
Active Directory Advanced Audit Policy GPO Configuration

Active Directory Advanced Audit Policy is a feature of the Windows Server operating system that lets you manage advanced audit policies for the Active Directory (AD) service. Unlike the traditional (legacy) audit policies, advanced audit policies offer more comprehensive and more flexible auditing options. This feature is an important tool, especially for large organizations and environments with high security requirements.

Advanced audit policies make it possible to track and audit changes to objects and records in Active Directory in detail. By enabling detailed logging for specific events, administrators gain more options for monitoring those events and reporting on them.

Advanced audit policies are associated with event IDs and audit specific actions that are written to the event logs. For example, you can use these policies to track and report events such as user account creation, account deletion, password changes, or group membership changes.

Policy Location:

"Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration"

The recommended settings for Advanced Audit Policy Configuration are as follows.

Account Logon

Name | Policy Setting | Description
--- | --- | ---
Audit Credential Validation | Failure | This policy setting allows you to audit events generated by validation tests on user account logon credentials.
Audit Kerberos Authentication Service | Failure | This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests.
Audit Kerberos Service Ticket Operations | Success and Failure | This policy setting allows you to audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests submitted for user accounts.

Account Management

Name | Policy Setting | Description
--- | --- | ---
Audit Computer Account Management | Success | This policy setting allows you to audit events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted.
Audit Other Account Management Events | Success | This policy setting allows you to audit events generated by other user account changes that are not covered in this category, such as the following:
Audit Security Group Management | Success | This policy setting allows you to audit events generated by changes to security groups, such as the following:
Audit User Account Management | Success and Failure | This policy setting allows you to audit changes to user accounts.

Detailed Tracking

Name | Policy Setting | Description
--- | --- | ---
Audit PNP Activity | Success | This policy setting allows you to audit when Plug and Play detects an external device.
Audit Process Creation | Success | This policy setting allows you to audit events generated when a process is created or starts. The name of the application or user that created the process is also audited.

DS Access

Name | Policy Setting | Description
--- | --- | ---
Audit Directory Service Access | Failure | This policy setting allows you to audit events generated when an Active Directory Domain Services (AD DS) object is accessed.
Audit Directory Service Changes | Success | This policy setting allows you to audit events generated by changes to objects in Active Directory Domain Services (AD DS). Events are logged when an object is created, deleted, modified, moved, or undeleted.

Logon/Logoff

Name | Policy Setting | Description
--- | --- | ---
Audit Account Lockout | Failure | This policy setting allows you to audit events generated by a failed attempt to log on to an account that is locked out.
Audit Group Membership | Success | This policy setting allows you to audit the group membership information in the user's logon token.
Audit Logon | Success and Failure | This policy setting allows you to audit events generated by user account logon attempts on the computer.
Audit Other Logon/Logoff Events | Success and Failure | This policy setting allows you to audit other logon/logoff-related events that are not covered in the "Logon/Logoff" category.
Audit Special Logon | Success | This policy setting allows you to audit events generated by special logons, such as those with administrator-equivalent privileges.

Object Access

Name | Policy Setting | Description
--- | --- | ---
Audit Detailed File Share | Failure | This policy setting allows you to audit attempts to access files and folders on a shared folder.
Audit File Share | Success and Failure | This policy setting allows you to audit attempts to access a shared folder.
Audit Other Object Access Events | Success and Failure | This policy setting allows you to audit events generated by the management of Task Scheduler jobs or COM+ objects.
Audit Removable Storage | Success and Failure | This policy setting allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated only for all objects for all types of access requested.

Policy Change

Name | Policy Setting | Description
--- | --- | ---
Audit Audit Policy Change | Success | This policy setting allows you to audit changes in the security audit policy settings.
Audit Authentication Policy Change | Success | This policy setting allows you to audit events generated by changes to the authentication policy.
Audit MPSSVC Rule-Level Policy Change | Success and Failure | This policy setting allows you to audit events generated by changes in policy rules used by the Microsoft Protection Service (MPSSVC).
Audit Other Policy Change Events | Failure | This policy setting allows you to audit events generated by other security policy changes that are not audited in the Policy Change category.

Privilege Use

Name | Policy Setting | Description
--- | --- | ---
Audit Sensitive Privilege Use | Success and Failure | This policy setting allows you to audit events generated when sensitive privileges (user rights) are used.

System

Name | Policy Setting | Description
--- | --- | ---
Audit Other System Events | Success and Failure | This policy setting allows you to audit system events such as the startup and shutdown of the Windows Firewall.
Audit Security State Change | Success | This policy setting allows you to audit system events such as the startup and shutdown of the Windows Firewall.
Audit Security System Extension | Success | This policy setting allows you to audit events related to security system extensions or services.
Audit System Integrity | Success and Failure | This policy setting allows you to audit events that violate the integrity of the security subsystem.

Global Object Access Auditing

Name | Policy Setting | Description
--- | --- | ---
File System | |
Registry | |
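Once the GPO has applied, it is worth checking that the domain controllers actually run this baseline rather than trusting the Group Policy editor. The script below is an added example (not part of the original post): it reads the effective policy with auditpol.exe, compares every subcategory against the recommended values from the tables above, and reports any drift. It assumes an elevated PowerShell session on a domain controller after gpupdate, and uses the English subcategory names that auditpol.exe prints (for example "Plug and Play Events" for the "Audit PNP Activity" row). One caveat a practitioner should keep in mind: the subcategory settings only take precedence over the legacy nine-category settings when the LSA value SCENoApplyLegacyAuditPolicy is 1 (the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" security option), so the script checks that too.

```powershell
# Added example, not part of the original post: compare the effective audit policy
# on a domain controller with the baseline in the tables above and report drift.
# Assumptions: elevated PowerShell on a DC after the GPO has applied (gpupdate /force);
# subcategory names are the English names printed by auditpol.exe.

$Baseline = @{
    'Credential Validation'              = 'Failure'
    'Kerberos Authentication Service'    = 'Failure'
    'Kerberos Service Ticket Operations' = 'Success and Failure'
    'Computer Account Management'        = 'Success'
    'Other Account Management Events'    = 'Success'
    'Security Group Management'          = 'Success'
    'User Account Management'            = 'Success and Failure'
    'Plug and Play Events'               = 'Success'
    'Process Creation'                   = 'Success'
    'Directory Service Access'           = 'Failure'
    'Directory Service Changes'          = 'Success'
    'Account Lockout'                    = 'Failure'
    'Group Membership'                   = 'Success'
    'Logon'                              = 'Success and Failure'
    'Other Logon/Logoff Events'          = 'Success and Failure'
    'Special Logon'                      = 'Success'
    'Detailed File Share'                = 'Failure'
    'File Share'                         = 'Success and Failure'
    'Other Object Access Events'         = 'Success and Failure'
    'Removable Storage'                  = 'Success and Failure'
    'Audit Policy Change'                = 'Success'
    'Authentication Policy Change'       = 'Success'
    'MPSSVC Rule-Level Policy Change'    = 'Success and Failure'
    'Other Policy Change Events'         = 'Failure'
    'Sensitive Privilege Use'            = 'Success and Failure'
    'Other System Events'                = 'Success and Failure'
    'Security State Change'              = 'Success'
    'Security System Extension'          = 'Success'
    'System Integrity'                   = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # /r makes auditpol emit CSV with "Subcategory" and "Inclusion Setting" columns
    auditpol.exe /get /category:* /r |
        Where-Object { $_ -match '\S' } |   # drop the blank line auditpol prints first
        ConvertFrom-Csv
}

function Get-AuditPolicyDrift {
    param([hashtable]$Expected = $Baseline)
    $Effective = Get-EffectiveAuditPolicy
    foreach ($Name in ($Expected.Keys | Sort-Object)) {
        $Row    = $Effective | Where-Object { $_.Subcategory -eq $Name } | Select-Object -First 1
        $Actual = if ($Row) { $Row.'Inclusion Setting' } else { 'not reported' }
        if ($Actual -ne $Expected[$Name]) {
            [pscustomobject]@{ Subcategory = $Name; Expected = $Expected[$Name]; Actual = $Actual }
        }
    }
}

# Subcategory settings only override the legacy category settings when this value is 1.
$Lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($Lsa.SCENoApplyLegacyAuditPolicy -ne 1) {
    Write-Warning 'SCENoApplyLegacyAuditPolicy is not 1: legacy category settings may override the subcategories.'
}

$Drift = Get-AuditPolicyDrift
if ($Drift) { $Drift | Format-Table -AutoSize } else { 'Effective audit policy matches the baseline.' }
```

Run it on each domain controller (or wrap Get-AuditPolicyDrift in Invoke-Command) after a policy change; an empty result means the effective policy matches the tables, and any row it prints is a subcategory that a later GPO, a local auditpol call, or a missing link has changed.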

When you enable these Windows audit policy settings, Active Directory logs are generated on your domain controllers. These logs can be viewed with Windows Event Viewer, but I recommend using a third-party (or similar) audit tool to analyze them.
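Even without a dedicated audit tool, the account-management events this post describes (user created or deleted, password changed or reset, member added to a security group) can be pulled straight from the Security log. The following is an added example, not code from the original post: it queries a domain controller with Get-WinEvent and flattens the EventData fields that matter for review. The event IDs are the documented Windows Security auditing IDs for the "Audit User Account Management" and "Audit Security Group Management" subcategories from the tables above; the computer name DC01 and the 24-hour lookback are assumptions.

```powershell
# Added example, not part of the original post: list recent account-management
# events from a domain controller's Security log. Assumes the baseline above is
# applied and the caller can read the Security log on the named DC.

$EventNames = @{
    4720 = 'User account created'                       # Audit User Account Management
    4726 = 'User account deleted'                       # Audit User Account Management
    4723 = 'Password change attempted'                  # Audit User Account Management
    4724 = 'Password reset attempted'                   # Audit User Account Management
    4728 = 'Member added to global security group'      # Audit Security Group Management
    4732 = 'Member added to local security group'       # Audit Security Group Management
    4756 = 'Member added to universal security group'   # Audit Security Group Management
}

function Get-AccountChangeEvents {
    param(
        [string]$ComputerName = 'DC01',   # assumed domain controller name
        [int]$Hours = 24                  # assumed lookback window
    )
    $Filter = @{
        LogName   = 'Security'
        Id        = [int[]]$EventNames.Keys
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # Get-WinEvent raises an error when nothing matches; treat that as an empty result
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData fields live in the XML payload, keyed by their Name attribute
            $Xml  = [xml]$_.ToXml()
            $Data = @{}
            foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time   = $_.TimeCreated
                Id     = $_.Id
                Action = $EventNames[$_.Id]
                Target = $Data['TargetUserName']   # user account, or the group for 4728/4732/4756
                Member = $Data['MemberName']       # added account (group events only)
                Actor  = $Data['SubjectUserName']  # who performed the change
                DC     = $ComputerName
            }
        }
}

Get-AccountChangeEvents -ComputerName 'DC01' -Hours 24 | Sort-Object Time | Format-Table -AutoSize
```

Because each domain controller writes only the changes it processed, run this against every DC (or forward the Security logs to a collector first) to get the complete picture; the Actor column is the field to watch for changes made outside your normal provisioning accounts.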

Best regards.

This post is licensed under CC BY 4.0 by the author.