Update DC Auditing GPO and Add Packer Script for ENA
This commit is contained in:
Chris Long
10
Packer/scripts/install-aws-ena.ps1
Normal file
10
Packer/scripts/install-aws-ena.ps1
Normal file
@@ -0,0 +1,10 @@
|
|||||||
|
# Installs the AWS Enhanced Networking for Windows
|
||||||
|
Write-Host "Installing the AWS Enhanced Networking Driver"
|
||||||
|
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
|
||||||
|
$url="https://s3.amazonaws.com/ec2-windows-drivers-downloads/ENA/Latest/AwsEnaNetworkDriver.zip"
|
||||||
|
(New-Object System.Net.WebClient).DownloadFile($url, "$env:TEMP\AwsEnaNetworkDriver.zip")
|
||||||
|
Expand-Archive -Path $env:TEMP\AwsEnaNetworkDriver.zip -DestinationPath $env:TEMP -Force
|
||||||
|
. $env:TEMP\AwsEnaNetworkDriver\install.ps1
|
||||||
|
|
||||||
|
rm $env:TEMP\AwsEnaNetworkDriver.zip
|
||||||
|
rm -recurse $env:TEMP\AwsEnaNetworkDriver
|
||||||
@@ -154,7 +154,8 @@
|
|||||||
{
|
{
|
||||||
"type": "powershell",
|
"type": "powershell",
|
||||||
"scripts": [
|
"scripts": [
|
||||||
"./scripts/debloat-windows.ps1"
|
"./scripts/debloat-windows.ps1",
|
||||||
|
"./scripts/install-aws-ena.ps1"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -1 +0,0 @@
|
|||||||
<Backups xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" xmlns:mfst="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest" mfst:version="1.0"><BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{DFA9C351-32A5-4F64-8F39-2F8100135C1F}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{bb63303b-70b8-46e7-9f35-76fc60e44c8d}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2019-11-12T06:13:24]]></BackupTime><ID><![CDATA[{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst></Backups>
|
|
||||||
@@ -1,20 +0,0 @@
|
|||||||
<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
|
|
||||||
<GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Event Log Readers]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid><![CDATA[S-1-5-21-2099590610-328841986-2664697228-11659]]></Sid><SamAccountName/><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid/><SamAccountName><![CDATA[NETWORK SERVICE]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-53361171-1213565763-3980624709-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-53361171-1213565763-3980624709-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-53361171-1213565763-3980624709-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{DFA9C351-32A5-4F64-8F39-2F8100135C1F}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 13 3a 2e 03 43 8b 55 48 45 83 43 ed e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 13 3a 2e 03 43 8b 55 48 45 83 43 ed 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 13 3a 2e 03 43 8b 55 48 45 83 43 ed 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[196611]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings>
|
|
||||||
<GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
|
|
||||||
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
|
|
||||||
|
|
||||||
<FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Adm\*.*"/>
|
|
||||||
</GroupPolicyExtension>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
|
|
||||||
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
|
|
||||||
</GroupPolicyExtension>
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
<GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{DFA9C351-32A5-4F64-8F39-2F8100135C1F}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
|
|
||||||
</GroupPolicyBackupScheme>
|
|
||||||
@@ -1 +0,0 @@
|
|||||||
<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{DFA9C351-32A5-4F64-8F39-2F8100135C1F}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{bb63303b-70b8-46e7-9f35-76fc60e44c8d}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2019-11-12T06:13:24]]></BackupTime><ID><![CDATA[{5CCBF08F-6806-4F18-BF5E-AF470F4A6EA3}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
|
|
||||||
@@ -0,0 +1,20 @@
|
|||||||
|
<?xml version="1.0" encoding="utf-8"?><!-- Copyright (c) Microsoft Corporation. All rights reserved. --><GroupPolicyBackupScheme bkp:version="2.0" bkp:type="GroupPolicyBackupTemplate" xmlns:bkp="http://www.microsoft.com/GroupPolicy/GPOOperations" xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations">
|
||||||
|
<GroupPolicyObject><SecurityGroups><Group><Sid/><SamAccountName><![CDATA[Event Log Readers]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid/><SamAccountName><![CDATA[NETWORK SERVICE]]></SamAccountName><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group><Sid><![CDATA[S-1-5-21-2099590610-328841986-2664697228-11659]]></Sid><SamAccountName/><Type><![CDATA[Unknown]]></Type><NetBIOSDomainName/><DnsDomainName/><UPN/></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-377594182-1886796131-3376434582-1000]]></Sid><SamAccountName><![CDATA[vagrant]]></SamAccountName><Type><![CDATA[User]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[vagrant@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-377594182-1886796131-3376434582-519]]></Sid><SamAccountName><![CDATA[Enterprise Admins]]></SamAccountName><Type><![CDATA[UniversalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Enterprise Admins@windomain.local]]></UPN></Group><Group bkp:Source="FromDACL"><Sid><![CDATA[S-1-5-21-377594182-1886796131-3376434582-512]]></Sid><SamAccountName><![CDATA[Domain Admins]]></SamAccountName><Type><![CDATA[GlobalGroup]]></Type><NetBIOSDomainName><![CDATA[WINDOMAIN]]></NetBIOSDomainName><DnsDomainName><![CDATA[windomain.local]]></DnsDomainName><UPN><![CDATA[Domain Admins@windomain.local]]></UPN></Group></SecurityGroups><FilePaths/><GroupPolicyCoreSettings><ID><![CDATA[{A201283D-F9F8-4136-AD47-F6241F510BB8}]]></ID><Domain><![CDATA[windomain.local]]></Domain><SecurityDescriptor>01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 46 a1 81 16 63 39 76 70 96 4d 40 c9 e8 03 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 46 a1 81 16 63 39 76 70 96 4d 40 c9 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 46 a1 81 16 63 39 76 70 96 4d 40 c9 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00</SecurityDescriptor><DisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></DisplayName><Options><![CDATA[0]]></Options><UserVersionNumber><![CDATA[65537]]></UserVersionNumber><MachineVersionNumber><![CDATA[327685]]></MachineVersionNumber><MachineExtensionGuids><![CDATA[[{00000000-0000-0000-0000-000000000000}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{B05566AC-FE9C-4368-BE01-7A4CBB6CBA11}{D02B1F72-3407-48AE-BA88-E8213C6761F1}][{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}][{B087BE9D-ED37-454F-AF9C-04291E351182}{BEE07A6A-EC9F-4659-B8C9-0B1937907C83}][{F3CCC681-B74C-4060-9F26-CD84525DCA2A}{0F3F3735-573D-9804-99E4-AB2A69BA5FD4}]]]></MachineExtensionGuids><UserExtensionGuids/><WMIFilter/></GroupPolicyCoreSettings>
|
||||||
|
<GroupPolicyExtension bkp:ID="{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" bkp:DescName="Registry">
|
||||||
|
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\registry.pol" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\registry.pol" bkp:Location="DomainSysvol\GPO\Machine\registry.pol"/>
|
||||||
|
|
||||||
|
<FSObjectFile bkp:Path="%GPO_FSPATH%\Adm\*.*" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Adm\*.*"/>
|
||||||
|
</GroupPolicyExtension>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<GroupPolicyExtension bkp:ID="{827D319E-6EAC-11D2-A4EA-00C04F79F83A}" bkp:DescName="Security">
|
||||||
|
<FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf" bkp:ReEvaluateFunction="SecurityValidateSettings" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit\GptTmpl.inf"/>
|
||||||
|
</GroupPolicyExtension>
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
<GroupPolicyExtension bkp:ID="{F15C46CD-82A0-4C2D-A210-5D0D3182A418}" bkp:DescName="Unknown Extension"><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Applications" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\Applications" bkp:Location="DomainSysvol\GPO\Machine\Applications"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\comment.cmtx" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\comment.cmtx" bkp:Location="DomainSysvol\GPO\Machine\comment.cmtx"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\microsoft" bkp:Location="DomainSysvol\GPO\Machine\microsoft"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\microsoft\windows nt" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\microsoft\windows nt\Audit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\Audit\audit.csv" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\microsoft\windows nt\Audit\audit.csv" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\microsoft\windows nt\SecEdit" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\microsoft\windows nt\SecEdit" bkp:Location="DomainSysvol\GPO\Machine\microsoft\windows nt\SecEdit"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\Preferences" bkp:Location="DomainSysvol\GPO\Machine\Preferences"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\Preferences\Registry" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry"/><FSObjectFile bkp:Path="%GPO_MACH_FSPATH%\Preferences\Registry\Registry.xml" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\Preferences\Registry\Registry.xml" bkp:Location="DomainSysvol\GPO\Machine\Preferences\Registry\Registry.xml"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\Scripts" bkp:Location="DomainSysvol\GPO\Machine\Scripts"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Shutdown" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\Scripts\Shutdown" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Shutdown"/><FSObjectDir bkp:Path="%GPO_MACH_FSPATH%\Scripts\Startup" bkp:SourceExpandedPath="\\dc.windomain.local\sysvol\windomain.local\Policies\{A201283D-F9F8-4136-AD47-F6241F510BB8}\Machine\Scripts\Startup" bkp:Location="DomainSysvol\GPO\Machine\Scripts\Startup"/></GroupPolicyExtension></GroupPolicyObject>
|
||||||
|
</GroupPolicyBackupScheme>
|
||||||
@@ -28,11 +28,15 @@ Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclus
|
|||||||
,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
,System,Audit File System,{0cce921d-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2
|
,System,Audit Filtering Platform Connection,{0cce9226-69ae-11d9-bed3-505054503030},Failure,,2
|
||||||
,System,Audit Kernel Object,{0cce921f-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
,System,Audit Kernel Object,{0cce921f-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
|
,System,Audit Registry,{0cce921e-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success,,1
|
,System,Audit Removable Storage,{0cce9245-69ae-11d9-bed3-505054503030},Success,,1
|
||||||
,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
,System,Audit Audit Policy Change,{0cce922f-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
,System,Audit Authentication Policy Change,{0cce9230-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success,,1
|
,System,Audit MPSSVC Rule-Level Policy Change,{0cce9232-69ae-11d9-bed3-505054503030},Success,,1
|
||||||
|
,System,Audit Non Sensitive Privilege Use,{0cce9229-69ae-11d9-bed3-505054503030},Failure,,2
|
||||||
|
,System,Audit Sensitive Privilege Use,{0cce9228-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
,System,Audit IPsec Driver,{0cce9213-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
|
,System,Audit Other System Events,{0cce9214-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
,System,Audit Security State Change,{0cce9210-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
,System,Audit Security System Extension,{0cce9211-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
,System,Audit System Integrity,{0cce9212-69ae-11d9-bed3-505054503030},Success and Failure,,3
|
||||||
|
Binary file not shown.
@@ -0,0 +1 @@
|
|||||||
|
<BackupInst xmlns="http://www.microsoft.com/GroupPolicy/GPOOperations/Manifest"><GPOGuid><![CDATA[{A201283D-F9F8-4136-AD47-F6241F510BB8}]]></GPOGuid><GPODomain><![CDATA[windomain.local]]></GPODomain><GPODomainGuid><![CDATA[{6f00afa8-076a-450f-9f16-bca31a97fc68}]]></GPODomainGuid><GPODomainController><![CDATA[dc.windomain.local]]></GPODomainController><BackupTime><![CDATA[2020-05-03T04:09:32]]></BackupTime><ID><![CDATA[{D758182C-84C3-420D-806A-50664169D3B2}]]></ID><Comment><![CDATA[]]></Comment><GPODisplayName><![CDATA[Domain Controllers Enhanced Auditing Policy]]></GPODisplayName></BackupInst>
|
||||||
Binary file not shown.
@@ -24,5 +24,4 @@ TRUNCATE = 0
|
|||||||
TRANSFORMS-null = setnull
|
TRANSFORMS-null = setnull
|
||||||
|
|
||||||
[WinEventLog]
|
[WinEventLog]
|
||||||
TRANSFORMS-null = osqueryd_wineventlog_null
|
|
||||||
TRANSFORMS-null = autoruns_wineventlog_null
|
TRANSFORMS-null = autoruns_wineventlog_null
|
||||||
@@ -19,11 +19,6 @@ REGEX = Error\scasting
|
|||||||
DEST_KEY = queue
|
DEST_KEY = queue
|
||||||
FORMAT = nullQueue
|
FORMAT = nullQueue
|
||||||
|
|
||||||
[osqueryd_wineventlog_null]
|
|
||||||
REGEX = "Process_Name=C:\\Program Files\\osquery\\osqueryd\\osqueryd.exe"
|
|
||||||
DEST_KEY = queue
|
|
||||||
FORMAT = nullQueue
|
|
||||||
|
|
||||||
[autoruns_wineventlog_null]
|
[autoruns_wineventlog_null]
|
||||||
REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
|
REGEX = "Script\sName\s=\sC\:\\Program Files\\AutorunsToWinEventLog\\AutorunsToWinEventLog.ps1"
|
||||||
DEST_KEY = queue
|
DEST_KEY = queue
|
||||||
|
|||||||
Reference in New Issue
Block a user