This way, you don’t bother tracking access when members of this group access sensitive files from within the office, but you do track all access to those sensitive files when members of this group are accessing them from an unusual location. Figure 10-24 shows auditing configured in this way. For example, you might want to configure auditing so that members of the Managers group have access to sensitive files tracked only when they access files from computers that aren’t part of the Managers_Computers group. These policies enable you to put conditions as to when auditing might occur. Specifying that an audit event will be written each time a member of the Managers group accesses a file in a specific folder is a good example.Įxpression- based audit policies enable you to go further. Traditional object audit policies involve specifying a group and configuring the type of activities that will trigger an event to be written to the security log. Implementing expression-based audit policies
They become frustrated with the process because the auditing events that they might be interested in get lost in the vast sea of auditing events that they are not interested in. A mistake that many administrators make is that they aren’t entirely sure what they should be auditing, so they audit everything. Global Object Access Auditing You can configure expression-based audit policies for files and the registry.ĭetermine what you want to audit first and then enable the policies to audit that type of activity.System You can audit changes to the security subsystem.Privilege Use You can audit the use of privileges.Policy Change You can audit changes to audit policy.Object Access You can audit access to objects including files, folders, applications, and the registry.Logon/Logoff You can audit logon, logoff, and other account activity events, including IPsec and Network Policy Server (NPS) events.DS Access You can audit Active Directory access and functionality.Detailed Tracking You can audit encryption events, process creation, process termination, and RPC events.Account Management You can audit account management operations, such as changes to computer accounts, user accounts, and group accounts.Account Logon You can audit credential validation and Kerberos-specific operations.The audit policy groups contain the following settings: There are 10 groups of audit policy settings and 58 individual audit policies available through Advanced Audit Policy Configuration.
0 kommentar(er)
