Active Directory Best Practices Audit Policies GPO

Microsoft Best Practices Audit Policies Table (10 items):
| Audit Policy Category or Subcategory | Windows Default | Baseline Recommendation | Stronger Recommendation |
| | Success Failure | Success Failure | Success Failure |
| Account Logon | |||
| Audit Credential Validation | No No | Yes Yes | Yes Yes |
| Audit Kerberos Authentication Service | Yes Yes | ||
| Audit Kerberos Service Ticket Operations | Yes Yes | ||
| Audit Other Account Logon Events | Yes Yes | ||
| Account Management | |||
| Audit Application Group Management | |||
| Audit Computer Account Management | Yes DC | Yes Yes | |
| Audit Distribution Group Management | |||
| Audit Other Account Management Events | Yes Yes | Yes Yes | |
| Audit Security Group Management | Yes Yes | Yes Yes | |
| Audit User Account Management | Yes No | Yes Yes | Yes Yes |
| Detailed Tracking | |||
| Audit DPAPI Activity | Yes Yes | ||
| Audit Process Creation | Yes No | Yes Yes | |
| Audit Process Termination | |||
| Audit RPC Events | |||
| DS Access | |||
| Audit Detailed Directory Service Replication | |||
| Audit Directory Service Access | DC DC | DC DC | |
| Audit Directory Service Changes | DC DC | DC DC | |
| Audit Directory Service Replication | |||
| Logon and Logoff | |||
| Audit Account Lockout | Yes No | Yes No | |
| Audit User/Device Claims | |||
| Audit IPsec Extended Mode | |||
| Audit IPsec Main Mode | IF IF | ||
| Audit IPsec Quick Mode | |||
| Audit Logoff | Yes No | Yes No | Yes No |
| Audit Logon | Yes No | Yes Yes | Yes Yes |
| Audit Network Policy Server | Yes Yes | ||
| Audit Other Logon/Logoff Events | Yes Yes | ||
| Audit Special Logon | Yes No | Yes No | Yes Yes |
| Object Access | |||
| Audit Application Generated | |||
| Audit Certification Services | |||
| Audit Detailed File Share | |||
| Audit File Share | |||
| Audit File System | |||
| Audit Filtering Platform Connection | |||
| Audit Filtering Platform Packet Drop | |||
| Audit Handle Manipulation | |||
| Audit Kernel Object | |||
| Audit Other Object Access Events | |||
| Audit Registry | |||
| Audit Removable Storage | |||
| Audit SAM | |||
| Audit Central Access Policy Staging | |||
| Policy Change | |||
| Audit Audit Policy Change | Yes No | Yes Yes | Yes Yes |
| Audit Authentication Policy Change | Yes No | Yes No | Yes Yes |
| Audit Authorization Policy Change | |||
| Audit Filtering Platform Policy Change | |||
| Audit MPSSVC Rule-Level Policy Change | Yes | ||
| Audit Other Policy Change Events | |||
| Privilege Use | |||
| Audit Non Sensitive Privilege Use | |||
| Audit Other Privilege Use Events | |||
| Audit Sensitive Privilege Use | |||
| System | |||
| Audit IPsec Driver | Yes Yes | Yes Yes | |
| Audit Other System Events | Yes Yes | ||
| Audit Security State Change | Yes No | Yes Yes | Yes Yes |
| Audit Security System Extension | Yes Yes | Yes Yes | |
| Audit System Integrity | Yes Yes | Yes Yes | Yes Yes |
| Global Object Access Auditing | |||
| Audit IPsec Driver | |||
| Audit Other System Events | |||
| Audit Security State Change | |||
| Audit Security System Extension | |||
| Audit System Integrity |

Audit Policy Tables Legend
| Notation | Recommendation |
| YES | Enable in general scenarios |
| NO | Do not enable in general scenarios |
| IF | Enable if needed for a specific scenario, or if a role or feature for which auditing is desired is installed on the machine |
| DC | Enable on domain controllers |
| [Blank] | No recommendation |
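
The following is an added example, not part of the original post or of Microsoft's guidance: a Python check that compares a host's effective audit policy with the Baseline Recommendation column of the table above and reports where the host audits less. It assumes the CSV layout produced by `auditpol /get /category:* /r` on an English-language system; `BASELINE` holds only the rows of the table whose three columns are all filled in, and the sample report is constructed.

```python
import csv
import io

# Baseline Recommendation column as (success, failure); rows with all three columns filled.
BASELINE = {
    "Credential Validation": (True, True),
    "User Account Management": (True, True),
    "Logoff": (True, False),
    "Logon": (True, True),
    "Special Logon": (True, False),
    "Audit Policy Change": (True, True),
    "Authentication Policy Change": (True, False),
    "Security State Change": (True, True),
    "System Integrity": (True, True),
}

# Constructed sample report; host name and GUIDs are placeholders, not real values.
SAMPLE = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
HOST01,System,Security State Change,{00000000-0000-0000-0000-000000000001},Success and Failure,
HOST01,System,Logon,{00000000-0000-0000-0000-000000000002},Success and Failure,
HOST01,System,Logoff,{00000000-0000-0000-0000-000000000003},Success,
HOST01,System,Special Logon,{00000000-0000-0000-0000-000000000004},Success,
HOST01,System,File System,{00000000-0000-0000-0000-000000000005},No Auditing,
HOST01,System,Audit Policy Change,{00000000-0000-0000-0000-000000000006},Success,
HOST01,System,Authentication Policy Change,{00000000-0000-0000-0000-000000000007},Success,
HOST01,System,User Account Management,{00000000-0000-0000-0000-000000000008},Success,
HOST01,System,Credential Validation,{00000000-0000-0000-0000-000000000009},No Auditing,
"""

def find_gaps(report_csv, baseline=BASELINE):
    """Return {subcategory: [missing event types]} where the host audits less than the baseline."""
    seen = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        setting = (row.get("Inclusion Setting") or "").lower()
        # Values are "Success and Failure", "Success", "Failure" or "No Auditing".
        seen[(row.get("Subcategory") or "").strip()] = ("success" in setting, "failure" in setting)
    gaps = {}
    for name, want in baseline.items():
        # A subcategory absent from the report is treated as not audited.
        have = seen.get(name, (False, False))
        missing = [kind for kind, w, h in zip(("Success", "Failure"), want, have) if w and not h]
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    for name, missing in sorted(find_gaps(SAMPLE).items()):
        print(f"{name}: baseline also wants {' and '.join(missing)}")
```

`auditpol` localizes subcategory names and setting text, so on a non-English system match on the Subcategory GUID column instead of the name.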

This post is licensed under CC BY 4.0 by the author.