RE: [logs] [Windows Server 2003] Per-user auditing policy

From: Eric Fitzgerald (ericfat_private)
Date: Tue Sep 09 2003 - 18:17:57 PDT


    Due to a scheduling problem we were not able to ship the per-user
    auditing management utility in the Resource Kit.
    
    Per-user auditing policy will be included in Windows XP SP2, along with
    the management utility.
    
    Direct modification of the per-user auditing policy store (registry) is
    not supported and will change in our Longhorn release; we'll document
    the APIs in the near future but we will not be documenting the format of
    the registry keys.
    
    Eric
     
    
    -----Original Message-----
    From: loganalysis-bounces+ericf=microsoft.comat_private
    [mailto:loganalysis-bounces+ericf=microsoft.comat_private] On
    Behalf Of Jean-Baptiste Marchand
    Sent: Tuesday, September 02, 2003 8:09 AM
    To: loganalysisat_private
    Subject: [logs] [Windows Server 2003] Per-user auditing policy
    
    Hello,
    
    Windows Server 2003 is supposed to contain per-user auditing facilities.
    This feature might be interesting to restrict auditing of security
    events for certain security principals.
    
    As far as I know, the documentation describing how to setup a per-user
    auditing policy has not yet been published. According to the following
    web page, it should be in the Windows Server 2003 Resource Kit:
    
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/audit_peruser.asp
    
    It seems that the per-user auditing policy is stored under the LSA
    registry key:
    
    Key: HKLM\SYSTEM\CCS\Control\Lsa\Audit\PerUserAuditing\
    
    Does anybody have more information about per-user auditing?
    
    
    Also, it seems that the current documentation of security events related
    to per-user auditing is wrong.
    
    According to:
    
    http://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/standard/520.asp
    
    the following two security events are related to per-user auditing:
    
    623 	Per user auditing policy was set for a user.
    625 	Per user audit policy was refreshed.
    
    
    However, the correct security event identifiers seem to be:
    
    806 	Per User Audit Policy was refreshed
    807 	Per user auditing policy set for user
    
    
    An example of an 806 security event follows:
    
    
    Event Type:	Success Audit
    Event Source:	Security
    Event Category:	Policy Change 
    Event ID:	806
    Date:		xx/xx/2003
    Time:		xx:xx:xx
    User:		NT AUTHORITY\SYSTEM
    Computer:	BLAH
    Description:
    Per User Audit Policy was refreshed.
     	Number of elements:	0
     	Policy ID:	(0x0,0x8D58)
    
    
    I have no example of an 807 security event, as the configuration of a
    per-user auditing policy is not known at this time...
    
    
    
    Jean-Baptiste Marchand
    --
    Jean-Baptiste.Marchandat_private
    HSC - http://www.hsc.fr/
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysisat_private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
    
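The 806 record quoted in the thread has the usual Event Viewer text-export layout: a block of "Name:<tab>value" header lines, a "Description:" line, the free-text description, then tab-indented data items. The following parser is an added example, not code from the post or from Microsoft; it reads that layout, keeps only Security events whose ID is 806 or 807 (the IDs the poster observed, not the documented 623/625), and splits the "(0x0,0x8D58)" Policy ID into its two hex values. The sample records are constructed; since the thread has no 807 example, 807 is matched on its ID alone and no field layout is assumed for it.

```python
"""Pick per-user auditing policy events (806/807) out of an Event Viewer text export.

Added example; not from the mailing-list post. Record layout follows the 806
event quoted in the thread. SAMPLE_EVENTS below is constructed test data.
"""
import re
from dataclasses import dataclass, field

# Event IDs the poster observed for per-user auditing on Windows Server 2003
# (the documentation listed 623/625, which did not match what was logged).
PER_USER_AUDIT_EVENT_IDS = {
    806: "Per User Audit Policy was refreshed",
    807: "Per user auditing policy set for user",
}

POLICY_ID_RE = re.compile(r"^\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)$")


@dataclass
class SecurityEvent:
    header: dict = field(default_factory=dict)  # Event Type, Event Source, ..., Computer
    description: str = ""                        # free-text line(s) under "Description:"
    fields: dict = field(default_factory=dict)  # tab-indented "name:<tab>value" data items

    @property
    def event_id(self) -> int:
        return int(self.header.get("Event ID", "0"))


def parse_events(text: str) -> list:
    """Parse a text export into SecurityEvent records; one record per 'Event Type:' line."""
    events = []
    current = None
    in_description = False
    for raw in text.splitlines():
        if not raw.strip():
            continue  # blank lines only separate records
        if raw.startswith("Event Type:"):
            current = SecurityEvent()  # every record starts with its Event Type line
            events.append(current)
            in_description = False
        if current is None:
            continue  # stray text before the first record
        stripped = raw.strip()
        if not in_description:
            if stripped == "Description:":
                in_description = True
                continue
            name, _, value = stripped.partition(":")  # split on the first colon only,
            current.header[name.strip()] = value.strip()  # so "Time:\t08:09:00" survives
        elif raw[0] in " \t":
            # Indented lines are the structured data items, e.g. "Policy ID:\t(0x0,0x8D58)".
            name, _, value = stripped.partition(":")
            current.fields[name.strip()] = value.strip()
        else:
            current.description = (current.description + " " + stripped).strip()
    return events


def parse_policy_id(value: str) -> tuple:
    """Split the '(0x0,0x8D58)' Policy ID string into two integers (high part, low part)."""
    m = POLICY_ID_RE.match(value.strip())
    if not m:
        raise ValueError(f"unexpected Policy ID format: {value!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


def per_user_audit_events(events: list) -> list:
    """Return (event_id, computer, number_of_elements, policy_id) for 806/807 Security events.

    Fields are looked up with .get() because the 807 record layout is not known.
    """
    hits = []
    for ev in events:
        if ev.header.get("Event Source") != "Security" or ev.event_id not in PER_USER_AUDIT_EVENT_IDS:
            continue
        elements = int(ev.fields.get("Number of elements", "0"))
        policy = parse_policy_id(ev.fields["Policy ID"]) if "Policy ID" in ev.fields else None
        hits.append((ev.event_id, ev.header.get("Computer"), elements, policy))
    return hits


# Constructed sample: the 806 record from the thread, a second 806 with a different
# Policy ID, and an unrelated (abbreviated) 528 logon record that must be ignored.
SAMPLE_EVENTS = """\
Event Type:\tSuccess Audit
Event Source:\tSecurity
Event Category:\tPolicy Change 
Event ID:\t806
Date:\t\t09/02/2003
Time:\t\t08:09:00
User:\t\tNT AUTHORITY\\SYSTEM
Computer:\tBLAH
Description:
Per User Audit Policy was refreshed.
\tNumber of elements:\t0
\tPolicy ID:\t(0x0,0x8D58)

Event Type:\tSuccess Audit
Event Source:\tSecurity
Event Category:\tLogon/Logoff
Event ID:\t528
Computer:\tBLAH
Description:
Successful Logon:
\tUser Name:\tjbm

Event Type:\tSuccess Audit
Event Source:\tSecurity
Event Category:\tPolicy Change 
Event ID:\t806
Computer:\tBLAH
Description:
Per User Audit Policy was refreshed.
\tNumber of elements:\t2
\tPolicy ID:\t(0x0,0x1A2B3)
"""

if __name__ == "__main__":
    for event_id, computer, elements, policy in per_user_audit_events(parse_events(SAMPLE_EVENTS)):
        print(f"{computer}: event {event_id} ({PER_USER_AUDIT_EVENT_IDS[event_id]}), "
              f"{elements} element(s), policy id {policy}")
```

Run against a real export (Event Viewer, Save As text), point parse_events() at the file contents; the Description text may span several lines, which the parser joins with spaces.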



    This archive was generated by hypermail 2b30 : Wed Sep 10 2003 - 18:09:37 PDT