
Enable IPsec and Windows Firewall Audit Events

Updated: January 2009

Applies To: Windows Server 2008, Windows Vista

By default, Windows Firewall with Advanced Security does not generate audit events for either the Windows Firewall service or Internet Protocol security (IPsec). To see the events, you must enable event logging. Because the Windows Firewall and IPsec components can potentially generate a large number of events, consider turning logging on only when you need to troubleshoot Windows Firewall and IPsec issues, and then turn the events off again when you are done.

To perform these procedures, you must have membership in the local Administrators group, or you must have been delegated the appropriate authority. If you do not have the required permissions, then the commands fail and display an error message.

To enable Windows Firewall with Advanced Security audit events

  1. Open an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the following command. You can copy and paste this command into the Command Prompt window:

    auditpol.exe /set /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection" /success:enable /failure:enable

  4. Restart the Windows Firewall service by typing the following commands, ending each by pressing ENTER:

    net stop MPSSVC

    net start MPSSVC

  5. When you are ready to disable event logging, run the same command as in step 3, but use /success:disable /failure:disable at the end of the command. Then restart the service by performing step 4 again.

To view the current settings for IPsec and Windows Firewall audit events

  1. Open an administrative command prompt. Click Start, click All Programs, click Accessories, right-click Command Prompt, and then click Run as administrator.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. At the command prompt, type the following command. You can copy and paste this command into a batch file, and then run it that way if you want:

    auditpol.exe /get /SubCategory:"MPSSVC rule-level Policy Change","Filtering Platform policy change","IPsec Main Mode","IPsec Quick Mode","IPsec Extended Mode","IPsec Driver","Other System Events","Filtering Platform Packet Drop","Filtering Platform Connection"

    The command displays the current audit event settings for each subcategory.

To see the new audit events in Event Viewer

  1. Open the Event Viewer. Click Start, type eventvwr in the Start Search box, and then press ENTER.

  2. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  3. In the navigation pane, expand the Windows Logs branch.

  4. Right-click Security, and then click Filter Current Log.

  5. In the Includes/Excludes Event IDs box, type 4600-5500, and then click OK.

    Event Viewer displays any events that match the criteria. If you just enabled the audit events, there might be only a few events to view at first.
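
The three procedures above can be combined into one time-boxed troubleshooting run. The following script is an added example, not part of the original Microsoft article; it assumes an elevated PowerShell 2.0 or later prompt and English auditpol output, and `$WindowSeconds` and the function names are hypothetical.

```powershell
# Added example, not Microsoft's script. Run from an elevated PowerShell 2.0+ prompt.
# Assumes English auditpol output; $WindowSeconds is a hypothetical parameter.
param([int]$WindowSeconds = 300)

# The nine subcategories from the auditpol commands on this page.
$subcategories = @(
    'MPSSVC rule-level Policy Change', 'Filtering Platform policy change',
    'IPsec Main Mode', 'IPsec Quick Mode', 'IPsec Extended Mode', 'IPsec Driver',
    'Other System Events', 'Filtering Platform Packet Drop', 'Filtering Platform Connection'
)
$target = '/subcategory:' + ($subcategories -join ',')

function Set-FirewallAudit([string]$State) {   # $State is 'enable' or 'disable'
    & auditpol.exe /set $target "/success:$State" "/failure:$State" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
    # Restart the Windows Firewall service, as in step 4 of the first procedure.
    & net.exe stop MPSSVC | Out-Null
    & net.exe start MPSSVC | Out-Null
}

function Get-FirewallAudit {
    # /r prints the settings as CSV; drop blank lines before parsing.
    & auditpol.exe /get $target /r | Where-Object { $_.Trim() } | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

$start = Get-Date
try {
    Set-FirewallAudit 'enable'
    $notSet = @(Get-FirewallAudit | Where-Object { $_.'Inclusion Setting' -ne 'Success and Failure' })
    if ($notSet.Count -gt 0) { Write-Warning ('Not fully enabled: ' + (($notSet | ForEach-Object { $_.Subcategory }) -join ', ')) }

    Write-Host "Reproduce the problem now; collecting for $WindowSeconds seconds..."
    Start-Sleep -Seconds $WindowSeconds

    # Same ID range as the Event Viewer filter (4600-5500), limited to this run.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $start } -ErrorAction SilentlyContinue |
        Where-Object { $_.Id -ge 4600 -and $_.Id -le 5500 } |
        Group-Object Id | Sort-Object Count -Descending |
        Format-Table Count, Name -AutoSize
}
finally {
    # Runs even on error or Ctrl+C, so the high-volume logging is not left on.
    Set-FirewallAudit 'disable'
    Get-FirewallAudit | Format-Table -AutoSize
}
```

Like step 5 of the first procedure, the cleanup disables all nine subcategories, including any that were already enabled before the run, so compare the final table against your baseline audit policy.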

© 2014 Microsoft. All rights reserved.