Hello,

starting with Windows Server 2003, a Windows NT system has a default security auditing policy with the following settings:

    Audit account logon events: Success
    Audit account management: No auditing
    Audit directory service access: No auditing
    Audit logon events: Success
    Audit object access: No auditing
    Audit policy change: No auditing
    Audit privilege use: No auditing
    Audit process tracking: No auditing
    Audit system events: No auditing

To sum up, only two auditing categories are enabled:

    Audit account logon events: Success
    Audit logon events: Success

However, on a default Windows Server 2003 system, you will see, in addition to events related to these two categories (typically, 528, 538, 540, 551, 552, 680), the following security events:

- 513 (System Event) : Windows is shutting down.
- 576 (Privilege Use) : Special privileges assigned to new logon
- 612 (Policy Change) : Audit Policy Change

In all Microsoft documents I've seen (particularly, in the Windows Server 2003 Security Guide), these events are supposed to appear only if the aforementioned auditing categories are enabled.

Does anybody see the same thing on a default W2K3 system?

576 events seem to be generated when the Audit logon events category is enabled, which seems normal, as this event is logged when some special (from a security point of view) privileges are assigned to a new logon session.

513 and 612 events seem to be generated even when the security auditing policy is set to No auditing for all 9 auditing categories.

To conclude, don't be surprised to see these 3 events in a security eventlog on a default W2K3 system, even if only the two default categories are enabled...

Jean-Baptiste Marchand

--
Jean-Baptiste.Marchand@private
HSC - http://www.hsc.fr/
_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
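
The observation in the message above, turned into a log-baselining check. This is an added example, not part of the original post: it triages Security log event IDs against an audit policy so that 513, 576 and 612 are reported as known exceptions rather than as signs of a changed policy. The category names, the assignment of 528/538/540/551/552/680 to the two logon categories, the `classify`/`triage` helpers and the sample records (including the placeholder ID 9999) are assumptions of this example.

```python
# Audit categories and the default Windows Server 2003 policy listed in the post.
CATEGORIES = ["account logon", "account management", "directory service access",
              "logon", "object access", "policy change", "privilege use",
              "process tracking", "system"]
NO_AUDITING = {c: set() for c in CATEGORIES}
DEFAULT_POLICY = dict(NO_AUDITING, **{"account logon": {"success"},
                                      "logon": {"success"}})

# Event IDs named in the post. Categories for 513/576/612 are the post's own;
# the split of the other six IDs between the logon categories is an assumption.
EVENT_CATEGORY = {528: "logon", 538: "logon", 540: "logon", 551: "logon",
                  552: "logon", 680: "account logon",
                  513: "system", 576: "privilege use", 612: "policy change"}

ALWAYS_LOGGED = {513, 612}  # reported even with all nine categories at No auditing
FOLLOWS_LOGON = {576}       # reported when "Audit logon events" is enabled

def classify(event_id, outcome, policy):
    """Label one event relative to the audit policy in force."""
    category = EVENT_CATEGORY.get(event_id)
    if category is None:
        return "unmapped"            # ID not covered by this table
    if outcome in policy[category]:
        return "expected"            # its own category is audited
    if event_id in ALWAYS_LOGGED:
        return "known-exception"
    if event_id in FOLLOWS_LOGON and policy["logon"]:
        return "known-exception"
    return "unexpected"              # effective policy differs from the assumed one

def triage(records, policy):
    """Group (event_id, outcome) records by classification, keeping log order."""
    groups = {}
    for event_id, outcome in records:
        groups.setdefault(classify(event_id, outcome, policy), []).append(event_id)
    return groups

# Constructed sample records: (event ID, audit outcome). 9999 is a placeholder ID.
SAMPLE = [(528, "success"), (576, "success"), (680, "success"),
          (538, "success"), (612, "success"), (513, "success"),
          (9999, "success")]

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("no auditing", NO_AUDITING)):
        print(name, triage(SAMPLE, policy))
```

An "unexpected" result means the policy passed in does not match the one actually in effect on the host, which is the case worth investigating.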
This archive was generated by hypermail 2b30 : Thu Jun 17 2004 - 07:15:41 PDT