Audit Privilege Use - Windows 2003 Security Guide

  • Thread starter Thread starter Gareth
  • Start date Start date
G

Gareth

Hello,

I'd like some clarification on auditing privilege use on Windows 2003.

I'm currently performing some security testing. On a Windows 2003 Server
within the Local Security Policy > Local Policies > Audit policy I have
enabled both success and failure auditing for 'Audit Privilege Use'. No Group
Policy is in use.

To test the setting, I have logged on to a server as an administrator, reset
the system time and performed a shutdown. The events are logged as expected.
I then log on as a non-administrative user who does not have rights to change
the system time or to shut the system down. Using the non-admin user account,
I attempt to change the system time and also attempt to shut the system down.
Nothing is logged within the security log.

The Windows Server 2003 Security Guide states 'Failed use of a user right is
an indicator of a general network problem, and can often indicate an
attempted security breach'

It would appear that the Audit Privilege Use auditing doesn't actually pick
up on people trying to perform actions for which they do not have rights, is
this correct ? So the failure auditing option would only indicate that a user
who has the required privileges have failed to use them and therefore this is
much more likely to be a configuration (or other technical) problem rather
than an attempted security violation ?

Thanks in advance for any help / thoughts offered.

Cheers,

Gareth
 
Hello Gareth,

Thank you for your post.

To answer your question, no, it is not correct. From my test, when using
the non-admin user account without necessary privileges, a failure audit
will be logged in Security event log.

Here is a sample Failure Audit event when a user without system shutdown
privilege tries to restart the computer by running 'shutdown -r' in the
commend prompt.

Failure Audit
Event ID: 578

Privileged object operation:
Object Server: Win32 Registry/SystemShutdown module
Object Handle: 0
Process ID: 352
Primary User Name: Computer_name
Primary Domain: Domain_name
Primary Logon ID: (0x0,0x3E7)
Client User Name: User_name
Client Domain: Domain_name
Client Logon ID: (0x0,0x4F0BA)
Privileges: SeShutdownPrivilege

Please confirm whether the related computer has successfully applied the
audit group policy and then check whether similar Failure Audit logs are
recorded in event log.

Hope it helps. Thanks.

Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi Miles,

Thanks for your response.

I've checked that the policies are applied correctly and they are. I've also
tried your suggestion of attempting a reboot using shutdown -r, and this does
log a failed event. Unfortunately, attempting to shut down the server using
tsshutdn -reboot does not log an event. On further testing, it would appear
that shutting down the system successfully using tsshutdn does not generate a
success event either.

Changing the system time does result in a success event for the user who
changed the time but a normal user failing to change the system time is not
recorded (I know that audit setting is working properly because of the test
you provided using the shutdown command).

It would appear that the auditing for privilege use is not very reliable
(doesn't pick up some failed attempts at using privileges). Is this
recognised as a bug ? or are there some guidelines as to what this particular
type of auditing does and doesn't pick up ? (I've already read the Windows
2003 Security Guide and the Threats and Countermeasures Guide, and neither
document states that some privilege uses are not audited).

Thanks,

Gareth
"Miles Li [MSFT]" wrote:

>
> Hello Gareth,
>
> Thank you for your post.
>
> To answer your question, no, it is not correct. From my test, when using
> the non-admin user account without necessary privileges, a failure audit
> will be logged in Security event log.
>
> Here is a sample Failure Audit event when a user without system shutdown
> privilege tries to restart the computer by running 'shutdown -r' in the
> commend prompt.
>
> Failure Audit
> Event ID: 578
>
> Privileged object operation:
> Object Server: Win32 Registry/SystemShutdown module
> Object Handle: 0
> Process ID: 352
> Primary User Name: Computer_name
> Primary Domain: Domain_name
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: User_name
> Client Domain: Domain_name
> Client Logon ID: (0x0,0x4F0BA)
> Privileges: SeShutdownPrivilege
>
> Please confirm whether the related computer has successfully applied the
> audit group policy and then check whether similar Failure Audit logs are
> recorded in event log.
>
> Hope it helps. Thanks.
>
> Sincerely,
> Miles Li
>
> Microsoft Online Partner Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
 
Hi,

Actually, my previous post wasn't quite correct, the Security Guide does
state that some privilege uses are not audited, but the shutdown or change
system time privileges aren't in the list of 'not audited events', so my
initial question stands, is this a bug or is there some further documentation
around this ?

Cheers,

Gareth

"Gareth" wrote:

> Hi Miles,
>
> Thanks for your response.
>
> I've checked that the policies are applied correctly and they are. I've also
> tried your suggestion of attempting a reboot using shutdown -r, and this does
> log a failed event. Unfortunately, attempting to shut down the server using
> tsshutdn -reboot does not log an event. On further testing, it would appear
> that shutting down the system successfully using tsshutdn does not generate a
> success event either.
>
> Changing the system time does result in a success event for the user who
> changed the time but a normal user failing to change the system time is not
> recorded (I know that audit setting is working properly because of the test
> you provided using the shutdown command).
>
> It would appear that the auditing for privilege use is not very reliable
> (doesn't pick up some failed attempts at using privileges). Is this
> recognised as a bug ? or are there some guidelines as to what this particular
> type of auditing does and doesn't pick up ? (I've already read the Windows
> 2003 Security Guide and the Threats and Countermeasures Guide, and neither
> document states that some privilege uses are not audited).
>
> Thanks,
>
> Gareth
> "Miles Li [MSFT]" wrote:
>
> >
> > Hello Gareth,
> >
> > Thank you for your post.
> >
> > To answer your question, no, it is not correct. From my test, when using
> > the non-admin user account without necessary privileges, a failure audit
> > will be logged in Security event log.
> >
> > Here is a sample Failure Audit event when a user without system shutdown
> > privilege tries to restart the computer by running 'shutdown -r' in the
> > commend prompt.
> >
> > Failure Audit
> > Event ID: 578
> >
> > Privileged object operation:
> > Object Server: Win32 Registry/SystemShutdown module
> > Object Handle: 0
> > Process ID: 352
> > Primary User Name: Computer_name
> > Primary Domain: Domain_name
> > Primary Logon ID: (0x0,0x3E7)
> > Client User Name: User_name
> > Client Domain: Domain_name
> > Client Logon ID: (0x0,0x4F0BA)
> > Privileges: SeShutdownPrivilege
> >
> > Please confirm whether the related computer has successfully applied the
> > audit group policy and then check whether similar Failure Audit logs are
> > recorded in event log.
> >
> > Hope it helps. Thanks.
> >
> > Sincerely,
> > Miles Li
> >
> > Microsoft Online Partner Support
> > Microsoft Global Technical Support Center
> >
> > Get Secure! - www.microsoft.com/security
> > =====================================================
> > When responding to posts, please "Reply to Group" via your newsreader so
> > that others may learn and benefit from your issue.
> > =====================================================
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> >
 
Hi Gareth,

Yes, I reproduced the same issue in my test environment. A failure audit
can't be created when a user without 'SeSystemtimePrivilege' privilege
attempts to change system time.

To further investigate this technical issue more efficiently, could you
please provide your valid email address so that we can contact you?


Sincerely,
Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
 
Hi Miles,

Thanks for your reply, for this issue you can use gareth.harrison at
ghtech.net.

Cheers,

Gareth

"Miles Li [MSFT]" wrote:

> Hi Gareth,
>
> Yes, I reproduced the same issue in my test environment. A failure audit
> can't be created when a user without 'SeSystemtimePrivilege' privilege
> attempts to change system time.
>
> To further investigate this technical issue more efficiently, could you
> please provide your valid email address so that we can contact you?
>
>
> Sincerely,
> Miles Li
>
> Microsoft Online Partner Support
> Microsoft Global Technical Support Center
>
> Get Secure! - www.microsoft.com/security
> =====================================================
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
 
Back
Top