2025-02-27 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/03 Report
Implementation requirements:
1. Under Local Policies > Audit Policy, set every audit policy to audit both success and failure (shown as a screenshot in the original).
2. Enable Audit Filtering Platform Connection under Advanced Audit Policy Configuration > Object Access (shown as a screenshot in the original; this is the pitfall discussed later in the body).
Summary: the audit logs of several hundred Windows Server machines have to be collected, and none of the servers is in a domain, so there is no Group Policy to push the settings from and every server has to be configured individually. To make the work go faster, the configuration is done with batch commands.
Step details:
1. Use secedit to set the (legacy, category-level) audit policy.
secedit syntax reference: https://docs.microsoft.com/zh-cn/windows-server/administration/windows-commands/secedit
echo [Version] > 1.inf
echo signature="$CHICAGO$" >> 1.inf
echo [Event Audit] >> 1.inf
echo AuditSystemEvents=3 >> 1.inf
echo AuditObjectAccess=3 >> 1.inf
echo AuditPrivilegeUse=3 >> 1.inf
echo AuditPolicyChange=3 >> 1.inf
echo AuditAccountManage=3 >> 1.inf
echo AuditProcessTracking=3 >> 1.inf
echo AuditDSAccess=3 >> 1.inf
echo AuditAccountLogon=3 >> 1.inf
echo AuditLogonEvents=3 >> 1.inf
secedit /configure /db 1.sdb /cfg 1.inf /log 1.log /quiet
del 1.*
How to run: paste the commands above into a text file, rename it with a .bat extension and run it as administrator (elevation is required; without it secedit cannot change the policy).
Note: the value 3 after each setting audits both success and failure; 0 means no auditing (1 audits success only, 2 failure only).
After the script has run, a 1.sdb appears in the current directory. It is the working database that secedit builds from the template, an intermediate product, and can be deleted.
/quiet runs the configuration without prompting or printing to the screen; /log 1.log names the log file, which is where to look if a setting did not take effect (drop /quiet to watch progress on screen). Finally, del 1.* deletes every file whose name starts with "1." (the .inf, .sdb and .log the script itself created), so run the script in a directory of its own.
Now the main part.
Everything up to here was the official procedure. What follows are the problems I ran into along the way and how I solved them. (I actually think this is the really useful content; this kind of experience is hard to come by.)
Approach 1:
When I first got the requirement, my plan was to configure the audit policy on one server, export the configured policy with secedit /export, and import it on the other servers.
Problem 1: there are many servers running different workloads, and importing a whole policy template onto all of them in a hurry could affect the business on some of them.
Problem 2: secedit can only export and import the legacy local audit policy; it cannot set Advanced Audit Policy Configuration subcategories, which is exactly what the Filtering Platform Connection requirement needs.
So this approach was dropped.
Approach 2:
Use the command line to change only the settings that need changing: secedit for the legacy audit policy and auditpol for the advanced audit policy.
auditpol syntax reference: https://docs.microsoft.com/zh-cn/windows-server/administration/windows-commands/auditpol
secedit /configure /db 1.sdb /cfg 1.inf /log 1.log /quiet
auditpol /set /subcategory:"Filtering Platform Connection" /failure:enable /success:enable
(auditpol expects the subcategory name as it is displayed on that machine, so on a Chinese-language server the Chinese name goes in the quotes.)
Problem 1: the Chinese characters in the subcategory name come out garbled when the batch file runs, and the command fails (the same command typed at the prompt succeeds). The usual cause is that the .bat was saved as UTF-8 while cmd reads it in the console code page (936 on a Chinese system).
Solution: run auditpol /list /subcategory:* /r to list every subcategory with its GUID (they are GUIDs, not SIDs, and they are the same on every language version of Windows), look up Object Access and Filtering Platform Connection, and pass the GUIDs instead of the names.
Look the GUIDs up on your own server and substitute them (the original shows the listing as a screenshot). Then run:
auditpol /set /subcategory:"{0CCE9210-69AE-11D9-BED3-505054503030}","{0CCE9211-69AE-11D9-BED3-505054503030}" /failure:disable /success:enable
And here the problem came back: after running the command above, auditpol unexpectedly reported that the parameters were wrong. Ten thousand grass-mud horses galloped past; searching the forums turned up nothing, and the command had been copied from Microsoft's own example. I can only suspect a metaphysical problem, but friends can give it a try, what if it works?
Before blaming auditpol, check the line itself: each GUID must be 8-4-4-4-12 hex digits inside braces, there must be no comma after the last GUID before /failure, and the two GUIDs above are the ones from Microsoft's documentation example (Security State Change and Security System Extension, both under the System category), not Object Access or Filtering Platform Connection, so the values from your own /list output belong there.
Problem 2: not much to say, here is the screenshot (in the original).
auditpol reports that the command succeeded; I run gpupdate /force to refresh the policy, open Audit Filtering Platform Connection in the console, and it shows "Not configured". Possibly another metaphysical problem!
Solution: run secpol.msc from the command line, open the Local Security Policy console and tick Audit Filtering Platform Connection by hand (in the end it still had to be done manually).
This one has an explanation. auditpol /set changes the effective audit policy that LSA enforces, while the Advanced Audit Policy Configuration view in secpol.msc reads the local Group Policy file (%SystemRoot%\System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv), which auditpol does not write. Check what is actually enforced with auditpol /get /subcategory:"{GUID}" (or auditpol /get /category:* for everything) rather than in the console, and remember that once audit.csv exists, gpupdate /force re-applies it over whatever auditpol set.
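The Approach 2 procedure scripted end to end, as an added example that is not code from the original article: set Filtering Platform Connection by GUID so that no localized name passes through a batch file, then read the effective setting back with auditpol /get instead of looking in secpol.msc. The GUID {0CCE9226-69AE-11D9-BED3-505054503030} is the one Microsoft documents for Filtering Platform Connection and is identical on every language version of Windows; the function and variable names are my own. Run it in an elevated PowerShell session on the target server; if you do put Chinese subcategory names in the script, save it with a UTF-8 BOM so Windows PowerShell 5.1 reads them correctly.

```powershell
# Added example, not from the original article. Run elevated on the target.

# Microsoft's fixed GUID for the "Filtering Platform Connection" subcategory
# (under Object Access). Cross-check on the target with:
#   auditpol /list /subcategory:* /r
$FilteringPlatformConnection = '{0CCE9226-69AE-11D9-BED3-505054503030}'

function Get-AuditSubcategoryGuid {
    # Look up a subcategory GUID by its (localized) display name in the CSV
    # that "auditpol /list /r" prints, whose header is "Category/Subcategory,GUID".
    # Subcategory rows are indented, hence the Trim().
    param([Parameter(Mandatory)][string]$Name)
    $rows = auditpol /list /subcategory:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    $hit  = $rows | Where-Object { $_.'Category/Subcategory'.Trim() -eq $Name }
    if (-not $hit) { throw "Subcategory '$Name' not found in auditpol /list output" }
    return $hit.GUID.Trim()
}

function Set-AuditSubcategory {
    # Enable or disable success/failure auditing for one subcategory GUID.
    param(
        [Parameter(Mandatory)][string]$Guid,
        [bool]$Success = $true,
        [bool]$Failure = $true
    )
    $s = if ($Success) { 'enable' } else { 'disable' }
    $f = if ($Failure) { 'enable' } else { 'disable' }
    # Pass the arguments as an array: the GUID stays intact, every switch is
    # its own token, and no stray comma can end up after the GUID (auditpol
    # rejects a trailing comma or a malformed GUID as an invalid parameter).
    $argList = @('/set', "/subcategory:$Guid", "/success:$s", "/failure:$f")
    & auditpol @argList | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
}

function Get-EffectiveAuditSetting {
    # Read what LSA is actually enforcing for the subcategory. This, not the
    # Advanced Audit Policy view in secpol.msc (which shows the local GPO file
    # audit.csv), decides whether events are written.
    param([Parameter(Mandatory)][string]$Guid)
    $row = auditpol /get "/subcategory:$Guid" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    return $row.'Inclusion Setting'.Trim()
}

Set-AuditSubcategory -Guid $FilteringPlatformConnection -Success $true -Failure $true
"Filtering Platform Connection is now: $(Get-EffectiveAuditSetting -Guid $FilteringPlatformConnection)"
```

Get-AuditSubcategoryGuid is there for the case where you only know the display name: call it once on a reference server, then hard-code the GUID it returns in the script that goes out to the other servers, the way the constant above is hard-coded.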
Now the pitfall.
When this happened I was close to a breakdown. Here is why: after configuring the audit policy with the batch file, I configured Audit Filtering Platform Connection by hand, ran gpupdate /force on the command line to refresh the policy, and thought I was done. Then this happened (screenshot in the original):
I rubbed my eyes; I was not seeing things, and neither are you. Every audit policy configured earlier now showed "No auditing". After searching the forums and trying things myself, I finally found where the problem lay:
When an advanced audit policy is set, the local (legacy) audit policy is overridden.
In the advanced policy I had set only Filtering Platform Connection and nothing else, so everything else ended up overridden to "No auditing".
This is by design, not a bug. As soon as any subcategory is configured under Advanced Audit Policy Configuration, the subcategory settings take precedence over the nine legacy categories (the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", backed by the registry value SCENoApplyLegacyAuditPolicy under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), and every subcategory left unconfigured in the advanced policy is then unaudited. Microsoft's guidance is to use one model per machine and not mix the two.
Solution 1: tick every option under the advanced policy. Then, even though the legacy policy is overridden, you still get logs, and finer-grained ones than the legacy categories give.
Solution 2: do not set the advanced policy at all. This still meets the second requirement, because the legacy Object Access category (AuditObjectAccess=3 in the template above) switches on every subcategory beneath it, Filtering Platform Connection included; the cost is that the noisy subcategories under Object Access are switched on along with it.
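A diagnostic for this pitfall plus Solution 1 done by script, as an added example that is not code from the original article. It shows which audit model a server is actually running (the override registry value and whether the local audit.csv exists), lists every subcategory whose effective setting is "No Auditing", and, when you decide to go with Solution 1, enables success and failure on every subcategory by GUID after taking an auditpol backup that can be restored. Function names are my own; it assumes auditpol prints the English text "No Auditing" for an unaudited subcategory, so on a Chinese-language server pass the localized string to -NoAuditingText. Run it elevated on the target server.

```powershell
# Added example, not from the original article. Run elevated on the target.

function Get-AuditPolicyModelState {
    # Which audit model is in force. Once a subcategory is configured in the
    # local GPO, subcategory settings override the legacy categories that
    # secedit wrote ("Audit: Force audit policy subcategory settings ... to
    # override audit policy category settings").
    $lsa      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $auditCsv = Join-Path $env:SystemRoot 'System32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\audit.csv'
    [pscustomobject]@{
        # 1 = subcategory (advanced) settings win; $null = value not present
        SCENoApplyLegacyAuditPolicy   = $lsa.SCENoApplyLegacyAuditPolicy
        # the file secpol.msc's Advanced Audit Policy view reads and gpupdate re-applies
        LocalAdvancedPolicyFileExists = Test-Path $auditCsv
    }
}

function Get-EffectiveAuditPolicy {
    # Every subcategory with the setting LSA enforces right now. The output of
    # "auditpol /get /r" is CSV; blank lines are dropped before parsing.
    auditpol /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
}

function Get-UnauditedSubcategory {
    # Subcategories that currently produce no events at all. Assumption: the
    # text auditpol prints is "No Auditing"; it is localized on non-English Windows.
    param([string]$NoAuditingText = 'No Auditing')
    Get-EffectiveAuditPolicy |
        Where-Object { $_.'Inclusion Setting'.Trim() -eq $NoAuditingText } |
        Select-Object Subcategory, 'Subcategory GUID'
}

function Enable-AllAuditSubcategories {
    # Solution 1, scripted: success and failure on every subcategory, addressed
    # by GUID so no localized names are involved. A backup is written first;
    # the previous state comes back with:  auditpol /restore /file:<backup>
    param([string]$BackupFile = (Join-Path $env:TEMP 'auditpol-before.csv'))
    auditpol /backup "/file:$BackupFile" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /backup failed with exit code $LASTEXITCODE" }
    foreach ($row in Get-EffectiveAuditPolicy) {
        $guid = $row.'Subcategory GUID'.Trim()
        auditpol /set "/subcategory:$guid" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "Could not set $($row.Subcategory) ($guid)" }
    }
    return $BackupFile
}

# Diagnose first; call Enable-AllAuditSubcategories only after reading the result.
Get-AuditPolicyModelState | Format-List
$gaps = @(Get-UnauditedSubcategory)
"Subcategories currently at no auditing: $($gaps.Count)"
$gaps | Format-Table -AutoSize
```

Running the diagnostic before and after gpupdate /force on one server is the quickest way to see the override happen: the first run shows the legacy categories in effect, the second shows audit.csv present and every subcategory except Filtering Platform Connection at no auditing.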
to be continued!