Audit policies are critical for maintaining security and compliance within a Windows environment. They define what types of events are logged in the security log of a Windows system. In this article, we'll explore how to retrieve and manage audit policies using PowerShell, specifically focusing on the Get-AuditPolicy cmdlet.
Get-AuditPolicy
Get-AuditPolicy is a PowerShell cmdlet used to retrieve the audit policy settings for a system. Audit policies determine what types of events are logged in the security log, such as logon attempts, access to files, and changes to system settings. These logs are essential for monitoring and investigating security incidents.
Before you can use Get-AuditPolicy, ensure that you have:
To retrieve the current audit policy settings on a Windows system, you can use the Get-AuditPolicy cmdlet. Below are some practical examples.
To retrieve all audit policies on the system, open PowerShell with administrative privileges and run the following command:
Get-AuditPolicy -Category *
This command will display all the audit policies categorized by different policy areas, such as Account Logon, Object Access, and Privilege Use.
If you are interested in a specific category, such as "Logon/Logoff," you can use the following command:
Get-AuditPolicy -Category "Logon/Logoff"
This will display the audit policies related to logon and logoff events.
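As an added example that is not part of the original article, the following script reads the effective audit policy with auditpol.exe (the built-in command-line tool, used here instead of Get-AuditPolicy) and compares it with a small baseline of subcategories a defender expects to be audited. The baseline contents and the function names are assumptions.

```powershell
# Added example: verify the effective audit policy against a baseline.
# Run from an elevated PowerShell session; auditpol.exe needs admin rights.
# Subcategory names below are the English ones (localized systems differ).
$Baseline = @{
    'Logon'                 = @('Success', 'Failure')
    'Logoff'                = @('Success')
    'Audit Policy Change'   = @('Success', 'Failure')
    'Security State Change' = @('Success')
}

function Get-EffectiveAuditPolicy {
    # /r prints CSV with the columns: Machine Name, Policy Target,
    # Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
    auditpol.exe /get /category:* /r |
        Where-Object { $_.Trim() -ne '' } |
        ConvertFrom-Csv
}

function Test-AuditBaseline {
    param(
        [Parameter(Mandatory)] [hashtable] $Expected,
        [Parameter(Mandatory)] [object[]]  $Policy
    )
    foreach ($name in $Expected.Keys) {
        $row = $Policy | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        # 'Inclusion Setting' is one of: No Auditing, Success, Failure, Success and Failure
        $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
        # Every required flag must appear in the effective setting
        $missing = @($Expected[$name] | Where-Object { $actual -notmatch $_ })
        [pscustomobject]@{
            Subcategory = $name
            Expected    = ($Expected[$name] -join ' and ')
            Actual      = $actual
            Compliant   = ($missing.Count -eq 0)
        }
    }
}

$report = Test-AuditBaseline -Expected $Baseline -Policy (Get-EffectiveAuditPolicy)
$report | Format-Table -AutoSize

# Non-zero exit code makes the check usable from a scheduled task or CI job
if ($report | Where-Object { -not $_.Compliant }) { exit 1 }
```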
While Get-AuditPolicy is used to retrieve audit policies, you might also need to set or modify these policies. For this purpose, you can use the Set-AuditPolicy cmdlet.
To set the audit policy for logon and logoff events, use the following command:
Set-AuditPolicy -Category "Logon/Logoff" -AuditFlag Success,Failure -User Everyone
This command configures the system to audit both successful and failed logon and logoff events for all users.
After configuring audit policies, you can view the events logged in the security log using the Event Viewer or PowerShell.
To open the Event Viewer, type eventvwr in the Run dialog (Win + R), then navigate to Windows Logs > Security.
To view the latest security events using PowerShell, run the following command:
Get-EventLog -LogName Security -Newest 10
This command retrieves the 10 most recent events from the security log.
Managing audit policies is crucial for maintaining the security and compliance of your Windows systems. Using PowerShell cmdlets like Get-AuditPolicy and Set-AuditPolicy, you can efficiently retrieve and configure these policies to ensure that your system logs the necessary events for monitoring and investigation.