RE: [logs] [Windows Server 2003] Default security auditing policy

From: Eric Fitzgerald (ericf@private)
Date: Mon Jun 21 2004 - 10:20:15 PDT


    Hi Jean-Baptiste,
    
    We audit certain events regardless of audit policy.  For example, event
    517 is always generated regardless of audit policy.
    
    In addition, in Windows Server 2003, event 576 belongs to (and is
    governed by) both the Logon/Logoff and Privilege Use audit policy
    categories.
    
    We "re-tasked" event 576 for Windows Server 2003, and then had a bug in
    the RTM release.  Prior to Windows Server 2003, event 576 recorded
    privileges that were added to a token that were otherwise unaudited.
    For example, SeDebugPrivilege.  This privilege (and several others) is
    suppressed for Privilege Use auditing.
    
    In Windows Server 2003 we changed the privilege list from
    "otherwise-unaudited" privileges to "administrative" privileges, the
    privileges that could lead to compromise of the TCB.  So in Windows
    Server 2003 the 576 event means "regardless of group membership, this
    logon session has enough privilege to compromise the security system",
    or, in lay terms, "administrator logon".
    
    However in the RTM release we accidentally left in
    SeChangeNotifyPrivilege, AKA "Bypass Traverse Checking", which is not a
    privilege that can be used to compromise the TCB, and is assigned to
    Everyone by default.  We fixed this in SP1.
    
    I hope this explanation is useful to everyone.
    
    Thanks,
    Eric
    
    The above information is provided as-is, with no warranty.
    
    -----Original Message-----
    From: loganalysis-bounces+ericf=windows.microsoft.com@private
    [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private]
    On Behalf Of Jean-Baptiste Marchand
    Sent: Wednesday, June 16, 2004 5:06 AM
    To: loganalysis@private
    Subject: [logs] [Windows Server 2003] Default security auditing policy
    
    Hello,
    
    starting with Windows Server 2003, a Windows NT system has a default
    security auditing policy with the following settings:
    
    Audit account logon events: Success
    Audit account management: No auditing
    Audit directory service access: No auditing
    Audit logon events: Success
    Audit object access: No auditing
    Audit policy change: No auditing
    Audit privilege use: No auditing
    Audit process tracking: No auditing
    Audit system events: No auditing
    
    To sum up, only two auditing categories are enabled:
    
    Audit account logon events: Success
    Audit logon events: Success
    
    
    However, on a default Windows Server 2003 system, you will see, in
    addition to events related to these two categories (typically, 528, 538,
    540, 551, 552, 680), the following security events:
    
    - 513 (System Event): Windows is shutting down.
    - 576 (Privilege Use): Special privileges assigned to new logon
    - 612 (Policy Change): Audit Policy Change
    
    
    In all Microsoft documents I've seen (particularly, in the Windows
    Server 2003 Security Guide), these events are supposed to appear only if
    the aforementioned auditing categories are enabled.
    
    Does anybody see the same thing on a default W2K3 system?
    
    576 events seem to be generated when the Audit logon events category is
    enabled, which seems normal, as this event is logged when some special
    (from a security point of view) privileges are assigned to a new logon
    session.
    
    513 and 612 events seem to be generated even when the security auditing
    policy is set to No auditing for all 9 auditing categories.
    
    To conclude, don't be surprised to see these 3 events in a security
    eventlog on a default W2K3 system, even if only the two default
    categories are enabled...
    
    
    Jean-Baptiste Marchand
    -- 
    Jean-Baptiste.Marchand@private
    HSC - http://www.hsc.fr/
    _______________________________________________
    LogAnalysis mailing list
    LogAnalysis@private
    http://lists.shmoo.com/mailman/listinfo/loganalysis
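The practical consequence of Eric's explanation for anyone building detections on event 576 is that, on Windows Server 2003 RTM, every logon carries SeChangeNotifyPrivilege in that event, so "any 576 = administrator logon" produces a false positive for every user. The script below is an added example, not code from either poster or from Microsoft: it parses a few constructed 576/528 records (in a simplified key=value layout, not the real event text), discards SeChangeNotifyPrivilege, and only then decides whether the logon session holds an administrative privilege. The set named ADMIN_PRIVILEGES is an illustrative assumption standing in for Microsoft's actual list, which the thread does not enumerate; the user names and logon IDs are constructed.

```python
import re
from dataclasses import dataclass, field

# ASSUMPTION: an illustrative set of "administrative" (TCB-compromising)
# privileges. This is NOT Microsoft's actual 576 privilege list; the thread
# only names SeDebugPrivilege as one member of the family.
ADMIN_PRIVILEGES = frozenset({
    "SeDebugPrivilege",
    "SeTcbPrivilege",
    "SeLoadDriverPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
})

# Assigned to Everyone by default and wrongly included in RTM 576 events
# (fixed in SP1); it must be ignored before classifying a logon.
NOISE_PRIVILEGES = frozenset({"SeChangeNotifyPrivilege"})

# Constructed sample records in a simplified key=value layout (not the real
# Security log text). Users and logon IDs are made up.
SAMPLE_LOG = """\
EventID=576 User=CORP\\alice LogonId=(0x0,0x3E7) Privileges=SeChangeNotifyPrivilege
EventID=576 User=CORP\\bob LogonId=(0x0,0x4A12) Privileges=SeChangeNotifyPrivilege,SeDebugPrivilege,SeBackupPrivilege
EventID=528 User=CORP\\carol LogonId=(0x0,0x4B01) LogonType=2
EventID=576 User=CORP\\dave LogonId=(0x0,0x4C55) Privileges=SeDebugPrivilege
"""


@dataclass
class Event:
    event_id: int
    user: str
    logon_id: str
    privileges: frozenset = field(default_factory=frozenset)


FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Parse one key=value record into an Event; Privileges is comma-separated."""
    fields = dict(FIELD_RE.findall(line))
    privs = fields.get("Privileges", "")
    return Event(
        event_id=int(fields["EventID"]),
        user=fields["User"],
        logon_id=fields["LogonId"],
        privileges=frozenset(p for p in privs.split(",") if p),
    )


def meaningful_privileges(event):
    """Privileges left once the RTM noise (granted to Everyone) is removed."""
    return event.privileges - NOISE_PRIVILEGES


def is_admin_logon(event):
    """True when a 576 event still carries an administrative privilege
    after SeChangeNotifyPrivilege has been discarded."""
    if event.event_id != 576:
        return False
    return bool(meaningful_privileges(event) & ADMIN_PRIVILEGES)


def admin_logons(log_text):
    """(user, surviving privileges) for each 576 that really is an admin logon."""
    result = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if is_admin_logon(ev):
            result.append((ev.user, sorted(meaningful_privileges(ev))))
    return result


def naive_admin_logons(log_text):
    """The pre-SP1 trap: treat every 576 as an administrator logon."""
    users = []
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_event(line)
            if ev.event_id == 576:
                users.append(ev.user)
    return users


if __name__ == "__main__":
    print("naive :", naive_admin_logons(SAMPLE_LOG))
    print("filtered:", admin_logons(SAMPLE_LOG))
```

On the constructed sample the naive rule reports alice, bob and dave as administrator logons, while the filtered rule keeps only bob and dave, because alice's 576 carried nothing but SeChangeNotifyPrivilege. On an SP1 or later system the filter is a no-op, so it is safe to leave in place across a mixed fleet.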
    
    This archive was generated by hypermail 2b30 : Mon Jun 21 2004 - 16:48:04 PDT