快速入门

架构

架构

活动目录（Active Directory）

活动目录审核

概述
配置AD域和DC
- 自动配置
- 手动配置
配置审核策略
- 自动配置
- 手动配置
配置对象级审核
- 自动配置
- 手动配置
配置事件日志设置
故障排除

ADFS审计

组策略对象审核

Azure AD配置

概述
功能比较：Azure App与M365
在ADAudit Plus中配置Azure AD
- 使用Azure AD Premium许可证
- 使用Microsoft 365许可证
ADAudit Plus的报告功能
- ADAudit Plus与Azure门户
- ADAudit Plus与PowerShell cmdlet的比较
跟踪的事件类别
Azure AD中的日志保留设置
故障排除

Azure AD DS审核

AD CS审核

Windows服务器

Windows服务器审核

可移动存储审核

文件完整性监视

PowerShell审核指南

用户会话录制

概述和步骤

文件服务器

Windows文件服务器审核

EMC服务器审核

EMC Isilon审核

症状学审计

华为OceanStor审计

概述
华为OceanStor V5系列
华为OceanStor 9000 V5
华为OceanStor Dorado All-Flash Storage和OceanStor混合闪存（V6系列）
在ADAudit Plus中添加设备
排除配置
故障排除

NetApp文件管理器审核

NetApp群集审核

日立NAS审计

亚马逊FSx审计指南

QNAP NAS审核指南

Windows工作站审核

事件收集疑难解答

概述
错误和解决方案

迁移

安全

安全规范

安全性强化

安全性强化

产品配置

服务帐户配置

SSL配置

安全日志设置

安全日志设置

Agent配置

单一登录

NTLM身份验证
SAML身份验证

端口

产品和系统端口

2FA配置

虚拟IP地址设置

虚拟IP地址设置

高可用性配置

Configure audit polices - Manual Process

1. Configure list of Windows workstations to be audited

Open Active Directory Users and Computers.
Right-click on the domain and select New > Group.
In the New object - Group window that opens, type in “ADAuditPlusWS” as the Group name, check Group scope: Domain Local and Group type: Security. Click OK.
Right-click the newly created group, then select Properties > Members > Add. Add all the Windows workstations that you want to audit as a member of this group. Click OK.
Using domain admin credentials, log in to any computer that has the Group Policy Management Console (GPMC) on it.
Note: The GPMC will not be installed on workstations and/or enabled on member servers by default, so we recommend configuring audit policies on Windows domain controllers. Otherwise follow the steps in this page to install GPMC on your desired member server or workstation.
Go to Start > Windows Administrative Tools > Group Policy Management.
In the GPMC, right-click the domain in which you want to configure the Group Policy. Select Create a GPO and Link it here. In the New GPO window that opens, type in “ADAuditPlusWSPolicy” and click OK.
Select the <domain name>_ADAuditPlusWSPolicy GPO. Under Security Filtering, select Authenticated Users. Click Remove. In the Group Policy Management window that opens, select OK.
Select the <domain name>_ADAuditPlusWSPolicy GPO. Under Security Filtering, click Add and choose the security group ADAuditPlusWS created previously. Click OK.

2. Configure advanced audit policies

Configure the audit policies manually using the steps below:

Using domain admin credentials, log in to any computer that has the GPMC on it.
Go to Start > Windows Administrative Tools > Group Policy Management.
Right-click the GPO <domain name>_ADAuditPlusWSPolicy and select Edit.
In the Group Policy Management Editor, follow the steps below:

Note: Advanced audit policy configuration is only available in Windows Server 2008 or later. If you have an older version of Windows, configure legacy audit policies. It is recommended that you configure advanced audit policies instead of legacy audit policies to prevent storing needless event data logs, as the legacy policies contain more unwanted events.

Choose Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies.
Click, enable, and save the audit policies as shown below:

Advanced audit policy		Audit events
Category	Subcategory
Account Management	Audit Computer Account Management	Success
	Audit Distribution Group Management	Success
	Audit Security Group Management	Success
	Audit User Account Management	Success and failure
Detailed Tracking	Audit PNP Activity	Success and failure
Logon/Logoff	Audit Logoff	Success
	Audit Logon	Success and failure
	Audit Network Policy Server	Success and failure
	Audit Other Logon/Logoff Events	Success and failure
Object Access	Audit File Share	Success and failure
	Audit File System	Success and failure
	Audit Handle Manipulation	Success
	Audit Other Object Access Events	Success
	Audit Removable Storage	Success and failure
Policy Change	Audit Authentication Policy Change	Success
Policy Change	Audit Authorization Policy Change	Success
System	Audit Security State Change	Success

3. Force advanced audit policies

Force the advanced audit policies manually using the steps below:

Right-click the <domain name>_ADAuditPlusWSPolicy from GPMC.
In the Group Policy Management Editor, follow the steps below:
Choose Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings.
Enable the policy and click OK.

4. Configure legacy audit policies

Configure the legacy audit policies manually using the steps below:

Go to Start > Windows Administrative Tools > Group Policy Management.
Right-click the GPO <domain name>_ADAuditPlusWSPolicy and select Edit.
In the Group Policy Management Editor, follow the steps below:

Note:Advanced audit policy configuration is only available in Windows Server 2008 or later. If you have an older version of Windows, configure legacy audit policies. It is recommended that you configure advanced audit policies instead of legacy audit policies to prevent storing needless event data logs, as the legacy policies contain more unwanted events.

Choose Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policies.
Click, enable, and save the audit policies as shown below:

Local audit policy	Audit Events
Category
Audit account management	Success and failure
Audit logon events	Success
Audit object access	Success and failure
Audit policy change	Success
Audit system events	Success