Audit Privilege Use - Windows 2003 Security Guide

Gareth
Guest
Hello,

I'd like some clarification on auditing privilege use on Windows 2003.

I'm currently performing some security testing. On a Windows 2003 Server within the Local Security Policy > Local Policies > Audit policy I have enabled both success and failure auditing for 'Audit Privilege Use'. No Group Policy is in use.

To test the setting, I have logged on to a server as an administrator, reset the system time and performed a shutdown. The events are logged as expected.

I then log on as a non-administrative user who does not have rights to change the system time or to shut the system down. Using the non-admin user account, I attempt to change the system time and also attempt to shut the system down. Nothing is logged within the security log.

The Windows Server 2003 Security Guide states 'Failed use of a user right is an indicator of a general network problem, and can often indicate an attempted security breach'.

It would appear that the Audit Privilege Use auditing doesn't actually pick up on people trying to perform actions for which they do not have rights; is this correct? So the failure auditing option would only indicate that a user who has the required privileges has failed to use them, and therefore this is much more likely to be a configuration (or other technical) problem rather than an attempted security violation?

Thanks in advance for any help / thoughts offered.

Cheers,

Gareth

Miles Li [MSFT]
Guest
Hello Gareth,

Thank you for your post.

To answer your question, no, it is not correct. From my test, when using the non-admin user account without necessary privileges, a failure audit will be logged in Security event log.

Here is a sample Failure Audit event when a user without system shutdown privilege tries to restart the computer by running 'shutdown -r' in the command prompt.

Failure Audit
Event ID: 578
Privileged object operation:
Object Server: Win32 Registry/SystemShutdown module
Object Handle: 0
Process ID: 352
Primary User Name: Computer_name
Primary Domain: Domain_name
Primary Logon ID: (0x0,0x3E7)
Client User Name: User_name
Client Domain: Domain_name
Client Logon ID: (0x0,0x4F0BA)
Privileges: SeShutdownPrivilege

Please confirm whether the related computer has successfully applied the audit group policy and then check whether similar Failure Audit logs are recorded in event log.

Hope it helps. Thanks.

Sincerely,

Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

Gareth
Guest
Hi Miles,

Thanks for your response.

I've checked that the policies are applied correctly and they are. I've also tried your suggestion of attempting a reboot using shutdown -r, and this does log a failed event. Unfortunately, attempting to shut down the server using tsshutdn -reboot does not log an event. On further testing, it would appear that shutting down the system successfully using tsshutdn does not generate a success event either.

Changing the system time does result in a success event for the user who changed the time, but a normal user failing to change the system time is not recorded (I know that audit setting is working properly because of the test you provided using the shutdown command).

It would appear that the auditing for privilege use is not very reliable (doesn't pick up some failed attempts at using privileges). Is this recognised as a bug? Or are there some guidelines as to what this particular type of auditing does and doesn't pick up? (I've already read the Windows 2003 Security Guide and the Threats and Countermeasures Guide, and neither document states that some privilege uses are not audited).

Thanks,

Gareth


Gareth
Guest
Hi,

Actually, my previous post wasn't quite correct: the Security Guide does state that some privilege uses are not audited, but the shutdown or change system time privileges aren't in the list of 'not audited events', so my initial question stands: is this a bug, or is there some further documentation around this?

Cheers,

Gareth


Miles Li [MSFT]
Guest
Hi Gareth,

Yes, I reproduced the same issue in my test environment. A failure audit can't be created when a user without 'SeSystemtimePrivilege' privilege attempts to change system time.

To further investigate this technical issue more efficiently, could you please provide your valid email address so that we can contact you?

Sincerely,

Miles Li

Microsoft Online Partner Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security

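An added example, not from the thread or from Microsoft: a small Python parser for the Event ID 578 text layout Miles quoted, counting failure audits per client user and privilege, and flagging SeSystemtimePrivilege, which the thread found is not audited on failure. The sample records and user names are constructed.

```python
import re
from collections import Counter

# Failed use of this privilege was found in the thread to be unlogged on
# Windows Server 2003 even with failure auditing on.
UNAUDITED_FAILURES = {"SeSystemtimePrivilege"}

# Constructed records in the Event ID 578 layout quoted above (made-up names).
SAMPLE_LOG = """\
Failure Audit
Event ID: 578
Privileged object operation:
Object Server: Win32 Registry/SystemShutdown module
Client User Name: jdoe
Client Domain: CORP
Privileges: SeShutdownPrivilege

Success Audit
Event ID: 578
Object Server: Win32 Registry/SystemShutdown module
Client User Name: Administrator
Client Domain: CORP
Privileges: SeShutdownPrivilege
"""

def parse_events(text):
    """First line of each record is the outcome; 'Key: Value' lines become fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        fields = {"Outcome": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.partition(":")
            if sep and value.strip():  # skips value-less header lines
                fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def failed_privilege_use(events):
    """Count Event 578 failure audits per (DOMAIN\\user, privilege)."""
    counts = Counter()
    for ev in events:
        if ev.get("Event ID") == "578" and ev["Outcome"] == "Failure Audit":
            who = f"{ev.get('Client Domain')}\\{ev.get('Client User Name')}"
            counts[(who, ev.get("Privileges"))] += 1
    return counts

def blind_spots(privileges):
    """Privileges whose failed use would never appear in these events."""
    return sorted(set(privileges) & UNAUDITED_FAILURES)
```

A run of failed_privilege_use over a real export only ever shows the privileges Windows actually writes failure audits for, so blind_spots is the list to check by other means.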
Gareth
Guest
Hi Miles,

Thanks for your reply, for this issue you can use gareth.harrison at ghtech.net.

Cheers,

Gareth
