microsoft.public.security
Affichage de l'article :
RE: Audit Privilege Use - Windows 2003 Security Guide

Date : Le 04 avril 2008
From : Gareth
Sujet : RE: Audit Privilege Use - Windows 2003 Security Guide

Hi Miles,

Thanks for your response.

I've checked that the policies are applied correctly and they are. I've also
tried your suggestion of attempting a reboot using shutdown -r, and this does
log a failed event. Unfortunately, attempting to shut down the server using
tsshutdn -reboot does not log an event. On further testing, it would appear
that shutting down the system successfully using tsshutdn does not generate a
success event either.

Changing the system time does result in a success event for the user who
changed the time but a normal user failing to change the system time is not
recorded (I know that audit setting is working properly because of the test
you provided using the shutdown command).

It would appear that the auditing for privilege use is not very reliable
(doesn't pick up some failed attempts at using privileges). Is this
recognised as a bug ? or are there some guidelines as to what this particular
type of auditing does and doesn't pick up ? (I've already read the Windows
2003 Security Guide and the Threats and Countermeasures Guide, and neither
document states that some privilege uses are not audited).

Thanks,

Gareth
"Miles Li [MSFT]" wrote:

>
> Hello Gareth,
>
> Thank you for your post.
>
> To answer your question, no, it is not correct. From my test, when using
> the non-admin user account without necessary privileges, a failure audit
> will be logged in Security event log.
>
> Here is a sample Failure Audit event when a user without system shutdown
> privilege tries to restart the computer by running 'shutdown -r' in the
> commend prompt.
>
> Failure Audit
> Event ID: 578
>
> Privileged object operation:
> Object Server: Win32 Registry/SystemShutdown module
> Object Handle: 0
> Process ID: 352
> Primary User Name: Computer_name
> Primary Domain: Domain_name
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: User_name
> Client Domain: Domain_name
> Client Logon ID: (0x0,0x4F0BA)
> Privileges: SeShutdownPrivilege
>
> Please confirm whether the related computer has successfully applied the
> audit group policy and then check whether similar Failure Audit logs are
> recorded in event log.
>
> Hope it helps. Thanks.
>
> Sincerely,
> Miles Li
>
> Microsoft Online Partner Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>

Posez vos questions, réponses et remarques sur les forums de AuthSecu