windows-server-2008-r2 – 如何在重命名审核日志中确定新文件名?

前端之家收集整理的这篇文章主要介绍了windows-server-2008-r2 – 如何在重命名审核日志中确定新文件名?前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。
[ Windows 2008 R2文件系统审核]

当我删除文件时,会出现两条事件日志审核消息:4663表示请求删除文件,4660表示确认删除. Thay可以通过属性Handler加入.

当我重命名文件时,4663表示创建新文件(但只有文件夹路径,没有文件名)

当我将文件从一个文件夹移动到另一个文件夹时,存在与重命名相同的图片(因为移动实际上是重命名,OK)

创建新文件时,不会显示任何事件.

所以,问题:
1.审核文件创建时我缺少什么?
2.审核文件重命名时我缺少什么?

我的AuditPol.EXE导出(DACL和SACL):

Category/Subcategory                      Setting
System
  Security System Extension               Failure
  System Integrity                        Failure  
  IPsec Driver                            Failure    
  Other System Events                     Failure  
  Security State Change                   Failure    
logon/logoff
  logon                                   Success and Failure   
  logoff                                  Success and Failure    
  Account Lockout                         Success and Failure    
  IPsec Main Mode                         Success and Failure    
  IPsec Quick Mode                        Success and Failure    
  IPsec Extended Mode                     Success and Failure    
  Special logon                           Success and Failure    
  Other logon/logoff Events               Success and Failure    
  Network Policy Server                   Success and Failure    
Object Access
  File System                             Success    
  Registry                                No Auditing    
  Kernel Object                           No Auditing    
  SAM                                     No Auditing    
  Certification Services                  No Auditing    
  Application Generated                   No Auditing    
  Handle Manipulation                     No Auditing    
  File Share                              No Auditing    
  Filtering Platform Packet Drop          No Auditing    
  Filtering Platform Connection           No Auditing    
  Other Object Access Events              No Auditing    
  Detailed File Share                     No Auditing    
Privilege Use
  Sensitive Privilege Use                 Failure    
  Non Sensitive Privilege Use             Failure    
  Other Privilege Use Events              Failure    
Detailed Tracking
  Process Termination                     Failure    
  DPAPI Activity                          Failure    
  RPC Events                              Failure    
  Process Creation                        Failure    
Policy Change
  Audit Policy Change                     Failure    
  Authentication Policy Change            Failure    
  Authorization Policy Change             Failure    
  MPSSVC Rule-Level Policy Change         Failure    
  Filtering Platform Policy Change        Failure    
  Other Policy Change Events              Failure    
Account Management
  User Account Management                 Failure    
  Computer Account Management             Failure    
  Security Group Management               Failure    
  Distribution Group Management           Failure    
  Application Group Management            Failure    
  Other Account Management Events         Failure    
DS Access
  Directory Service Changes               No Auditing    
  Directory Service Replication           No Auditing    
  Detailed Directory Service Replication  No Auditing    
  Directory Service Access                Success    
Account logon
  Kerberos Service Ticket Operations      Success and Failure    
  Other Account logon Events              Success and Failure    
  Kerberos Authentication Service         Success and Failure    
  Credential Validation                   Success and Failure

Entry:            1    
Resource Type:    File   
User:             CONTOSO\Domain Users    
Flags:            Success    
Accesses:
    FILE_WRITE_DATA
    FILE_APPEND_DATA
    FILE_DELETE_CHILD
    DELETE    
The command was successfully executed.

`

这是一个复杂的答案.当我收集相关链接(包括在审计系统中很难可靠地完成的原因¹)时,试试这个:

使用SysMon并从EventID 2转出.

相关unanswered question.

¹他们都归结为CreateFile()API的行为,它可以接收的不同参数,从哪里,挂钩,架构以及消费者在获得它之后对句柄做了什么.检测对创建的文件时间的更改应该摆脱所有这些.

原文链接:https://www.f2er.com/windows/367919.html

猜你在找的Windows相关文章