#
# This script configures a Windows system's advanced audit policy (via auditpol) to match Microsoft's documented audit policy recommendations.
# It must be run from an elevated (Administrator) PowerShell session. It changes the *local* audit policy only; on a domain-joined host,
# audit settings delivered by Group Policy take precedence at the next policy refresh.
# Author: Jeff Starke
#
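# auditpol /set requires the SeSecurityPrivilege held by an elevated session. Without it every
# call below fails with a non-zero exit code, and because the per-call output was previously
# discarded the script would still print "has been updated". Check up front and fail loudly.
$currentIdentity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$currentPrincipal = New-Object Security.Principal.WindowsPrincipal($currentIdentity)
if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "This script must be run from an elevated (Administrator) PowerShell session."
    exit 1
}

# Count of auditpol calls that returned a non-zero exit code; reported at the end and
# reflected in the script's exit code so a deployment tool can detect partial failure.
$script:failures = 0

# Apply one advanced audit policy setting.
# Parameters:
#   Name     - subcategory name as listed by 'auditpol /list /subcategory:*' (or a category
#              name when -Category is given). NOTE: these names are localized; on a
#              non-English Windows they must be translated or replaced by their GUIDs.
#   Success  - 'enable' or 'disable' for success auditing.
#   Failure  - 'enable' or 'disable' for failure auditing.
#   Category - treat Name as a category (sets every subcategory beneath it).
# auditpol's output is captured instead of discarded; on a non-zero exit code the setting
# name and the tool's message are written as a warning and the failure counter is bumped.
function Set-AuditSetting {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [Parameter(Mandatory = $true)][ValidateSet('enable', 'disable')][string]$Success,
        [Parameter(Mandatory = $true)][ValidateSet('enable', 'disable')][string]$Failure,
        [switch]$Category
    )
    $scope  = if ($Category) { 'category' } else { 'subcategory' }
    $output = & auditpol /set "/${scope}:$Name" "/success:$Success" "/failure:$Failure" 2>&1
    if ($LASTEXITCODE -ne 0) {
        $script:failures++
        Write-Warning "auditpol failed for '$Name' (exit code $LASTEXITCODE): $($output -join ' ')"
    }
}

# Columns: subcategory, success auditing, failure auditing.
# If category-level audit policy is also being pushed by Group Policy, confirm that
# "Force audit policy subcategory settings ... to override audit policy category settings"
# is enabled, otherwise the subcategory settings below may not take effect.

# System
Set-AuditSetting 'Security System Extension'     enable  disable
Set-AuditSetting 'System Integrity'              enable  enable
Set-AuditSetting 'IPsec Driver'                  disable disable
Set-AuditSetting 'Other System Events'           enable  enable
Set-AuditSetting 'Security State Change'         enable  disable
# Logon/Logoff
Set-AuditSetting 'Logon'                         enable  enable
Set-AuditSetting 'Logoff'                        disable disable
Set-AuditSetting 'Account Lockout'               enable  enable
Set-AuditSetting 'IPsec Main Mode'               enable  enable
Set-AuditSetting 'IPsec Quick Mode'              enable  enable
Set-AuditSetting 'Special Logon'                 enable  disable
Set-AuditSetting 'Other Logon/Logoff Events'     enable  enable
Set-AuditSetting 'Network Policy Server'         enable  disable
Set-AuditSetting 'User / Device Claims'          enable  disable
Set-AuditSetting 'Group Membership'              enable  disable
# Object Access
Set-AuditSetting 'File System'                   disable enable
Set-AuditSetting 'Registry'                      disable disable
Set-AuditSetting 'Kernel Object'                 disable disable
Set-AuditSetting 'SAM'                           disable disable
Set-AuditSetting 'Certification Services'        enable  enable
Set-AuditSetting 'Application Generated'         disable disable
Set-AuditSetting 'Handle Manipulation'           disable disable
Set-AuditSetting 'File Share'                    enable  enable
Set-AuditSetting 'Filtering Platform Packet Drop' disable disable
Set-AuditSetting 'Other Object Access Events'    enable  enable
Set-AuditSetting 'Detailed File Share'           disable enable
Set-AuditSetting 'Removable Storage'             enable  enable
Set-AuditSetting 'Central Policy Staging'        disable disable
# Privilege Use
Set-AuditSetting 'Non Sensitive Privilege Use'   disable disable
Set-AuditSetting 'Other Privilege Use Events'    disable disable
Set-AuditSetting 'Sensitive Privilege Use'       enable  disable
# Detailed Tracking
# Process Creation (event 4688) will not include the process command line unless the separate
# "Include command line in process creation events" policy setting is enabled as well.
Set-AuditSetting 'Process Creation'              enable  disable
Set-AuditSetting 'Process Termination'           disable disable
Set-AuditSetting 'DPAPI Activity'                disable disable
Set-AuditSetting 'RPC Events'                    enable  disable
Set-AuditSetting 'Plug and Play Events'          enable  disable
Set-AuditSetting 'Token Right Adjusted Events'   disable disable
# Policy Change
Set-AuditSetting 'Audit Policy Change'           enable  disable
Set-AuditSetting 'Authentication Policy Change'  enable  disable
Set-AuditSetting 'Authorization Policy Change'   enable  disable
Set-AuditSetting 'MPSSVC Rule-Level Policy Change' enable enable
Set-AuditSetting 'Filtering Platform Policy Change' disable disable
Set-AuditSetting 'Other Policy Change Events'    disable enable
# Account Management
Set-AuditSetting 'Computer Account Management'   enable  disable
Set-AuditSetting 'Security Group Management'     enable  disable
Set-AuditSetting 'Distribution Group Management' enable  disable
Set-AuditSetting 'Application Group Management'  enable  disable
Set-AuditSetting 'Other Account Management Events' enable disable
Set-AuditSetting 'User Account Management'       enable  enable
# DS Access (only meaningful on a domain controller; auditpol still accepts the settings elsewhere)
Set-AuditSetting 'Directory Service Access'      disable enable
Set-AuditSetting 'Directory Service Changes'     enable  disable
Set-AuditSetting 'Directory Service Replication' disable disable
Set-AuditSetting 'Detailed Directory Service Replication' disable disable
# Account Logon: whole category, success and failure.
Set-AuditSetting 'Account Logon' enable enable -Category

# Report the outcome honestly: the success message is printed only when every call succeeded.
# The added auditing increases Security log volume; make sure the log's maximum size and
# retention policy are sized for it.
echo ""
if ($script:failures -eq 0) {
    echo "The local audit policy has been updated. Please review the new configuration below."
} else {
    Write-Warning "$script:failures audit setting(s) could not be applied. Review the warnings above and the effective configuration below."
}
Start-Sleep 3
echo ""
auditpol /get /category:*
# Propagate partial failure through the exit code.
if ($script:failures -ne 0) { exit 1 }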