microsoft.public.security Article view: RE: Audit Privilege Use - Windows 2003 Security Guide
Date: April 4, 2008
From: Gareth
Subject: RE: Audit Privilege Use - Windows 2003 Security Guide
Hi,
Actually, my previous post wasn't quite correct: the Security Guide does
state that some privilege uses are not audited, but the shutdown or change
system time privileges aren't in the list of 'not audited events', so my
initial question stands: is this a bug or is there some further documentation
around this?
Cheers,
Gareth
"Gareth" wrote:
> Hi Miles,
>
> Thanks for your response.
>
> I've checked that the policies are applied correctly and they are. I've also
> tried your suggestion of attempting a reboot using shutdown -r, and this does
> log a failed event. Unfortunately, attempting to shut down the server using
> tsshutdn -reboot does not log an event. On further testing, it would appear
> that shutting down the system successfully using tsshutdn does not generate a
> success event either.
>
> Changing the system time does result in a success event for the user who
> changed the time but a normal user failing to change the system time is not
> recorded (I know that audit setting is working properly because of the test
> you provided using the shutdown command).
>
> It would appear that the auditing for privilege use is not very reliable
> (doesn't pick up some failed attempts at using privileges). Is this
> recognised as a bug? Or are there some guidelines as to what this particular
> type of auditing does and doesn't pick up? (I've already read the Windows
> 2003 Security Guide and the Threats and Countermeasures Guide, and neither
> document states that some privilege uses are not audited).
>
> Thanks,
>
> Gareth
> "Miles Li [MSFT]" wrote:
>
> >
> > Hello Gareth,
> >
> > Thank you for your post.
> >
> > To answer your question, no, it is not correct. From my test, when using
> > the non-admin user account without necessary privileges, a failure audit
> > will be logged in Security event log.
> >
> > Here is a sample Failure Audit event when a user without system shutdown
> > privilege tries to restart the computer by running 'shutdown -r' in the
> > command prompt.
> >
> > Failure Audit
> > Event ID: 578
> >
> > Privileged object operation:
> > Object Server: Win32 Registry/SystemShutdown module
> > Object Handle: 0
> > Process ID: 352
> > Primary User Name: Computer_name
> > Primary Domain: Domain_name
> > Primary Logon ID: (0x0,0x3E7)
> > Client User Name: User_name
> > Client Domain: Domain_name
> > Client Logon ID: (0x0,0x4F0BA)
> > Privileges: SeShutdownPrivilege
> >
> > Please confirm whether the related computer has successfully applied the
> > audit group policy and then check whether similar Failure Audit logs are
> > recorded in event log.
> >
> > Hope it helps. Thanks.
> >
> > Sincerely,
> > Miles Li
> >
> > Microsoft Online Partner Support
> > Microsoft Global Technical Support Center
> >
> > Get Secure! - www.microsoft.com/security
> > =====================================================
> > When responding to posts, please "Reply to Group" via your newsreader so
> > that others may learn and benefit from your issue.
> > =====================================================
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
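The testing approach described in this thread, as an added example that is not part of the original posts: run one privileged action at a time, export the Security-log records written during it, and flag every action whose expected privilege-use audit never appeared. The event text is abridged from the Event ID 578 sample quoted above; the test matrix, the function names and the privilege assigned to each action are assumptions made for the illustration.

```python
import re

FIELD = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")

def parse_event(text):
    """Parse one exported Security-log record (layout as quoted above) into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    event = {"Type": lines[0]}            # first line, e.g. "Failure Audit"
    for line in lines[1:]:
        m = FIELD.match(line)
        if m and m.group(2):              # skips the "Privileged object operation:" heading
            event[m.group(1)] = m.group(2)
    event["Privileges"] = event.get("Privileges", "").split()
    return event

def was_audited(test, records):
    """True if any record captured during the test shows the expected audit."""
    for ev in map(parse_event, records):
        if (ev["Type"] == test["expect"]
                and ev.get("Client User Name") == test["user"]
                and test["privilege"] in ev["Privileges"]):
            return True
    return False

# Abridged from the sample event quoted in the thread (placeholder names as posted).
EVENT_578 = """Failure Audit
Event ID: 578
Privileged object operation:
Object Server: Win32 Registry/SystemShutdown module
Client User Name: User_name
Privileges: SeShutdownPrivilege
"""

# Constructed test matrix mirroring the tests described in the thread. "records" holds
# what was exported while that one test ran; the privilege per action is an assumption.
TESTS = [
    {"action": "shutdown -r", "user": "User_name", "privilege": "SeShutdownPrivilege",
     "expect": "Failure Audit", "records": [EVENT_578]},
    {"action": "tsshutdn -reboot", "user": "User_name", "privilege": "SeShutdownPrivilege",
     "expect": "Failure Audit", "records": []},
    {"action": "change system time", "user": "User_name", "privilege": "SeSystemtimePrivilege",
     "expect": "Failure Audit", "records": []},
]

def audit_gaps(tests):
    """Return the actions whose expected privilege-use audit never appeared."""
    return [t["action"] for t in tests if not was_audited(t, t["records"])]

print(audit_gaps(TESTS))
```

Keeping the captured records separate per test matters here: two different tools exercising the same privilege would otherwise be indistinguishable in the log.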