Windows 10 Protected Event Logging


Protected Event Logging is a new feature in Windows 10. It applies a layer of encryption to logged events so that sensitive data does not end up in the hands of attackers. In this Ask the Admin, I'll look at how it works in Windows.

Collecting information about what is happening on your systems is generally a good thing, although processing all of that information can be difficult. PowerShell script-block logging, when enabled, writes the code that runs to the Windows Event Log, even when an attacker tries to evade detection by encoding it. But with all this information stored in the logs, there is a risk that sensitive information, such as credentials, could be exposed if the logs are compromised.

For more information about how attackers try to evade detection, see What Is the Antimalware Scan Interface (AMSI) in Windows 10? on the Petri IT Knowledgebase.

To protect sensitive data that might end up in the event log, Windows 10 Protected Event Logging (PEL) encrypts data using the IETF Cryptographic Message Syntax (CMS) standard as it is written to the logs. The logs can then be decrypted once they have been forwarded to a central server using Windows Event Forwarding. PEL is not enabled by default, and PowerShell is the only application that participates in it on Windows 10.

CMS encryption

The CMS encryption standard used by PEL is public-key based. A public key is installed on every machine where Windows PEL is enabled. The corresponding private key is used to decrypt the logs on a collection server or in another Security Information and Event Management (SIEM) solution.

Windows PEL can be enabled using the Enable Protected Event Logging setting in Group Policy under Windows Components -> Administrative Templates -> Event Logging. You will need to provide a certificate when you enable the setting. The certificate must have the Document Encryption enhanced key usage (1.3.6.1.4.1.311.80.1) and either the Data Encipherment or Key Encipherment key usage. Microsoft says the certificate can be identified in Group Policy in one of the following ways:

  • The contents of a base-64 encoded X.509 certificate (for example, as produced by 'Export' in Certificate Manager)
  • The thumbprint of a certificate that can be found in the Local Machine certificate store (usually deployed by PKI infrastructure)
  • The full path to a certificate (can be local, or a remote share)
  • The path to a directory containing a certificate or certificates (can be local, or a remote share)
  • The subject name of a certificate that can be found in the Local Machine certificate store (usually deployed by PKI)

It is important that the certificate deployed through Group Policy does not include the private key. If for any reason the certificate you specify in Group Policy cannot be used, an event is written to the event log and logging continues, but unencrypted.

Windows Management Framework v5

Windows PEL is included in PowerShell v5, which is part of Windows Management Framework (WMF) v5. Windows 10 and Windows Server 2016 are the only operating systems that have Group Policy settings for enabling Windows PEL. Any version of Windows upgraded to WMF v5 can use PEL if it is enabled manually using PowerShell cmdlets, where ProtectedEventLogging.cer is the path to the certificate containing the public key you want to install.

$cert = Get-Content C:\temp\ProtectedEventLogging.cer -Raw
Enable-ProtectedEventLogging -Certificate $cert

The Unprotect-CmsMessage PowerShell cmdlet can decrypt logs that were protected using CMS. Alternatively, use PowerShell cmdlets such as Get-WinEvent to retrieve the encrypted logs, provided that a certificate containing the private key is installed on the device where the cmdlet is run.
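The following PowerShell is an added example rather than code from the Petri article. It checks a certificate against the requirements listed above (Document Encryption EKU, an encipherment key usage, no private key) before enabling PEL with it, and shows how a collector holding the private key reads script-block events back. The .cer path, the event ID 4104 and the Microsoft-Windows-PowerShell/Operational log name are assumptions.

```powershell
# Added example, not code from the Petri article. Assumed: the .cer path, and that
# script-block events are event ID 4104 in Microsoft-Windows-PowerShell/Operational.
using namespace System.Security.Cryptography.X509Certificates

function Test-PelCertificate {
    # Validate the certificate requirements for PEL before enabling it on a logging host.
    param([Parameter(Mandatory)][string]$Path)

    $cert = [X509Certificate2]::new($Path)
    $docEncryptionOid = '1.3.6.1.4.1.311.80.1'   # Document Encryption EKU

    $eku = $cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    $hasDocEncryption = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $docEncryptionOid })

    $ku = $cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    $wanted = [X509KeyUsageFlags]::DataEncipherment -bor [X509KeyUsageFlags]::KeyEncipherment
    $hasEncipherment = $ku -and (($ku.KeyUsages -band $wanted) -ne 0)

    if (-not $hasDocEncryption) { throw "Missing Document Encryption EKU ($docEncryptionOid)" }
    if (-not $hasEncipherment)  { throw 'Missing Data Encipherment or Key Encipherment key usage' }
    if ($cert.HasPrivateKey)    { throw 'Certificate deployed to logging hosts must not carry the private key' }
    return $cert.Thumbprint
}

function Read-ProtectedScriptBlockEvent {
    # Run on the collector where the private key is installed: returns script-block events in clear text.
    param([int]$MaxEvents = 10)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents $MaxEvents |
        ForEach-Object {
            if ($_.Message -match '-----BEGIN CMS-----') { Unprotect-CmsMessage -EventLogRecord $_ }
            else { $_.Message }   # not encrypted, e.g. logged before PEL was enabled or after a certificate failure
        }
}

# On a logging host: validate the public certificate, then enable PEL with it (as in the article).
$certPath = 'C:\temp\ProtectedEventLogging.cer'
Test-PelCertificate -Path $certPath
Enable-ProtectedEventLogging -Certificate (Get-Content $certPath -Raw)

# On the collector: Read-ProtectedScriptBlockEvent -MaxEvents 5
```

Events that come back unencrypted on the collector are worth alerting on, since PEL silently falls back to plain-text logging when the configured certificate cannot be used.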

When PowerShell script-block logging is enabled on a device, consider whether the logs need to be protected. On servers that are already well protected, such as domain controllers, this may not be a necessary control: once a domain controller is compromised, it is 'game over'. Much will also depend on the scripts you run in your organization. If they contain credentials, or details about infrastructure that could help an attacker gain access, then you should take steps to protect that data.

The post Windows 10 Protected Event Logging appeared first on Petri.