AD Audit üzerinde yapılan bütün değişiklikler saklanmaktadır. Active Directory üzerinde nesnelerin bütün geçmişini görüntüleyebilir veya kritik nesneler üzerinde yapılan değişiklikleri sürekli olarak izleyebiliriz. AD gibi kritik bir ortamda yapılan tüm işlemleri takip edebilmemiz için Microsoft Best Practices’lerine uygun olarak AD Audit’lerimizi düzenlememiz ve açmamız gerekmektedir.
Group Policy Management üzerinden Domain Controllers OU’su altındaki, Default Domain Controller Policy üzerine gelinerek Edit yapılır.
Computer Configuration/Policies/Windows Settings/Security Settings/Advanced Audit Policy Configuration/Audit Policies/Account Logon alanına gelerek, Microsoft Best Practices’lerine uygun olarak audit politikalarını aşağıda yer alan EK 1 (AD Audit Düzenleme Çalışması)’na göre düzenleyeceğiz.
Örnek olarak ilk iki politika üzerinde gösterilmiş olup, aşağıdaki alanında yer alan tabloya göre tüm Audit’ler üzerinde çalışma gerçekleştirilmelidir.
EK 1 (AD Audit Düzenleme Çalışması)
| Audit Policy Category or Subcategory | Windows Default | Baseline Recommendation | Stronger Recommendation |
| Success Failure | Success Failure | Success Failure | |
| Account Logon | |||
| Audit Credential Validation | No No | Yes Yes | Yes Yes |
| Audit Kerberos Authentication Service | Yes Yes | ||
| Audit Kerberos Service Ticket Operations | Yes Yes | ||
| Audit Other Account Logon Events | Yes Yes | ||
| Account Management | |||
| Audit Application Group Management | |||
| Audit Computer Account Management | Yes DC | Yes Yes | |
| Audit Distribution Group Management | |||
| Audit Other Account Management Events | Yes Yes | Yes Yes | |
| Audit Security Group Management | Yes Yes | Yes Yes | |
| Audit User Account Management | Yes No | Yes Yes | Yes Yes |
| Detailed Tracking | |||
| Audit DPAPI Activity | Yes Yes | ||
| Audit Process Creation | Yes No | Yes Yes | |
| Audit Process Termination | |||
| Audit RPC Events | |||
| DS Access | |||
| Audit Detailed Directory Service Replication | |||
| Audit Directory Service Access | DC DC | DC DC | |
| Audit Directory Service Changes | DC DC | DC DC | |
| Audit Directory Service Replication | |||
| Logon and Logoff | |||
| Audit Account Lockout | Yes No | Yes No | |
| Audit User/Device Claims | |||
| Audit IPsec Extended Mode | |||
| Audit IPsec Main Mode | IF IF | ||
| Audit IPsec Quick Mode | |||
| Audit Logoff | Yes No | Yes No | Yes No |
| Audit Logon | Yes No | Yes Yes | Yes Yes |
| Audit Network Policy Server | Yes Yes | ||
| Audit Other Logon/Logoff Events | Yes Yes | ||
| Audit Special Logon | Yes No | Yes No | Yes Yes |
| Object Access | |||
| Audit Application Generated | |||
| Audit Certification Services | |||
| Audit Detailed File Share | |||
| Audit File Share | |||
| Audit File System | |||
| Audit Filtering Platform Connection | |||
| Audit Filtering Platform Packet Drop | |||
| Audit Handle Manipulation | |||
| Audit Kernel Object | |||
| Audit Other Object Access Events | |||
| Audit Registry | |||
| Audit Removable Storage | |||
| Audit SAM | |||
| Audit Central Access Policy Staging | |||
| Policy Change | |||
| Audit Audit Policy Change | Yes No | Yes Yes | Yes Yes |
| Audit Authentication Policy Change | Yes No | Yes No | Yes Yes |
| Audit Authorization Policy Change | |||
| Audit Filtering Platform Policy Change | |||
| Audit MPSSVC Rule-Level Policy Change | Yes | ||
| Audit Other Policy Change Events | |||
| Privilege Use | |||
| Audit Non Sensitive Privilege Use | |||
| Audit Other Privilege Use Events | |||
| Audit Sensitive Privilege Use | |||
| System | |||
| Audit IPsec Driver | Yes Yes | Yes Yes | |
| Audit Other System Events | Yes Yes | ||
| Audit Security State Change | Yes No | Yes Yes | Yes Yes |
| Audit Security System Extension | Yes Yes | Yes Yes | |
| Audit System Integrity | Yes Yes | Yes Yes | Yes Yes |
| Global Object Access Auditing | |||
| Audit IPsec Driver | |||
| Audit Other System Events | |||
| Audit Security State Change | |||
| Audit Security System Extension | |||
| Audit System Integrity |
Audit Policy Tables Legend
| Notation | Recommendation |
| YES | Enable in general scenarios |
| NO | Do not enable in general scenarios |
| IF | Enable if needed for a specific scenario, or if a role or feature for which auditing is desired is installed on the machine |
| DC | Enable on domain controllers |
| [Blank] | No recommendation |
Azure Security - Cyber Security 