Therefore, tracking changes to central access policies and central access rules can be important for your organization. Because central access policies and central access rules are stored in Active Directory Domain Services (AD DS), you can audit attempts to modify them, like auditing changes to any other securable object in AD DS. For more information, see Audit Directory Service Access.
- Change tracking for definitions in the claim dictionary. Claim definitions include the claim name, description, and possible values. Any change to the claim definition can impact the access permissions on critical resources. Therefore, tracking changes to claim definitions can be important to your organization. Like central access policies and central access rules, claim definitions are stored in AD DS; therefore, they can be audited like any other securable object in AD DS. For more information, see Audit Directory Service Access.
- Change tracking for file attributes. File attributes determine which central access rule applies to the file. A change to the file attributes can potentially impact the access restrictions on the file. Therefore, it can be important to track changes to file attributes. You can track changes to file attributes on any computer by configuring the authorization policy change auditing policy. For more information, see Authorization Policy Change auditing and Object Access auditing for File Systems. In Windows Server 2012, Event 4911 differentiates file attribute policy changes from other authorization policy change events.
- Change tracking for the central access policy associated with a file. Event 4913 displays the security identifiers (SIDs) of the old and new central access policies. Each central access policy also has a user-friendly name that can be looked up using this security identifier. For more information, see Authorization Policy Change auditing.
- Change tracking for user and computer attributes. Like files, user and computer objects can have attributes, and changes to these attributes can impact the user's ability to access files. Therefore, it can be valuable to track changes to user or computer attributes. User and computer objects are stored in AD DS; therefore, changes to their attributes can be audited. For more information, see DS Access.
Policy change staging. Changes to central access policies can impact the access control decisions on all computers where the policies are enforced. A loose policy could grant more access than desired, and an overly restrictive policy could generate an excessive number of Help Desk calls. As a result, it can be extremely valuable to verify changes to a central access policy before enforcing the change. For that purpose, Windows Server 2012 introduces the concept of "staging." Staging enables users to verify their proposed policy changes before enforcing them. To use policy staging, proposed policies are deployed with the enforced policies, but staged policies do not actually grant or deny permissions. Instead, Windows Server 2012 logs an audit event (4818) any time the result of the access check that uses the staged policy is different from the result of an access check that uses the enforced policy.
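The correlation described above (event 4626 supplies a logon session's claims, event 4663 supplies the accessed file's resource attributes, and the logon ID joins them), as an added PowerShell example that is not part of the original topic. It assumes a Windows Server 2012 or later file server with User/Device Claims and File System auditing enabled; the EventData field names are those carried in the event XML, and the filter strings in the usage line are constructed.

```powershell
# Added example, not part of the original topic: join 4626 (user/device claims) to 4663
# (object access) on the logon session ID so file-access events can be filtered on the
# user's claims as well as on the file's resource attributes.
# Assumes "Audit User/Device Claims" and "Audit File System" auditing are enabled on this
# file server, with SACLs (or a Global Object Access Auditing policy) on the files.

function ConvertFrom-SecurityEvent {
    # Flatten one EventLogRecord's <EventData><Data Name="..."> elements into a hashtable.
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-ClaimCorrelatedFileAccess {
    param(
        [datetime]$Since = (Get-Date).AddHours(-24),
        [string]$ClaimFilter = '',     # substring matched against the session's user claims
        [string]$ResourceFilter = ''   # substring matched against the file's resource attributes
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4626, 4663; StartTime = $Since } `
                           -ErrorAction SilentlyContinue

    # One 4626 per logon session; its SubjectLogonId is the session the claims belong to.
    $claimsByLogon = @{}
    foreach ($e in @($events | Where-Object Id -eq 4626)) {
        $d = ConvertFrom-SecurityEvent $e
        $claimsByLogon[$d['SubjectLogonId']] = $d
    }

    foreach ($e in @($events | Where-Object Id -eq 4663)) {
        $d = ConvertFrom-SecurityEvent $e
        $session = $claimsByLogon[$d['SubjectLogonId']]
        # A session that logged on before the collection window has no 4626 in range.
        $userClaims = if ($session) { $session['UserClaims'] } else { '<no 4626 in window>' }
        if ($ClaimFilter    -and $userClaims -notlike "*$ClaimFilter*")                 { continue }
        if ($ResourceFilter -and $d['ResourceAttributes'] -notlike "*$ResourceFilter*") { continue }
        [pscustomobject]@{
            Time       = $d['TimeCreated']
            User       = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            LogonId    = $d['SubjectLogonId']
            Object     = $d['ObjectName']
            AccessMask = $d['AccessMask']
            Resource   = $d['ResourceAttributes']
            UserClaims = $userClaims
        }
    }
}

# Constructed filter values: sessions whose claims mention a clearance, touching files whose
# resource attributes carry a business-impact classification.
Get-ClaimCorrelatedFileAccess -ClaimFilter 'Clearance' -ResourceFilter 'Impact' | Format-Table -AutoSize
```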
Audit Policy Recommendations
Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows 10, Windows 8.1, Windows 7
This section addresses the Windows default audit policy settings, baseline recommended audit policy settings, and the more aggressive recommendations from Microsoft, for workstation and server products.
The SCM baseline recommendations shown here, along with the settings we recommend to help detect compromise, are intended only to be a starting baseline guide to administrators. Each organization must make its own decisions regarding the threats they face, their acceptable risk tolerances, and what audit policy categories or subcategories they should enable. For further information about threats, refer to the Threats and Countermeasures Guide. Administrators without a thoughtful audit policy in place are encouraged to start with the settings recommended here, and then to modify and test, prior to implementing in their production environment.
The recommendations are for enterprise-class computers, which Microsoft defines as computers that have average security requirements and require a high level of operational functionality. Entities needing higher security requirements should consider more aggressive audit policies.
Microsoft Windows defaults and baseline recommendations were taken from the Microsoft Security Compliance Manager tool.
The following baseline audit policy settings are recommended for normal security computers that are not known to be under active, successful attack by determined adversaries or malware.
Recommended Audit Policies by Operating System
This section contains tables that list the audit setting recommendations that apply to the following operating systems:
- Windows Server 2016
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2008
- Windows 10
- Windows 8.1
- Windows 7
These tables contain the Windows default setting, the baseline recommendations, and the stronger recommendations for these operating systems.
Audit Policy Tables Legend
Notation | Recommendation |
---|---|
YES | Enable in general scenarios |
NO | Do not enable in general scenarios |
IF | Enable if needed for a specific scenario, or if a role or feature for which auditing is desired is installed on the machine |
DC | Enable on domain controllers |
[Blank] | No recommendation |
Windows 10, Windows 8, and Windows 7 Audit Settings Recommendations
Audit Policy
Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Account Logon | | | |
Audit Credential Validation | No \| No | Yes \| No | Yes \| Yes |
Audit Kerberos Authentication Service | | | Yes \| Yes |
Audit Kerberos Service Ticket Operations | | | Yes \| Yes |
Audit Other Account Logon Events | | | Yes \| Yes |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Account Management | | | |
Audit Application Group Management | | | |
Audit Computer Account Management | | Yes \| No | Yes \| Yes |
Audit Distribution Group Management | | | |
Audit Other Account Management Events | | Yes \| No | Yes \| Yes |
Audit Security Group Management | | Yes \| No | Yes \| Yes |
Audit User Account Management | Yes \| No | Yes \| No | Yes \| Yes |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Detailed Tracking | | | |
Audit DPAPI Activity | | | Yes \| Yes |
Audit Process Creation | | Yes \| No | Yes \| Yes |
Audit Process Termination | | | |
Audit RPC Events | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
DS Access | | | |
Audit Detailed Directory Service Replication | | | |
Audit Directory Service Access | | | |
Audit Directory Service Changes | | | |
Audit Directory Service Replication | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Logon and Logoff | | | |
Audit Account Lockout | Yes \| No | Yes \| No | |
Audit User/Device Claims | | | |
Audit IPsec Extended Mode | | | |
Audit IPsec Main Mode | | | IF \| IF |
Audit IPsec Quick Mode | | | |
Audit Logoff | Yes \| No | Yes \| No | Yes \| No |
Audit Logon 1 | Yes \| Yes | Yes \| Yes | Yes \| Yes |
Audit Network Policy Server | | | Yes \| Yes |
Audit Other Logon/Logoff Events | | | |
Audit Special Logon | Yes \| No | Yes \| No | Yes \| Yes |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Object Access | | | |
Audit Application Generated | | | |
Audit Certification Services | | | |
Audit Detailed File Share | | | |
Audit File Share | | | |
Audit File System | | | |
Audit Filtering Platform Connection | | | |
Audit Filtering Platform Packet Drop | | | |
Audit Handle Manipulation | | | |
Audit Kernel Object | | | |
Audit Other Object Access Events | | | |
Audit Registry | | | |
Audit Removable Storage | | | |
Audit SAM | | | |
Audit Central Access Policy Staging | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Policy Change | | | |
Audit Audit Policy Change | Yes \| No | Yes \| Yes | Yes \| Yes |
Audit Authentication Policy Change | Yes \| No | Yes \| No | Yes \| Yes |
Audit Authorization Policy Change | | | |
Audit Filtering Platform Policy Change | | | |
Audit MPSSVC Rule-Level Policy Change | | | Yes |
Audit Other Policy Change Events | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Privilege Use | | | |
Audit Non Sensitive Privilege Use | | | |
Audit Other Privilege Use Events | | | |
Audit Sensitive Privilege Use | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
System | | | |
Audit IPsec Driver | | Yes \| Yes | Yes \| Yes |
Audit Other System Events | | | Yes \| Yes |
Audit Security State Change | Yes \| No | Yes \| Yes | Yes \| Yes |
Audit Security System Extension | | Yes \| Yes | Yes \| Yes |
Audit System Integrity | Yes \| Yes | Yes \| Yes | Yes \| Yes |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Global Object Access Auditing | | | |
Audit IPsec Driver | | | |
Audit Other System Events | | | |
Audit Security State Change | | | |
Audit Security System Extension | | | |
Audit System Integrity | | | |
1 Beginning with Windows 10 version 1809, Audit Logon is enabled by default for both Success and Failure. In previous versions of Windows, only Success is enabled by default.
Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, and Windows Server 2008 Audit Settings Recommendations
Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Account Logon | | | |
Audit Credential Validation | No \| No | Yes \| Yes | Yes \| Yes |
Audit Kerberos Authentication Service | | | Yes \| Yes |
Audit Kerberos Service Ticket Operations | | | Yes \| Yes |
Audit Other Account Logon Events | | | Yes \| Yes |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Account Management | | | |
Audit Application Group Management | | | |
Audit Computer Account Management | | Yes \| DC | Yes \| Yes |
Audit Distribution Group Management | | | |
Audit Other Account Management Events | | Yes \| Yes | Yes \| Yes |
Audit Security Group Management | | Yes \| Yes | Yes \| Yes |
Audit User Account Management | Yes \| No | Yes \| Yes | Yes \| Yes |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Detailed Tracking | | | |
Audit DPAPI Activity | | | Yes \| Yes |
Audit Process Creation | | Yes \| No | Yes \| Yes |
Audit Process Termination | | | |
Audit RPC Events | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
DS Access | | | |
Audit Detailed Directory Service Replication | | | |
Audit Directory Service Access | | DC \| DC | DC \| DC |
Audit Directory Service Changes | | DC \| DC | DC \| DC |
Audit Directory Service Replication | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Logon and Logoff | | | |
Audit Account Lockout | Yes \| No | Yes \| No | |
Audit User/Device Claims | | | |
Audit IPsec Extended Mode | | | |
Audit IPsec Main Mode | | | IF \| IF |
Audit IPsec Quick Mode | | | |
Audit Logoff | Yes \| No | Yes \| No | Yes \| No |
Audit Logon | Yes \| Yes | Yes \| Yes | Yes \| Yes |
Audit Network Policy Server | | | Yes \| Yes |
Audit Other Logon/Logoff Events | | | Yes \| Yes |
Audit Special Logon | Yes \| No | Yes \| No | Yes \| Yes |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Object Access | | | |
Audit Application Generated | | | |
Audit Certification Services | | | |
Audit Detailed File Share | | | |
Audit File Share | | | |
Audit File System | | | |
Audit Filtering Platform Connection | | | |
Audit Filtering Platform Packet Drop | | | |
Audit Handle Manipulation | | | |
Audit Kernel Object | | | |
Audit Other Object Access Events | | | |
Audit Registry | | | |
Audit Removable Storage | | | |
Audit SAM | | | |
Audit Central Access Policy Staging | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Policy Change | | | |
Audit Audit Policy Change | Yes \| No | Yes \| Yes | Yes \| Yes |
Audit Authentication Policy Change | Yes \| No | Yes \| No | Yes \| Yes |
Audit Authorization Policy Change | | | |
Audit Filtering Platform Policy Change | | | |
Audit MPSSVC Rule-Level Policy Change | | | Yes |
Audit Other Policy Change Events | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Privilege Use | | | |
Audit Non Sensitive Privilege Use | | | |
Audit Other Privilege Use Events | | | |
Audit Sensitive Privilege Use | | | |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
System | | | |
Audit IPsec Driver | | Yes \| Yes | Yes \| Yes |
Audit Other System Events | | | Yes \| Yes |
Audit Security State Change | Yes \| No | Yes \| Yes | Yes \| Yes |
Audit Security System Extension | | Yes \| Yes | Yes \| Yes |
Audit System Integrity | Yes \| Yes | Yes \| Yes | Yes \| Yes |

Audit Policy Category or Subcategory | Windows Default Success \| Failure | Baseline Recommendation Success \| Failure | Stronger Recommendation Success \| Failure |
---|---|---|---|
Global Object Access Auditing | | | |
Audit IPsec Driver | | | |
Audit Other System Events | | | |
Audit Security State Change | | | |
Audit Security System Extension | | | |
Audit System Integrity | | | |
Set Audit Policy on Workstations and Servers
All event log management plans should monitor workstations and servers. A common mistake is to only monitor servers or domain controllers. Because malicious hacking often initially occurs on workstations, not monitoring workstations is ignoring the best and earliest source of information.
Administrators should thoughtfully review and test any audit policy prior to implementation in their production environment.
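The baseline server settings from the tables above, applied with auditpol.exe and then read back for verification, as an added PowerShell example that is not part of the original page. It assumes an elevated session on the target server; the subcategory names are auditpol's (the table rows without the leading "Audit "), and "DC" entries are enabled only when the host reports a domain controller role.

```powershell
# Added example, not part of the original page: apply the baseline server settings from the
# tables above with auditpol.exe and read the effective policy back for verification.
# Run elevated on the target server. In a domain, deploy the same values through Group
# Policy (Advanced Audit Policy Configuration) so local auditpol changes are not reverted.

# DomainRole 4 = backup DC, 5 = primary DC; the "DC" table entries apply only there.
$isDC = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4

# Baseline "Success | Failure" values from the server table, keyed by auditpol subcategory.
$baseline = @(
    @{ Name = 'Credential Validation';           Success = $true; Failure = $true  },
    @{ Name = 'Computer Account Management';     Success = $true; Failure = $isDC  },
    @{ Name = 'Other Account Management Events'; Success = $true; Failure = $true  },
    @{ Name = 'Security Group Management';       Success = $true; Failure = $true  },
    @{ Name = 'User Account Management';         Success = $true; Failure = $true  },
    @{ Name = 'Process Creation';                Success = $true; Failure = $false },
    @{ Name = 'Account Lockout';                 Success = $true; Failure = $false },
    @{ Name = 'Logoff';                          Success = $true; Failure = $false },
    @{ Name = 'Logon';                           Success = $true; Failure = $true  },
    @{ Name = 'Special Logon';                   Success = $true; Failure = $false },
    @{ Name = 'Audit Policy Change';             Success = $true; Failure = $true  },
    @{ Name = 'Authentication Policy Change';    Success = $true; Failure = $false },
    @{ Name = 'IPsec Driver';                    Success = $true; Failure = $true  },
    @{ Name = 'Security State Change';           Success = $true; Failure = $true  },
    @{ Name = 'Security System Extension';       Success = $true; Failure = $true  },
    @{ Name = 'System Integrity';                Success = $true; Failure = $true  }
)
if ($isDC) {
    $baseline += @{ Name = 'Directory Service Access';  Success = $true; Failure = $true }
    $baseline += @{ Name = 'Directory Service Changes'; Success = $true; Failure = $true }
}

function Set-AuditSubcategory {
    param([string]$Name, [bool]$Success, [bool]$Failure)
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    & auditpol.exe /set /subcategory:"$Name" /success:$s /failure:$f | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol /set failed for '$Name' (exit code $LASTEXITCODE)" }
}

function Get-ExpectedInclusion([bool]$Success, [bool]$Failure) {
    # The strings auditpol reports in its "Inclusion Setting" column.
    if ($Success -and $Failure) { 'Success and Failure' }
    elseif ($Success)           { 'Success' }
    elseif ($Failure)           { 'Failure' }
    else                        { 'No Auditing' }
}

foreach ($entry in $baseline) { Set-AuditSubcategory @entry }

# Verify: "auditpol /get /r" emits CSV with Subcategory and Inclusion Setting columns.
$effective = & auditpol.exe /get /category:* /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
$report = foreach ($entry in $baseline) {
    $row      = $effective | Where-Object Subcategory -eq $entry.Name
    $expected = Get-ExpectedInclusion $entry.Success $entry.Failure
    [pscustomobject]@{
        Subcategory = $entry.Name
        Expected    = $expected
        Effective   = $row.'Inclusion Setting'
        Match       = ($row.'Inclusion Setting' -eq $expected)
    }
}
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Match }) {
    Write-Warning 'One or more subcategories did not take effect; check for a Group Policy override.'
}
```

Keep the printed report with the change record, since it is the evidence that the setting is in effect rather than merely requested.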
Events to Monitor
A perfect event ID to generate a security alert should contain the following attributes:
- High likelihood that occurrence indicates unauthorized activity
- Low number of false positives
- Occurrence should result in an investigative/forensics response
Two types of events should be monitored and alerted:
- Those events in which even a single occurrence indicates unauthorized activity
- An accumulation of events above an expected and accepted baseline
An example of the first event is:
If Domain Admins (DAs) are forbidden from logging on to computers that are not domain controllers, a single occurrence of a DA member logging on to an end-user workstation should generate an alert and be investigated. This type of alert is easy to generate by using the Audit Special Logon event 4964 (Special groups have been assigned to a new logon). Other examples of single instance alerts include:
- If Server A should never connect to Server B, alert when they connect to each other.
- Alert if a normal end-user account is unexpectedly added to a sensitive security group.
- If employees in factory location A never work at night, alert when a user logs on at midnight.
- Alert if an unauthorized service is installed on a domain controller.
- Investigate if a regular end-user attempts to directly log on to a SQL Server for which they have no clear reason for doing so.
- If you have no members in your DA group, and someone adds themselves there, check it immediately.
An example of the second event is:
An aberrant number of failed logons could indicate a password guessing attack. For an enterprise to provide an alert for an unusually high number of failed logons, they must first understand the normal levels of failed logons within their environment prior to a malicious security event.
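The two alert types above, as an added PowerShell example that is not part of the original page, run over the local Security log: a single-occurrence rule on event 4964 (a Domain Admins or Enterprise Admins member logging on to this non-DC host) and a baseline-deviation rule on failed logons (event 4625). The EventData field names come from the event XML; the baseline, multiplier and floor values are constructed placeholders.

```powershell
# Added example, not part of the original page: the two alert types described above, over
# the local Security log. Assumes "Audit Special Logon" is enabled with the privileged group
# SIDs listed under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Audit\SpecialGroups (that is
# what makes 4964 fire), that logon failures produce 4625, and that this host is a
# workstation or member server, not a domain controller.

function Test-PrivilegedLogonOnThisHost {
    # Single-occurrence rule: one 4964 whose special-group list includes Domain Admins
    # (RID 512) or Enterprise Admins (RID 519) is worth an alert by itself on a non-DC.
    param([datetime]$Since = (Get-Date).AddHours(-1))
    $privileged = 'S-1-5-21-[\d-]+-(?:512|519)\b'
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4964; StartTime = $Since } `
                             -ErrorAction SilentlyContinue)
    foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # SidList carries the special-group SIDs that matched this new logon.
        $hits = [regex]::Matches([string]$data['SidList'], $privileged) | ForEach-Object { $_.Value }
        if ($hits) {
            [pscustomobject]@{
                Time     = $e.TimeCreated
                Account  = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonId  = $data['TargetLogonId']
                Groups   = ($hits -join ',')
                Severity = 'High'
            }
        }
    }
}

function Test-FailedLogonVolume {
    # Accumulation rule: failed logons (4625) in the window against a baseline measured from
    # your own environment first; the threshold is a multiple of that baseline with an
    # absolute floor so a baseline near zero does not alert on a single mistyped password.
    param(
        [Parameter(Mandatory)][int]$BaselinePerHour,
        [double]$Multiplier = 3.0,
        [int]$Floor = 20,                 # constructed default; tune to the environment
        [int]$WindowMinutes = 60
    )
    $since  = (Get-Date).AddMinutes(-$WindowMinutes)
    $events = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                             -ErrorAction SilentlyContinue)
    $ratePerHour = $events.Count * 60 / $WindowMinutes
    $threshold   = [math]::Max($BaselinePerHour * $Multiplier, $BaselinePerHour + $Floor)

    # Breaking the count down by target account tells the responder whether the failures hit
    # one account (a stale password on a service) or many accounts (something probing them).
    $topAccounts = $events |
        ForEach-Object { (([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text' } |
        Group-Object | Sort-Object Count -Descending | Select-Object -First 5 |
        ForEach-Object { '{0}={1}' -f $_.Name, $_.Count }

    [pscustomobject]@{
        WindowMinutes = $WindowMinutes
        Failed        = $events.Count
        RatePerHour   = [math]::Round($ratePerHour, 1)
        Threshold     = $threshold
        Alert         = ($ratePerHour -gt $threshold)
        TopAccounts   = ($topAccounts -join ', ')
        Severity      = 'Medium'
    }
}

Test-PrivilegedLogonOnThisHost | Format-Table -AutoSize
Test-FailedLogonVolume -BaselinePerHour 5 | Format-List   # 5 per hour is a constructed placeholder baseline
```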
For a comprehensive list of events that you should include when you monitor for signs of compromise, please see Appendix L: Events to Monitor.
Active Directory Objects and Attributes to Monitor
The following are the accounts, groups, and attributes that you should monitor to help you detect attempts to compromise your Active Directory Domain Services installation.
- Systems for disabling or removal of antivirus and anti-malware software (automatically restart protection when it is manually disabled)
- Administrator accounts for unauthorized changes
- Activities that are performed by using privileged accounts (automatically remove account when suspicious activities are completed or allotted time has expired)
- Privileged and VIP accounts in AD DS. Monitor for changes, particularly changes to attributes on the Account tab (for example, cn, name, sAMAccountName, userPrincipalName, or userAccountControl). In addition to monitoring the accounts, restrict who can modify the accounts to as small a set of administrative users as possible.
  Refer to Appendix L: Events to Monitor for a list of recommended events to monitor, their criticality ratings, and an event message summary.
- Group servers by the classification of their workloads, which allows you to quickly identify the servers that should be the most closely monitored and most stringently configured
- Changes to the properties and membership of the following AD DS groups: Enterprise Admins (EA), Domain Admins (DA), Administrators (BA), and Schema Admins (SA)
- Disabled privileged accounts (such as built-in Administrator accounts in Active Directory and on member systems) for enabling of the accounts
- Management accounts, to log all writes to the account
- Built-in Security Configuration Wizard to configure service, registry, audit, and firewall settings to reduce the server's attack surface. Use this wizard if you implement jump servers as part of your administrative host strategy.
Additional Information for Monitoring Active Directory Domain Services
Review the following links for additional information about monitoring AD DS:
- Global Object Access Auditing is Magic — Provides information about configuring and using Advanced Audit Policy Configuration that was added to Windows 7 and Windows Server 2008 R2.
- Introducing Auditing Changes in Windows 2008 — Introduces the auditing changes made in Windows 2008.
- Cool Auditing Tricks in Vista and 2008 — Explains interesting new features of auditing in Windows Vista and Windows Server 2008 that can be used for troubleshooting problems or seeing what's happening in your environment.
- One-Stop Shop for Auditing in Windows Server 2008 and Windows Vista — Contains a compilation of auditing features and information contained in Windows Server 2008 and Windows Vista.
- AD DS Auditing Step-by-Step Guide — Describes the new Active Directory Domain Services (AD DS) auditing feature in Windows Server 2008. It also provides procedures to implement this new feature.
General List of Security Event ID Recommendation Criticalities
All Event ID recommendations are accompanied by a criticality rating as follows:
- High: Event IDs with a high criticality rating should always and immediately be alerted and investigated.
- Medium: An Event ID with a medium criticality rating could indicate malicious activity, but it must be accompanied by some other abnormality (for example, an unusual number occurring in a particular time period, unexpected occurrences, or occurrences on a computer that normally would not be expected to log the event). A medium-criticality event may also be collected as a metric and compared over time.
- Low: An Event ID with a low criticality rating should not garner attention or cause alerts, unless correlated with medium or high criticality events.
These recommendations are meant to provide a baseline guide for the administrator. All recommendations should be thoroughly reviewed prior to implementation in a production environment.
Refer to Appendix L: Events to Monitor for a list of the recommended events to monitor, their criticality ratings, and an event message summary.