Audit Keamanan Windows 7 dimatikan - Oleh apa?


0

Ini telah membuatku gila. Saya sudah mencari tinggi dan rendah untuk solusi tetapi belum menemukan apa pun. saya melakukan menemukan ini pertanyaan yang saya pikir memegang solusinya auditpol.exe . Tidak ada dadu.

Saya dapat menetapkan Kebijakan Audit Windows saya menggunakan salah satunya secpol.msc atau gpedit.msc . Masalahnya adalah bahwa setelah beberapa menit, mereka dibersihkan ( semua diatur ke "Tanpa Audit"). Dari log peristiwa, satu-satunya petunjuk yang saya dapatkan adalah:

System audit policy was changed.

Subject:
Security ID:        SYSTEM
Account Name:       MYCOMPUTERNAME$
Account Domain:     WORKGROUP
Logon ID:           0x3e7

Audit Policy Change:
Category:           Account Logon
Subcategory:        Kerberos Authentication Service
Subcategory GUID:   {0cce9242-69ae-11d9-bed3-505054503030}
Changes:            Success removed, Failure removed

Setelah yang terakhir ini, tidak ada entri lebih lanjut dari jenis apa pun akan ditulis ke Security Event Log.

Konfigurasi sistem saya :

OS: Windows 7 Ultimate w/ SP1
Processor: x64
RAM: 12 GB
NOT Domain-joined. In WORKGROUP (so, no Group Policy is being applied).
Windows Firewall enabled
Microsoft Security Essentials

Memperbarui:

Saya juga mencari bantuan di Forum Komunitas Microsoft tentang masalah ini dan jelas dari respons yang saya terima (dari Microsoft) bahwa mereka tidak memahami masalah ini. Untuk itu, saya pikir mungkin tepat untuk menambahkan detail tambahan di sini.

Perintah khusus yang saya gunakan untuk mengonfigurasi audit adalah sebagai berikut:

auditpol.exe /set /category:"Account Logon" /success:enable /failure:enable
auditpol.exe /set /category:"Account Management" /success:enable /failure:enable
auditpol.exe /set /category:"Detailed Tracking" /success:disable /failure:disable
auditpol.exe /set /category:"DS Access" /success:disable /failure:enable
auditpol.exe /set /category:"Logon/Logoff" /success:enable /failure:enable
auditpol.exe /set /category:"Object Access" /success:disable /failure:disable
auditpol.exe /set /category:"Policy Change" /success:disable /failure:enable
auditpol.exe /set /category:"Privilege Use" /success:disable /failure:enable
auditpol.exe /set /category:"System" /success:enable /failure:enable

auditpol.exe /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol.exe /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:enable

dan output dari auditpol.exe / get / kategori: *

System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               Success and Failure
  System Integrity                        Success and Failure
  IPsec Driver                            Success and Failure
  Other System Events                     Success and Failure
  Security State Change                   Success and Failure
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success and Failure
  Account Lockout                         Success and Failure
  IPsec Main Mode                         Success and Failure
  IPsec Quick Mode                        Success and Failure
  IPsec Extended Mode                     Success and Failure
  Special Logon                           Success and Failure
  Other Logon/Logoff Events               Success and Failure
  Network Policy Server                   Success and Failure
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             Failure
  Other Privilege Use Events              Failure
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success and Failure
  Authentication Policy Change            Success and Failure
  Authorization Policy Change             Success and Failure
  MPSSVC Rule-Level Policy Change         Failure
  Filtering Platform Policy Change        Failure
  Other Policy Change Events              Failure
Account Management
  User Account Management                 Success and Failure
  Computer Account Management             Success and Failure
  Security Group Management               Success and Failure
  Distribution Group Management           Success and Failure
  Application Group Management            Success and Failure
  Other Account Management Events         Success and Failure
DS Access
  Directory Service Changes               Failure
  Directory Service Replication           Failure
  Detailed Directory Service Replication  Failure
  Directory Service Access                Failure
Account Logon
  Kerberos Service Ticket Operations      Success and Failure
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         Success and Failure
  Credential Validation                   Success and Failure

Setelah beberapa menit, dan tanpa menyentuh apa pun yang berkaitan dengan audit, hasil berulang:

System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        No Auditing
  IPsec Driver                            No Auditing
  Other System Events                     No Auditing
  Security State Change                   No Auditing
Logon/Logoff
  Logon                                   No Auditing
  Logoff                                  No Auditing
  Account Lockout                         No Auditing
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           No Auditing
  Other Logon/Logoff Events               No Auditing
  Network Policy Server                   No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
  Detailed File Share                     No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     No Auditing
  Authentication Policy Change            No Auditing
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 No Auditing
  Computer Account Management             No Auditing
  Security Group Management               No Auditing
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              No Auditing
  Kerberos Authentication Service         No Auditing
  Credential Validation                   No Auditing

Tidak ada indikasi dalam log peristiwa tentang apa yang telah membuat perubahan.


Apa kejadian sebelum ini?
Colyn1337

Jawaban:


Dengan menggunakan situs kami, Anda mengakui telah membaca dan memahami Kebijakan Cookie dan Kebijakan Privasi kami.
Licensed under cc by-sa 3.0 with attribution required.