Hi Jean-Baptiste,

We audit certain events regardless of audit policy. For example, event 517 is always generated regardless of audit policy.

In addition, in Windows Server 2003, event 576 belongs to (and is governed by) both the Logon/Logoff and Privilege Use audit policy categories. We "re-tasked" event 576 for Windows Server 2003, and then had a bug in the RTM release.

Prior to Windows Server 2003, event 576 recorded privileges that were added to a token that were otherwise unaudited, for example SeDebugPrivilege. This privilege (and several others) is suppressed for Privilege Use auditing.

In Windows Server 2003 we changed the privilege list from "otherwise-unaudited" privileges to "administrative" privileges, the privileges that could lead to compromise of the TCB. So in Windows Server 2003 the 576 event means "regardless of group membership, this logon session has enough privilege to compromise the security system", or, in lay terms, "administrator logon".

However, in the RTM release we accidentally left in SeChangeNotifyPrivilege, AKA "Bypass Traverse Checking", which is not a privilege that can be used to compromise the TCB, and is assigned to Everyone by default. We fixed this in SP1.

I hope this explanation is useful to everyone.

Thanks,
Eric

The above information is provided as-is, with no warranty.
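One way to apply Eric's explanation when reviewing a security log is to treat a 576 record as an "administrator logon" only if it carries some privilege other than SeChangeNotifyPrivilege, which filters out the RTM-era noise he describes. The script below is an added example and is not code from the thread or from Microsoft. It assumes a simplified "Field: value" layout for the event description, and the sample records are constructed; SeTcbPrivilege, SeBackupPrivilege and SeRestorePrivilege are real Windows privilege names, but their presence in the Windows Server 2003 576 list is assumed here for illustration only.

```python
"""Triage Windows Server 2003 event 576 ("Special privileges assigned to new
logon") records by their privilege list.

Added example, not from the mailing-list thread. All event text below is
constructed, and the field layout is an assumption for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Privilege that, per the thread, was wrongly left in the 576 list in the
# Windows Server 2003 RTM release. It is granted to Everyone by default and
# cannot be used to compromise the TCB, so on its own it is not a signal.
NOISE_PRIVILEGES = frozenset({"SeChangeNotifyPrivilege"})

# Constructed sample records (not real log captures).
SAMPLE_576_EVENTS = [
    """Special privileges assigned to new logon:
 User Name: SYSTEM
 Domain: NT AUTHORITY
 Logon ID: (0x0,0x3E7)
 Privileges: SeTcbPrivilege SeChangeNotifyPrivilege SeDebugPrivilege""",
    """Special privileges assigned to new logon:
 User Name: jdoe
 Domain: CORP
 Logon ID: (0x0,0x1A2B3)
 Privileges: SeChangeNotifyPrivilege""",
    """Special privileges assigned to new logon:
 User Name: backupsvc
 Domain: CORP
 Logon ID: (0x0,0x2C4D5)
 Privileges: SeChangeNotifyPrivilege SeBackupPrivilege SeRestorePrivilege""",
]


@dataclass(frozen=True)
class Event576:
    user: str
    domain: str
    logon_id: str
    privileges: Tuple[str, ...]


def parse_576(description: str) -> Event576:
    """Parse the assumed 'Field: value' layout into an Event576.

    Lines without a colon are ignored; the privilege list is taken to be
    whitespace-separated.
    """
    fields: Dict[str, str] = {}
    for line in description.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return Event576(
        user=fields.get("User Name", ""),
        domain=fields.get("Domain", ""),
        logon_id=fields.get("Logon ID", ""),
        privileges=tuple(fields.get("Privileges", "").split()),
    )


def sensitive_privileges(event: Event576) -> Tuple[str, ...]:
    """Return the privileges that remain after dropping the known noise."""
    return tuple(p for p in event.privileges if p not in NOISE_PRIVILEGES)


def is_admin_logon(event: Event576) -> bool:
    """True when the logon session holds any privilege beyond the noise set,
    i.e. what the thread calls an 'administrator logon' in SP1 terms."""
    return bool(sensitive_privileges(event))


def triage(descriptions: List[str]) -> List[Dict[str, object]]:
    """Parse every record and report only the ones worth a reviewer's time."""
    report: List[Dict[str, object]] = []
    for text in descriptions:
        event = parse_576(text)
        if is_admin_logon(event):
            report.append({
                "user": event.user,
                "domain": event.domain,
                "logon_id": event.logon_id,
                "privileges": sensitive_privileges(event),
            })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_576_EVENTS):
        print(f"{row['domain']}\\{row['user']} {row['logon_id']}: "
              + " ".join(row["privileges"]))
```

On an SP1 or later system every 576 record should already pass this filter, so a long run of records that it drops is itself a hint that the host is still at RTM level.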
-----Original Message-----
From: loganalysis-bounces+ericf=windows.microsoft.com@private [mailto:loganalysis-bounces+ericf=windows.microsoft.com@private] On Behalf Of Jean-Baptiste Marchand
Sent: Wednesday, June 16, 2004 5:06 AM
To: loganalysis@private
Subject: [logs] [Windows Server 2003] Default security auditing policy

Hello,

starting with Windows Server 2003, a Windows NT system has a default security auditing policy with the following settings:

Audit account logon events: Success
Audit account management: No auditing
Audit directory service access: No auditing
Audit logon events: Success
Audit object access: No auditing
Audit policy change: No auditing
Audit privilege use: No auditing
Audit process tracking: No auditing
Audit system events: No auditing

To sum up, only two auditing categories are enabled:

Audit account logon events: Success
Audit logon events: Success

However, on a default Windows Server 2003 system, you will see, in addition to events related to these two categories (typically, 528, 538, 540, 551, 552, 680), the following security events:

- 513 (System Event): Windows is shutting down.
- 576 (Privilege Use): Special privileges assigned to new logon
- 612 (Policy Change): Audit Policy Change

In all Microsoft documents I've seen (particularly, in the Windows Server 2003 Security Guide), these events are supposed to appear only if the aforementioned auditing categories are enabled.

Does anybody see the same thing on a default W2K3 system?

576 events seem to be generated when the Audit logon events category is enabled, which seems normal, as this event is logged when some special (from a security point of view) privileges are assigned to a new logon session.

513 and 612 events seem to be generated even when the security auditing policy is set to No auditing for all 9 auditing categories.

To conclude, don't be surprised to see these 3 events in a security eventlog on a default W2K3 system, even if only the two default categories are enabled...
Jean-Baptiste Marchand
--
Jean-Baptiste.Marchand@private
HSC - http://www.hsc.fr/

_______________________________________________
LogAnalysis mailing list
LogAnalysis@private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Jun 21 2004 - 16:48:04 PDT