如果以域用户身份远程登录，PC 速度极慢

Question

JDS

Asked: 2018-11-03 07:27:55 +0800 CST2018-11-03 07:27:55 +0800 CST 2018-11-03 07:27:55 +0800 CST

Windows：如何判断 auditpol 中列出的策略来自何处？

772

我将以此作为开头：我是一名 Linux 管理员。对我来说，窗户就像我开着一辆英国汽车——大部分操作都一样，但方向盘、按钮和操纵杆的位置不对，而且标签的拼写很有趣。

我有一台服务器是域成员。有从域应用的 GPO。够正常的。

当我在此服务器上运行 auditpol 时，我看到未在 secpol.msc 中设置且未在域 GPO 中设置的策略。我还比较了运行 gpresult 中应用的 GPO 列表，发现只有三个 GPO 被应用。（这个 3 GPO 列表是我希望看到的列表，所以这很好）。

例子：

在成员服务器上运行：

PS C:\Windows\system32> .\auditpol.exe /get /category:\*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success and Failure
...(truncated)...

和

PS C:\Windows\system32> .\gpresult.exe /v /r /scope computer
...(truncated)...
RSOP data for CORP\fflintstone on MGMTWIN01A : Logging Mode
-----------------------------------------------------------

OS Configuration:            Member Server
OS Version:                  10.0.14393
Site Name:                   XYZ
Roaming Profile:             N/A
Local Profile:               C:\Users\fflintstone
Connected over a slow link?: No


COMPUTER SETTINGS
------------------
    CN=MGMTWIN01A,OU=Windows,OU=Servers,DC=corp,DC=example,DC=com
    Last time Group Policy was applied: 11/2/2018 at 2:13:01 PM
    Group Policy was applied from:      corpdc01a.corp.example.com
    Group Policy slow link threshold:   500 kbps
    Domain Name:                        CORP
    Domain Type:                        Windows 2008 or later
...(truncated)...
    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy (CORP)
        Windows Allow RDP Access
        Windows Startup Script

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)
...(truncated)...

gpreseult 列为“已应用”的三个 GPO 都不包含在我的示例 auditpol 片段中列为“成功”或“成功和失败”的任何设置。

它们在哪里设置？我怎样才能找到这个？

3 个回答

Voted

Harry Johnston · Answer 1 · 2018-11-05T20:05:53+08:00

Windows 2016 的全新安装包括具有以下默认设置的内置审核策略：

System
  Security System Extension               No Auditing   
  System Integrity                        Success and Failure    
  IPsec Driver                            No Auditing    
  Other System Events                     Success and Failure    
  Security State Change                   Success

Logon/Logoff
  Logon                                   Success and Failure    
  Logoff                                  Success    
  Account Lockout                         Success    
  IPsec Main Mode                         No Auditing    
  IPsec Quick Mode                        No Auditing    
  IPsec Extended Mode                     No Auditing    
  Special Logon                           Success    
  Other Logon/Logoff Events               No Auditing    
  Network Policy Server                   Success and Failure    
  User / Device Claims                    No Auditing    
  Group Membership                        No Auditing

Object Access
  File System                             No Auditing    
  Registry                                No Auditing    
  Kernel Object                           No Auditing    
  SAM                                     No Auditing    
  Certification Services                  No Auditing    
  Application Generated                   No Auditing    
  Handle Manipulation                     No Auditing    
  File Share                              No Auditing    
  Filtering Platform Packet Drop          No Auditing    
  Filtering Platform Connection           No Auditing    
  Other Object Access Events              No Auditing    
  Detailed File Share                     No Auditing
  Removable Storage                       No Auditing    
  Central Policy Staging                  No Auditing

Privilege Use
  Non Sensitive Privilege Use             No Auditing    
  Other Privilege Use Events              No Auditing    
  Sensitive Privilege Use                 No Auditing    

Detailed Tracking
  Process Creation                        No Auditing    
  Process Termination                     No Auditing    
  DPAPI Activity                          No Auditing    
  RPC Events                              No Auditing    
  Plug and Play Events                    No Auditing    
  Token Right Adjusted Events             No Auditing    

Policy Change
  Audit Policy Change                     Success    
  Authentication Policy Change            Success          
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing    
  Filtering Platform Policy Change        No Auditing    
  Other Policy Change Events              No Auditing

Account Management
  Computer Account Management             Success    
  Security Group Management               Success    
  Distribution Group Management           No Auditing    
  Application Group Management            No Auditing    
  Other Account Management Events         No Auditing    
  User Account Management                 Success

DS Access
  Directory Service Access                Success    
  Directory Service Changes               No Auditing    
  Directory Service Replication           No Auditing    
  Detailed Directory Service Replication  No Auditing    

Account Logon
  Kerberos Service Ticket Operations      Success    
  Other Account Logon Events              No Auditing    
  Kerberos Authentication Service         Success    
  Credential Validation                   Success

auditpol /set在没有任何高级审核组策略（本地或域）的情况下，您可以使用命令修改内置策略。据我所知，auditpol也是查看内置策略的唯一方法。

当任何高级审核组策略应用于服务器时，内置审核策略将被丢弃，并且所有审核设置都将关闭，除了那些已通过组策略显式启用的设置。[我不清楚在什么情况下，如果有的话，这个过程是可逆的；我仍在调查。] 您仍然可以使用和/或本地旧版审核策略临时修改审核设置auditpol /set，但在下次处理组策略时，任何此类更改都将被丢弃。

从外观上看，您的服务器仍在使用默认审核策略。因此，您看到的策略是内置于全新 Windows 安装中的策略。

longneck · Answer 2 · 2018-11-03T07:48:13+08:00

longneck

2018-11-03T07:48:13+08:002018-11-03T07:48:13+08:00

这些设置也可以在本地策略中设置。在受影响的 PC 上打开gpedit.msc并查找其中的设置。

0

gamelton · Answer 3 · 2022-06-10T06:22:53+08:00

gamelton

2022-06-10T06:22:53+08:002022-06-10T06:22:53+08:00

有这篇 Microsoft 文章说 Local Policy overwriting auditpol

在下一个组策略刷新周期，CSE 应用 .csv 文件
%SYSTEMROOT%\system32\GroupPolicy\Machine\Microsoft\Windows NT\Audit\Audit.csv中存在的修改

https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/auditpol-local-security-policy-results-differ

0

Windows：如何判断 auditpol 中列出的策略来自何处？

新安装后 postgres 的默认超级用户用户名/密码是什么？

SFTP 使用什么端口？

命令行列出 Windows Active Directory 组中的用户？

什么是 Pem 文件，它与其他 OpenSSL 生成的密钥文件格式有何不同？

如何确定bash变量是否为空？

Windows：如何判断 auditpol 中列出的策略来自何处？

3 个回答

相关问题