RE: Audit Privilege Use - Windows 2003 Security Guide
Hi,

Actually, my previous post wasn't quite correct: the Security Guide does
state that some privilege uses are not audited, but the shutdown and change
system time privileges aren't in the list of 'not audited events', so my
initial question stands: is this a bug, or is there some further documentation
around this?

Cheers,

Gareth

"Gareth" wrote:

Hi Miles,

Thanks for your response.

I've checked that the policies are applied correctly and they are. I've also
tried your suggestion of attempting a reboot using shutdown -r, and this does
log a failed event. Unfortunately, attempting to shut down the server using
tsshutdn -reboot does not log an event. On further testing, it would appear
that shutting down the system successfully using tsshutdn does not generate a
success event either.

Changing the system time does result in a success event for the user who
changed the time but a normal user failing to change the system time is not
recorded (I know that audit setting is working properly because of the test
you provided using the shutdown command).

It would appear that the auditing for privilege use is not very reliable
(it doesn't pick up some failed attempts at using privileges). Is this
recognised as a bug? Or are there some guidelines as to what this particular
type of auditing does and doesn't pick up? (I've already read the Windows
2003 Security Guide and the Threats and Countermeasures Guide, and neither
document states that some privilege uses are not audited.)

Thanks,

Gareth
"Miles Li [MSFT]" wrote:


Hello Gareth,

Thank you for your post.

To answer your question, no, it is not correct. From my test, when using
a non-admin user account without the necessary privileges, a failure audit
will be logged in the Security event log.

Here is a sample Failure Audit event when a user without the system shutdown
privilege tries to restart the computer by running 'shutdown -r' at the
command prompt.

Failure Audit
Event ID: 578

Privileged object operation:
Object Server: Win32 Registry/SystemShutdown module
Object Handle: 0
Process ID: 352
Primary User Name: Computer_name
Primary Domain: Domain_name
Primary Logon ID: (0x0,0x3E7)
Client User Name: User_name
Client Domain: Domain_name
Client Logon ID: (0x0,0x4F0BA)
Privileges: SeShutdownPrivilege

Please confirm whether the related computer has successfully applied the
audit group policy and then check whether similar Failure Audit logs are
recorded in event log.

Hope it helps. Thanks.

Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
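The thread above comes down to checking which privilege-use audits the Security log actually contains after each test (shutdown -r, tsshutdn, changing the system time). The following is an added example, not code from the original thread or from Microsoft: a PowerShell script that reads the classic Security log, keeps the Windows Server 2003 privilege-use events (577 "Privileged Service Called" and 578 "Privileged Object Operation", the latter being the event Miles quotes), and tabulates them per user, privilege and outcome. It assumes PowerShell 2.0 or later with Get-EventLog, rights to read the Security log, and that the privilege names and caller appear in the event text in the form shown in Miles's sample; the default privilege list and the $Newest limit are assumptions for illustration.

```powershell
# Added example (not from the original thread): summarise Windows Server 2003
# privilege-use audit events (577 and 578) from the Security log so that a
# privilege which produces Success audits but never Failure audits stands out.
# Assumptions: PowerShell 2.0+ (Get-EventLog, New-Object -Property), read access
# to the Security log, and event text formatted like the sample in the thread.

param(
    [string]$ComputerName = $env:COMPUTERNAME,
    # Assumed list of privileges of interest; extend as needed.
    [string[]]$Privileges = @('SeShutdownPrivilege',
                              'SeRemoteShutdownPrivilege',
                              'SeSystemtimePrivilege'),
    # Assumed cap on how many recent entries to scan.
    [int]$Newest = 2000
)

# Read the most recent Security entries and keep only privilege-use audits.
$events = Get-EventLog -LogName Security -ComputerName $ComputerName -Newest $Newest |
    Where-Object { $_.EventID -eq 577 -or $_.EventID -eq 578 }

$rows = foreach ($e in $events) {
    $msg = $e.Message

    # Every privilege named in the event text (e.g. "Privileges: SeShutdownPrivilege").
    $found = [regex]::Matches($msg, 'Se\w+Privilege') |
        ForEach-Object { $_.Value } | Sort-Object -Unique

    foreach ($p in $found) {
        if ($Privileges -notcontains $p) { continue }

        # The real caller is "Client User Name"; "Primary User Name" is the
        # account of the process that performed the check (SYSTEM in the sample).
        if ($msg -match 'Client User Name:\s*(\S+)') {
            $user = $Matches[1]
        } elseif ($msg -match 'Primary User Name:\s*(\S+)') {
            $user = $Matches[1]
        } else {
            $user = '?'
        }

        # "Object Server:" (578) or "Server:" (577) identifies the component that asked.
        if ($msg -match '(?:Object )?Server:\s*(.+)') {
            $source = $Matches[1].Trim()
        } else {
            $source = ''
        }

        New-Object PSObject -Property @{
            Time      = $e.TimeGenerated
            EventID   = $e.EventID
            Outcome   = $e.EntryType      # SuccessAudit or FailureAudit
            User      = $user
            Privilege = $p
            Source    = $source
        }
    }
}

# One line per audited privilege use, oldest first.
$rows | Sort-Object Time |
    Format-Table Time, EventID, Outcome, User, Privilege, Source -AutoSize

# Counts per privilege and outcome. A privilege with Success audits and no
# Failure audits, or a test run that left no row at all, is the gap to report.
$rows | Group-Object Privilege, Outcome |
    Select-Object Name, Count | Format-Table -AutoSize
```

Run it once as an administrator immediately after each test described in the thread (a restricted user running shutdown -r, the same user running tsshutdn, and a user attempting to change the system time) and compare the tables: the shutdown -r attempt should appear as a 578 FailureAudit with Source "Win32 Registry/SystemShutdown module", while a test that left no row is one the privilege-use auditing did not record.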




