The Windows auditing subsystem was introduced in the earliest Microsoft Windows versions. It provides the ability to report auditing events for kernel- and user-mode applications and components.
In this chapter you will find information about legacy and advanced auditing settings, Windows auditing group policy settings related to auditing, auditing subsystem architecture, and security event structure.
Legacy auditing was the only available security auditing mechanism on pre-Vista Windows systems. It was not as agile as the new advanced auditing introduced in Windows Vista, but still was able to perform its function.
Legacy auditing settings can be configured using Windows group policy settings. No built-in command-line tools, such as
, were available in the pre-Vista systems for configuring local auditing settings. But the auditpol
tool was a part of the Windows 2000, XP, and 2003 resource kits. The auditpol
command-line tool was included in pre-Vista operating systems, but it was a tool for configuring per-user auditing settings only. See Chapter 10 for more information about per-user auditing.auditusr
Group policy settings for legacy auditing categories are located under the
node. You can view and edit local group policy settings using the Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesAudit Policy
management console. Figure 2-1 shows an example of legacy auditing group policy settings.gpedit.msc
Table 2-1 shows available legacy auditing categories and their descriptions.
Table 2-1: Legacy Auditing Categories
CATEGORY NAME | DESCRIPTION |
Audit account logon events | Audit NTLM-family and Kerberos protocols credential validation operations. On domain controllers this category enables Kerberos AS_REQ, TGS_REQ, and AP_REQ requests auditing. |
Audit account management | Audit user, computer, security group, distribution group, and Authorization Manager (AzMan) application group management operations. This category also provides monitoring of password hash import operations during Active Directory account migration and Password Policy Check API calls. |
Audit directory services access | Audit Active Directory object modifications, object access attempts, and replication operations. |
Audit logon events | Audit account logon, logoff, and lockout events. Provides detailed auditing for IPsec modes. Audit logon events for members of special groups (see Chapter 4 for more details) and special privileges owners (Chapter 11). Audit workstation lockouts, terminal session connections, and screensaver operations. Also enables auditing on Network Policy Servers (NPS). |
Audit object access | Audit filesystem, registry, kernel objects, handles, file shares, and filtering platform operations. Also enables auditing for Active Directory Certificate Services role operations. |
Audit policy change | Audit authorization, authentication, filtering platform, audit and Windows firewall policy changes. |
Audit privilege use | Audit use of sensitive and nonsensitive privileges. |
Audit process tracking | Audit process creation, termination, and Data Protection API (DPAPI) operations. |
Audit system events | Audit security-related changes and operations, IPsec driver events, Windows firewall service and driver events, Windows startups, and system time changes. |
Auditing settings are stored in the Local Security Authority (LSA) policy database. The LSA policy database is located in the
registry key. Auditing settings are stored in the HKLMSECURITYPolicy
value of the Default
registry key. These settings can be configured locally or through Active Directory group policy, if the machine is joined to the domain.HKLMSECURITYPolicyPolAdtEv
Events generated in the Windows security event log by legacy auditing categories have ID numbers that are between 500 and 900. Legacy auditing events are available only in pre-Vista Windows operating systems. In more recent Windows versions, legacy events are replaced by new events with event ID numbers between 4000 and 7000.
Legacy auditing policies can be set to one of the following states:
Audit Success
events are generated.Audit Failure
events are generated.Audit Success
and Audit Failure
events are generated.Legacy auditing settings “tattoo” the registry, which means that they are applied directly to auditing subsystem registry keys, not to temporal group policy keys.
This book does not go any deeper into legacy auditing settings and events because modern Windows systems have advanced auditing settings available, which allows for configuring more granular auditing settings using subcategories. There is no real value in using legacy audit settings on modern Windows versions. Later in this book you will find information about relationships between legacy and advanced auditing settings on modern Windows systems and how they affect each other.
Prior to Windows Server 2008 and Windows Vista it was difficult to exclude unneeded events from auditing. This was because auditing included nine categories and, for example, if you enabled Object Access auditing it would start to collect data for registry, file system, file share, and other object operations. However, in most cases you don't need to audit all of those.
Advanced audit introduced subcategories for each of the nine legacy categories, and you can configure them to include or exclude security events. The general category names were also changed in comparison with legacy auditing.
Advanced audit settings can be configured using group policy settings for operating system versions starting from Windows 7 or Windows Server 2008 R2. Auditing settings can also be configured using the built-in
application, which was included in all operating systems by default starting from Windows Vista and Windows Server 2008. The auditpol
tool is the only available option to configure advanced audit settings on the Windows Vista and Windows Server 2008 operating systems. The auditpol
tool is the only method to directly read audit settings from the Local Security Authority database.auditpol
Group policy settings for advanced audit categories were first introduced for Windows 7 and Windows Server 2008 R2 systems. They are located under the
node. Figure 2-2 shows an example of advanced audit group policy settings.Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit Policies
You will find detailed explanations of each advanced audit subcategory and recommendations for workstations, servers, and domain controllers in Chapter 3.
Advanced audit subcategories can be set to one of the following states:
Audit Success
events are generated.Audit Failure
events are generated.Audit Success
and Audit Failure
events are generated.Each advanced audit category and subcategory has its own global unique identifier (GUID). These GUIDs are consistent among all Microsoft Windows versions. All GUIDs have the following format:
XXXXXXXX
-797A-11D9-BED3-505054503030
, where XXXXXXXX
is different for each category.XXXXXXXX
-69AE-11D9-BED3-505054503030
, where XXXXXXXX
is different for each subcategory.To view all GUIDs for categories and subcategories use the following command in the Administrator ➪ Command Prompt window:
. Figure 2-3 shows an example of the auditpol /list /subcategory:* /v
command output.auditpol /list
The Windows group policy editor (
) has the ability to import and export advanced audit policy settings. Import and export menu items are available in the context menu of the gpedit.msc
node.Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit Policies
The following sections cover different methods for configuring advanced audit settings on a machine.
If advanced audit settings are changed in the local group policy, the following file is modified:
%WINDIR%system32grouppolicymachinemicrosoftwindows ntauditaudit.csv
If no advanced audit settings were applied to the system before, the audit.csv file will be created. The
folder is hidden. To view it in the Windows File Explorer, enable the “Show hidden files, folders, and drives” option in the Folder Options.grouppolicy
Figure 2-4 shows an example of the
file content.audit.csv
The
column should always be empty.Machine Name
The
column shows which auditing settings are set for a specific subcategory.Inclusion Settings
The
column was designed for use with per-user auditing policies, but because per-user policies don't have group policy settings to configure them, this column is always empty.Exclusion
The
column shows a numeric value associated with the Setting Value
column value:Inclusion Setting
After the
file is created/modified, it is merged with the local advanced audit settings in the Local Security Authority (LSA) policy database. LSA policy database is located in the audit.csv
registry key. Auditing settings are stored in the HKLMSECURITYPolicy
value of the Default
registry key. The existing setting for the subcategory will be replaced by the settings from the local group policy, except those set to “Not Configured” in group policy.HKLMSECURITYPolicyPolAdtEv
Advanced audit settings modification using domain group policy is similar to the process for local group policy that was explained in the previous section. After domain policy is applied, group policy settings are copied locally to the
folder. Each group policy has its own folder in this directory, named by its group policy GUID. The group policy folder, if any advanced audit settings were enabled, has a %WINDIR%GroupPolicyDataStore sysvolDOMAIN_NAMEPolicies
file in it. Here is an example of the group_policy_foldermachinemicrosoftwindows ntauditaudit.csv
path for one of the group policies applied to the machine in the lab domain:audit.csv
C:WindowsSystem32GroupPolicyDataStore sysvolhqcorp.localPolicies{6AC1786C-016F-11D2-945F-00C04fB984F9}MachineMicrosoftWindows NTAuditaudit.csv
The
file has the same structure as discussed in the “Set Advanced Audit Settings via Local Group Policy” section.audit.csv
After the
file is created/modified, it is also merged with the local advanced audit settings in the Local Security Authority (LSA) policy database. The process is the same as for local group policy.audit.csv
The only way to modify advanced audit settings in the LSA Policy Database using built-in Windows tools is to use
, which directly communicates with it.auditpol
To modify auditing settings for a subcategory, you need to execute the following command:
auditpol /set /subcategory:SUBCATEGORY_GUID_OR_NAME {options}
This command should be executed in an elevated command-line processor, not PowerShell. You already know how to find a GUID for a subcategory. The
section can have two parameters:{options}
/success:
Enable success auditing setting/failure:
Enable failure auditing settingThese two parameters may have one of the following two values assigned:
enable:
Enable settingdisable:
Disable settingFor example, if you need to enable Success auditing and disable Failure auditing (assuming it was enabled) for the Logoff subcategory, you may use one of the following commands:
auditpol /set /subcategory:{0CCE9216-69AE-11D9-BED3-505054503030} /success:enable /failure:disable
auditpol /set /subcategory:"Logoff" /success:enable /failure:disable
It is also possible to change settings for multiple subcategories by listing them one after another, separated by a comma:
. This works only for GUIDs, not for subcategory names./subcategory:{0CCE9216-69AE-11D9-BED3-505054503030},{0CCE9240-69AE-11D9-BED3-505054503030}
The only way to get current advanced audit settings directly from a local LSA Policy Database using built-in Windows tools is to use the
tool, which directly queries information from it.auditpol
You can use the following command to get current settings:
auditpol /get /category:*
The new “Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings” group policy setting was introduced for the Windows Vista and Windows Server 2008 operating systems, which enforce the use of new advanced audit subcategories instead of legacy categories.
This group policy setting is located under the Computer
group policy path. If it is enabled, legacy audit settings do not affect advanced audit subcategories settings. This group policy setting is enabled by default. It modifies the ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
registry key's HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
value.scenoapplylegacyauditpolicy
Possible values:
Table 2-2 contains a dependency scheme between legacy and advanced audit categories for operating systems starting from Windows Vista and Windows Server 2008.
Table 2-2: Dependency between Legacy Audit and Advanced Audit Categories
LEGACY CATEGORY | ADVANCED CATEGORY |
Audit account logon events | Account Logon |
Audit account management | Account Management |
Audit directory services access | DS Access |
Audit logon events | Logon/Logoff |
Audit object access | Object Access |
Audit policy change | Policy Change |
Audit privilege use | Privilege Use |
Audit process tracking | Detailed Tracking |
Audit system events | System |
For example, if the “Audit policy change” category is enabled for Success in legacy audit settings and some additional requirements (discussed in the following section) are met to permit the use of legacy settings, then all subcategories under the Policy Change advanced category will be enabled for Success auditing.
Two main requirements must be satisfied to switch from advanced audit back to legacy audit:
Audit.csv
file in the local group policy folder (%WINDIR%system32grouppolicymachinemicrosoftwindows ntaudit
).If you need to set a subcategory to the “disabled state”, you can use one of the following options:
auditpol /set /subcategory:SUBCATEGORY_GUID_OR_NAME /failure:disable /success:disable
command to disable success and failure auditing for a specific subcategory.auditpol /clear
command to set all subcategories to the “disabled” state.To switch from legacy audit back to advanced audit, perform the following steps:
Audit.csv
file in the local group policy folder (%WINDIR%system32grouppolicymachinemicrosoftwindows ntaudit
) must exist. It can even be an empty file.Multiple additional group policy settings are related to the Windows auditing subsystem. In this section you will find detailed information about them.
The “Manage auditing and security log” group policy setting controls the
user privilege assignment . If an account or group is added to this group policy setting, the account or group members will have SeSecurityPrivilege
user privilege on the host.SeSecurityPrivilege
allows managing the security event log, which allows viewing the log, changing the size of the log, clearing the log, and so on. It also allows viewing or setting an object's System Access Control List (SACL). SACL is used to store auditing settings for an object. The object in this case is any auditable object, such as registry keys, files or folders, processes, threads, and so on.SeSecurityPrivilege
This group policy setting is located at the following path:
.Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment
See Chapter 11 for more information about user rights and privileges.
The “Generate security audits” group policy setting controls the
user privilege assignment to the accounts on the machine.SeAuditPrivilege
allows adding records to the security event logs. This privilege is required to use the SeAuditPrivilege
function from ReportEvent()
. Event reporting functions are discussed in the “Windows Auditing Event Flow” section later in this chapter.AdvApi32.dll
This group policy setting is located at the following path:
.Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesUser Rights Assignment
Security auditing policy has its own security descriptor that controls access to it. To view it, use the
command. The security descriptor is stored as a Security Descriptor Definition Language (SDDL) string. It contains only Discretionary Access Control List (DACL) Access Control Entries (ACEs) (auditpol /get /sd
section). DACL contains information about access permissions set on an object. See Chapter 10 for more information about SDDL. Here is an example of an audit policy security descriptor for Windows 10:D:
D:(A;;DCSWRPDTRC;;;BA)(A;;DCSWRPDTRC;;;SY)
A:
Allow access ACE typeDCSWRPDTRC:
DC:
Delete All Child ObjectsSW:
All Validated WritesRP:
Read All PropertiesDT:
Delete SubtreeRC:
Read PermissionsBA:
BUILTINAdministrators groupSY:
Local System accountBy default, the preceding security descriptor is set for the local security auditing policy on all Windows versions starting with Windows Vista.
You can set the security descriptor for the local auditing policy using the auditpol /set /sd:
command.DESCRIPTOR_SDDL_STRING
To view or set the security descriptor for the local auditing policy using the
tool, the account must have the auditpol
.SeSecurityPrivilege
There is no group policy setting you can use to set the local auditing policy security descriptor. It is stored in the following registry key:
, with a value of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsaAuditAuditPolicy
.AuditPolicySD
If this group policy setting is enabled, it causes the system to stop if a security audit event cannot be logged for any reason. It is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log them.
This policy modifies the following registry key:
, with a value of HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
. Possible values are:crashonauditfail
0:
Disabled1:
EnabledIt is also possible to modify the
value using the crashonauditfail
command:auditpol
auditpol /set /option:CrashOnAuditFail /value:disable
auditpol /set /option:CrashOnAuditFail /value:enable
If the
registry key value is modified, the event shown in Listing 2-1 is generated in the security event log.crashonauditfail
The 4906 event shows the new value for the
registry key value.crashonauditfail
If, for example,
is set to crashonauditfail
and the security event log retention method is set to “Do not overwrite events ( Clear logs manually ),” and the event log reaches its maximum size, then the system will stop and the screen shown in Figure 2-5 will appear (Windows Server 2016).1
Stop code 0xc0000244 has the following meaning: {Audit Failed} An attempt to generate a security audit failed.
The group policy setting path is
.Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
Protected Event Logging is a new feature that allows Windows components and applications to encrypt their event logs using the Cryptographic Message Syntax (CMS) standard and asymmetric cryptography. For now the only application that supports protected event logging in Windows is PowerShell v5 and higher. Using this feature, PowerShell can write encrypted events in the PowerShell event log.
To enable this feature, you need to provide a certificate with a public key that will be used for encryption. Then you can use the
PowerShell cmdlet to decrypt the event log.Unprotect-CmsMessage
The “Protected Event Logging” group policy setting is supported only by Windows 10 and Windows Server 2016. It is located at the following group policy path:
.Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsEvent Logging
The “Audit: Audit the use of Backup and Restore privilege” group policy setting allows you to enable full privilege use auditing, which includes the
and SeBackupPrivilege
privileges. Enabling it can cause a lot of heavy event logging. This group policy setting is explained in more detail in Chapter 11.SeRestorePrivilege
The associated registry value is
, HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
. Possible values:fullprivilegeauditing
40:
Disabled41:
EnabledThe group policy setting path is
.Computer ConfigurationPoliciesWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
The “Audit: Audit the access of global system objects” group policy setting works in conjunction with the “Audit object access” auditing subcategory setting. It enables default SACL on global system objects.
Global system objects are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor; but typically, they do not have a SACL assigned. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they are created. This policy setting does not affect container objects.
Usually, detailed access monitoring of access requests to global system objects, such as mutexes and semaphores, is not required and also generates a high volume of events.
This group policy setting is located at the following path:
.Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options
The associated registry value is
, HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa
. Possible values are:auditbaseobjects
0:
Disabled1:
EnabledThe “Audit: Audit the access of global system objects” policy setting discussed earlier does not enable auditing for global system container objects. Container objects might contain other global system objects. You can modify the
registry key value in order to enable this default SACL on global system container objects. Possible values for this key are:HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa, auditbasedirectories
0:
Disabled1:
EnabledThe Windows Event Log service has its own settings for the security event log. These settings are stored in the local registry under the
registry key. Some of the settings also have group policy settings associated with them and can be configured using event log properties in the Event Viewer application (Figure 2-6).HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogSecurity
The group policy settings are located under the following group policy path:
.Computer Configuration PoliciesAdministrative TemplatesWindows ComponentsEvent Log ServiceSecurity
The following sections discuss the most common security event log settings.
You can use two group policy settings to change the maximum security event log file size:
Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsEvent Log ServiceSecuritySpecify the maximum log file size (KB)
Computer ConfigurationPoliciesWindows SettingsSecurity SettingsEvent LogMaximum security log size
These group policy settings allow you to configure the maximum size of the security event log file. The size is specified in kilobytes and should be between 1,028 kilobytes (1.07 megabyte) and 2,147,483,647 kilobytes (2 terabytes). The group policy interface for the “Specify the maximum log file size (KB)” setting does not allow you to set a value smaller than 20,480 kilobytes for this setting. The group policy interface for the “Maximum security log size” setting allows you to specify the range for the log size from 64 KB to 4,194,240 KB. If you set the size to any value between 64 KB and 1,028 KB, it will be recorded in the registry as 1,028 KB.
If both the “Specify the maximum log file size (KB)” and “Maximum security log size” settings are set in the same group policy, the “Specify the maximum log file size (KB)” setting has higher priority.
The default security event log size for Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, and Windows Server 2008 R2 is 128 MB (131,072 KB).
The default security event log size for Windows Server 10, Windows 8.1, Windows 8, and Windows 7 is 20 MB (20,480 KB).
These defaults are usually not enough to store security events for a long period of time. Your security monitoring policies determine how long the events should be stored on the machine after they are generated. It also depends on whether you are using a centralized event collection and storage solution.
The associated registry value for these policy settings is
, HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogSecurity
. The size specified in bytes.MaxSize
The associated event log properties setting is
(refer to Figure 2-6).Log size
This group policy setting allows you to configure overwrite policy for events in the security event log. By default new events overwrite the oldest events in the log, but you can change this behavior and control it by enabling this policy setting.
The associated registry value is
, HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogSecurity
. Possible values are:Retention
0:
Disabled0xffffffff:
EnabledThe path to this group policy setting is
.Computer ConfigurationPoliciesWindows SettingsSecurity SettingsEvent Log
If this policy is disabled, new security events overwrite the oldest events. This is the default setting for all recent Windows versions.
If this policy is enabled, then depending on the “Back up log automatically when full” group policy setting (
registry key value), the AutoBackupLogFiles
security event log retention method will be configured (refer to Figure 2-6):AutoBackupLogFiles
AutoBackupLogFiles = 1:
After the event log file is full, it is automatically archived and the current security log is cleared.
The associated event log properties setting is “Archive the log when full, do not overwrite events”.
AutoBackupLogFiles = 0:
After the event log file is full, all new events will be lost.
The associated event log properties setting is “Do not overwrite events (Clear logs manually)”.
This group policy setting allows the Windows event log service to back up a security event log file after the current file reaches its maximum size. For this policy setting to take effect, the “Control event log behavior when the log file reaches its maximum size” group policy setting should be enabled.
Archived security event log files are stored at the same location as the original file and named using the following convention:
Archive-
FILENAME
-
YYYY
-
MM
-
DD
-
hh
-
mm
-
ss
-
, where:msec
FILENAME
is the name of the original log file without a file type extension.msec
is the first three digits of the number of milliseconds in the file's creation timestamp.The
expression shows the time when event log file was archived. The time used in the filename is always in UTC+0/GMT time zone. Here is an example of archived log file name: YYYY-MM-DD-hh-mm-ss-msec
.Archive-Security-2017-07-22-10-20-21-127.evtx
Each time the event log is archived, it is cleared and the event shown in Listing 2-2 is recorded in the log right after it was archived.
The 1105 event shows the name of the log that was archived (
) and the full path for the archive file (Log
).File
The associated registry value is
. Possible values are:HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogSecurity, AutoBackupLogFiles
0:
Disabled1:
EnabledThe associated event log properties setting is the
(refer to Figure 2-6).Log path
The path to this group policy setting is
.Computer ConfigurationPoliciesWindows SettingsSecurity SettingsEvent Log
This group policy setting allows you to specify the path and filename for a security log file. If this setting is disabled or not configured, the file is stored in the default location:
.%SystemRoot%System32WinevtLogsSecurity.evtx
It is recommended that you use the standard
extension in the filename, but the file extension can be set to any value—even a file without an extension can be specified..evtx
Only local filesystem paths are allowed; any UNC (
) or \
paths will be ignored and the default path will be used.File:\
The associated registry value is
, HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogSecurity
.File
The associated event log properties setting is “Archive the log when full, do not overwrite events” (refer to Figure 2-6).
The path to this group policy setting is
.Computer ConfigurationPoliciesWindows SettingsSecurity SettingsEvent Log
Security event log security descriptor can be configured using the “Configure log access” group policy setting. But starting from Windows 10 and Windows Server 2016 the new “Configure log access (legacy)” policy setting was introduced. The path to this group policy setting is
.Computer ConfigurationPoliciesWindows SettingsSecurity SettingsEvent Log
Table 2-3 shows differences between operating system versions for security event access control settings.
Table 2-3: Security Event Log Access Control Policies
OPERATING SYSTEM | “CONFIGURE LOG ACCESS” REGISTRY VALUE | “CONFIGURE LOG ACCESS (LEGACY)” REGISTRY VALUE |
Pre-Windows 10 and pre-Windows Server 2016 | ,
|
Group policy setting does not exist |
Windows 10 and Windows Server 2016 | ,
|
,
|
For Windows 10 and Windows Server 2016 it is recommended to set both policies for maximum application compatibility.
The “Configure log access” and “Configure log access (legacy)” group policy settings allow you to modify access rights for the security event log. The value for these group policy settings should be in Security Descriptor Definition Language (SDDL) format. SDDL format is described in Chapter 10.
To view current security event log security descriptor on the machine, use the
command. The parameter that contains the SDDL string for the security descriptor is wevtutil gl security
. Figure 2-7 shows an example of the output for the channelAccess
command on a Windows Server 2016 machine.wevtutil gl security
Let's decode the SDDL string shown in Figure 2-7: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
O:BA:
Owner of the object (security event log) is Built-in Administrators (BA) groupG:SY:
Primary group is Local System (SY)D::
The beginning of DACL section(A;;0xf0005;;;SY)
A:
Allow access ACE type0xf0005:
Full accessSY:
Local System account(A;;0x5;;;BA)
A:
Allow access ACE type0x5:
Read, ClearBA:
BUILTINAdministrators group(A;;0x1;;;S-1-5-32-573)
A:
Allow access ACE type0x1:
ReadS-1-5-32-573:
BUILTINEvent Log Readers groupTable 2-4 contains information about event log access permissions that may help you to understand SDDL ACEs.
Table 2-4: Event Log Access Rights
HEXADECIMAL VALUE | ACCESS RIGHT |
0x1 | Read |
0x2 | Write |
0x4 | Clear |
0xf0000 | Full Access |
The default value for security event log security descriptor depends on the operating system version. For all Windows versions starting from Windows Vista and Windows Server 2008 the default security descriptor is always the same as shown in Figure 2-7:
Any Write (
) access permissions in the security event log security descriptor are ignored, because write access to the security event log is controlled by the 0x2
(“Generate security audits” group policy setting).SeAuditPrivilege
The registry key value
, HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesEventLogSecurity
is used to allow or deny security event log Read access for Guests group members and the ANONYMOUS account. This registry key can be configured using the “Prevent local guests group from accessing security log” group policy setting, which is located in the RestrictGuestAccess
group policy path. This group policy modifies the Computer ConfigurationPoliciesWindows SettingsSecurity SettingsEvent Log
registry key value, but this change has no effect on systems beginning with Windows Vista and Windows Server 2008. The security descriptor for the security event log does not change on these systems when the RestrictGuestAccess
registry key value is modified.RestrictGuestAccess
The Windows auditing subsystem is distributed between Windows kernel-mode and user-mode components. Both modes have components that report auditing events, which is why the auditing subsystem is present in both modes—this prevents switching between modes.
Two main flows in the auditing subsystem involve multiple components to support main auditing functionality:
The following sections discuss the event and policy flow components.
Figure 2-8 shows the policy flow components and interactions between them. The numbers in the figure match the step numbers in the discussions that follow.
An auditing policy management application, such as
, Group Policy Editor (auditpol.exe
), or domain policy processing (Group Policy Client service), invokes auditing-related functions in gpedit.msc
(Advanced API) to set or read auditing policy settings. The following functions might be used to set or get current auditing policy settings:advapi32.dll
LsaSetInformationPolicy (PolicyAuditEventsInformation):
Set auditing settings for the host.LsaQueryInformationPolicy (PolicyAuditEventsInformation):
Get current auditing settings for the host.AuditSetPolicy:
Set auditing settings for the host.AuditQueryPolicy:
Get current auditing settings for the host.Some differences in the process take place prior to Step 1 related to processing of legacy and advanced audit policies involving the
file. These differences are explained later in this section.audit.csv
This route is shown as a dotted line and filled circles in Figure 2-8.
Step 1. The
and LsaSetInformationPolicy
functions interact with the RPC legacy policy interface in the LsaQueryInformationPolicy
process to perform a function call.LSASS.exe
Step 2. Changes or information queries are performed against the LSA policy database through the RPC legacy policy interface. The LSA policy database is located in the
registry key. Auditing settings are stored in the HKLMSECURITYPolicy
value of the Default
registry key.HKLMSECURITYPolicyPolAdtEv
Step 3. Policy changes are then sent to the RPC GAP interface which, as part of Step 4, informs the Format & Policy component about the change.
Step 5. The Format & Policy component acts as an intermediate agent between LSASS (user mode) and another Format & Policy component in the NTOSKRNL process. Communications between them are performed via Asynchronous Local Inter-Process Communication (ALPC) tunnels, which are discussed in Chapter 4. At this step, the LSASS process informs the NTOSKRNL process about policy changes.
, also known as the System process, contains Windows kernel functions. Inside of this process there is a Security Reference Monitor (Se) module, which provides security-related routines, such as NTOSKRNL.exe
and SeAccessCheck
. The SeAudit
routine implements audit and alarm procedures and contains the Format & Policy component.SeAudit
Step 6. Changes are replicated to the kernel mode cached copy of the auditing settings (PolAdtEv key) from the LSA Policy Database.
This route is shown as a solid line and white circles in Figure 2-8.
Step 1. The
and AuditSetPolicy
functions interact with the RPC GAP interface in the AuditQueryPolicy
process to perform a function call.LSASS.exe
Steps 2–3. A change request or information query is sent to the LSA Policy Database through RPC legacy policy interface.
Steps 4–6. These steps are the same as steps 4–6 for the
and LsaSetInformationPolicy
functions.LsaQueryInformationPolicy
Figure 2-9 shows the event flow components and interactions between them.
Multiple components report security events in both kernel and user modes. In Figure 2-9 these reporting methods and components are numbered using white circles and dotted lines:
AuthZ.dll
library to report a security event. LSASS.exe
has the RPC audit interface, which handles requests from these functions.AuthZ.dll
functions, such as the AuthzReportSecurityEvent
or AuthzReportSecurityEventFromParams
functions, to report a security event. LSASS.exe
has the RPC audit interface, which handles requests from these functions.NTDLL.dll
NT*AuditAlarm
functions, such as NtOpenObjectAuditAlarm
or NtPrivilegeObjectAuditAlarm
. These function calls are handled by the Format & Policy component in the Security Reference Monitor's SeAudit
routine.SeReportSecurityEvent
or SeReportSecurityEventWithSubCategory
. These routine calls are handled by the Format & Policy component in the Security Reference Monitor's SeAudit
routine.There are two main event flows: events reported to
and events reported to LSASS.exe
. The following sections discuss both of them.NTOSKRNL.exe
User-mode Windows components and regular applications report security events using
functions. These functions invoke the RPC audit interface in the LSASS process. The steps that occur after RPC audit interface receives a call from one of the AuthZ.dll
functions are shown in Figure 2-9 using dark circles with numbers inside.AutZ.dll
Step 1. The RPC audit interface redirects requests to the Format & Policy module, which was discussed earlier.
Step 2. There are two main methods that LSASS may use to send an event to the Windows Event Log service for further processing:
AdvApi32.dll
uses the ReportEvent()
function.NTDLL.dll
uses Event Tracing for Windows (ETW) user-mode private APIs to send an event to the kernel-mode ETW component for further processing.Step 5. Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers. ETW is implemented in the Windows operating system and provides developers a fast, reliable, and versatile set of event tracing features. ETW functionality is implemented as a kernel-mode component of the
process. ETW queues events and spools them to the Windows Event Log service as fast as the service will accept them.NTOSKRNL.exe
Step 6. The Windows Event Log service writes events to the security event log.
Step 7. Event monitoring applications, such as Windows Event Viewer, may use public
APIs, such as the AdvApi32.dll
and OpenEventLog
functions, to query the security event log through the Windows Event Log service.ReadEventLog
Kernel-mode security event reporting functionality is implemented in the
process. This section discusses the steps that occur after the Format & Policy kernel component receives a call from one of the functions. These steps are shown in Figure 2-9 using dark circles with letters inside.NTOSKRNL.EXE
Step A. An audit event generation call is sent to the event queue. The event queue is implemented as a separate thread and performs event generation. If the queue is full, the component that sent an event generation call will be blocked until the queue can process new events.
Step B. After an event is processed it goes to the separate dequeuing thread.
Step C. The dequeuing thread sends the event to ETW or LSASS for further processing. Most of the time ETW is used, which does not require switching between kernel and user modes.
Each security event has the following XML structure:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name=" " Guid=""/>
<EventID></EventID>
<Version></Version>
<Level></Level>
<Task></Task>
<Opcode></Opcode>
<Keywords></Keywords>
<TimeCreated SystemTime=""/>
<EventRecordID></EventRecordID>
<Correlation/>
<Execution ProcessID="" ThreadID=""/>
<Channel> </Channel>
<Computer> </Computer>
<Security/>
</System>
<EventData>
<Data Name=""> </Data>
</EventData>
</Event>
The root
section contains all elements of the event schema and the <Event>
parameter that contains the version of the event's schema. All recent Windows operating system versions have the xmlns
schema version.schemas.microsoft.com/win/2004/08/events/event
Within the
section there are two main elements:<Event>
<System>:
Contains a list of elements defined in the event's schema for this section. The elements within the <System>
section are the same for all events with the schemas.microsoft.com/win/2004/08/events/event
schema version. You will find detailed information for each element within this section later in this section.<EventData>:
Contains various <Data></Data>
elements that define event-specific data fields. Each event has its own set of <Data></Data>
elements:<Data></Data>
element defines a data field within an event. The Name
parameter contains a data field name. The value of the parameter is shown within the <Data></Data>
element. For example, Security ID parameter
from Subject section with value S-1-5-18 is defined in the event as <Data Name="SubjectUserSid">S-1-5-18</Data>
.The remainder of this section discusses each event's element.
The
section contains information about the Event Tracing for Windows (ETW) provider that reported this security event. Event providers publish events to event logs. Providers are registered with the ETW subsystem, which handle all events and publishes requests from them. The <Provider />
section has two parameters:<Provider />
Each event Provider has a name and unique identifier (GUID) associated to it. To list all event Providers registered with the ETW subsystem you can use the following command:
. Figure 2-10 shows an example of the output of this command.logman query providers
The default Windows security auditing provider is Microsoft-Windows-Security-Auditing. Its GUID is
.{54849625-5478-4994-A5BA-3E3B0328C30D}
The
section contains the event ID number.<EventID></EventID>
The
section contains a version number of the event. If the schema of the specific event was changed, a new version of the event is created with a new version number. Previous event versions are stored for backward compatibility. The event version number starts with 0. Table 2-5 contains Windows 10 and Windows Server 2016 security events that have more than one version.<Version></Version>
Table 2-5: Security Events with Version 1 and Version 2
EVENT ID | VERSION | NEW VERSION INTRODUCED | CHANGES SINCE PREVIOUS VERSION |
5140 | 1 | Windows Server 2008 R2, Windows 7 |
Added fieldAdded fieldAdded field
|
4656 | 1 | Windows Server 2012, Windows 8 |
Added fieldAdded field
|
4663 | 1 | Windows Server 2012, Windows 8 | Added field |
5156 | 1 | Windows Server 2008 R2, Windows 7 |
Added fieldAdded field
|
5157 | 1 | Windows Server 2008 R2, Windows 7 |
Added fieldAdded field
|
4616 | 1 | Windows Server 2008 R2, Windows 7 | Added section |
6416 | 1 | Windows Server 2016, Windows 10 [Build 1511] |
Added fieldAdded fieldAdded field
|
5632 | 1 | Windows Server 2008 R2, Windows 7 |
Added fieldAdded fieldAdded field
|
4688 | 1 | Windows Server 2012 R2, Windows 8.1 | Added field |
2 | Windows Server 2016, Windows 10 | section renamed to
Added sectionAdded fieldAdded field
|
|
4624 | 1 | Windows Server 2012, Windows 8 | Added field |
2 | Windows Server 2016, Windows 10 |
Added section field moved to sectionAdded fieldAdded fieldAdded fieldAdded fieldAdded fieldAdded field
|
Security events that are not listed in Table 2-5 have only one version: 0.
The
section contains the event priority-level code. Table 2-6 contains a list of available event priority-level codes.<Level></Level>
Table 2-6: Event Priority Level Codes
LEVEL NAME | VALUE | DESCRIPTION |
Verbose | 5 | Identifies a detailed trace event |
Informational | 0 or 4 | Identifies a nonerror event such as dynamic link library loading |
Warning | 3 | Identifies a warning event such as long group policy processing time |
Error | 2 | Identifies a severe error event |
Critical | 1 | Identifies an abnormal exit or termination event |
The
section contains the decimal code of the task category (auditing subcategory) to which the generated event belongs. Table 2-7 contains a list of task codes for all advanced audit subcategories.<Task></Task>
Table 2-7: Advanced Auditing Subcategories Task Category Numbers
CATEGORY | SUBCATEGORY | DECIMAL | HEX |
System | Security State Change | 12288 | 0x3000 |
Security System Extension | 12289 | 0x3001 | |
System Integrity | 12290 | 0x3002 | |
IPsec Driver | 12291 | 0x3003 | |
Other System Events | 12292 | 0x3004 | |
Logon/Logoff | Logon | 12544 | 0x3100 |
Logoff | 12545 | 0x3101 | |
Account Lockout | 12546 | 0x3102 | |
IPsec Main Mode | 12547 | 0x3103 | |
Special Logon | 12548 | 0x3104 | |
IPsec Extended Mode | 12549 | 0x3105 | |
IPsec Quick Mode | 12550 | 0x3106 | |
Other Logon/Logoff Events | 12551 | 0x3107 | |
Network Policy Server | 12552 | 0x3108 | |
User/Device Claims | 12553 | 0x3109 | |
Group Membership | 12554 | 0x310A | |
Object Access | File System | 12800 | 0x3200 |
Registry | 12801 | 0x3201 | |
Kernel Object | 12802 | 0x3202 | |
SAM | 12803 | 0x3203 | |
Other Object Access Events | 12804 | 0x3204 | |
Certification Services | 12805 | 0x3205 | |
Application Generated | 12806 | 0x3206 | |
Handle Manipulation | 12807 | 0x3207 | |
File Share | 12808 | 0x3208 | |
Filtering Platform Packet Drop | 12809 | 0x3209 | |
Filtering Platform Connection | 12810 | 0x320A | |
Detailed File Share | 12811 | 0x320B | |
Removable Storage | 12812 | 0x320C | |
Central Policy Staging | 12813 | 0x320D | |
Privilege Use | Sensitive Privilege Use | 13056 | 0x3300 |
Non Sensitive Privilege Use | 13057 | 0x3301 | |
Other Privilege Use Events | 13058 | 0x3302 | |
Detailed Tracking | Process Creation | 13312 | 0x3400 |
Process Termination | 13313 | 0x3401 | |
DPAPI Activity | 13314 | 0x3402 | |
RPC Events | 13315 | 0x3403 | |
Plug and Play Events | 13316 | 0x3404 | |
Token Right Adjusted Events | 13317 | 0x3405 | |
Policy Change | Audit Policy Change | 13568 | 0x3500 |
Authentication Policy Change | 13569 | 0x3501 | |
Authorization Policy Change | 13570 | 0x3502 | |
MPSSVC Rule-Level Policy Change | 13571 | 0x3503 | |
Filtering Platform Policy Change | 13572 | 0x3504 | |
Other Policy Change Events | 13573 | 0x3505 | |
Account Management | User Account Management | 13824 | 0x3600 |
Computer Account Management | 13825 | 0x3601 | |
Security Group Management | 13826 | 0x3602 | |
Distribution Group Management | 13827 | 0x3603 | |
Application Group Management | 13828 | 0x3604 | |
Other Account Management Events | 13829 | 0x3605 | |
DS Access | Directory Service Access | 14080 | 0x3700 |
Directory Service Changes | 14081 | 0x3701 | |
Directory Service Replication | 14082 | 0x3702 | |
Detailed Directory Service Replication | 14083 | 0x3703 | |
Account Logon | Credential Validation | 14336 | 0x3800 |
Kerberos Service Ticket Operations | 14337 | 0x3801 | |
Other Account Logon Events | 14338 | 0x3802 | |
Kerberos Authentication Service | 14339 | 0x3803 |
The
section contains an opcode decimal code that identifies an operation within the task (<Opcode></Opcode>
) or one of the predefined global opcodes listed in Table 2-8. Advanced audit tasks do not have any opcodes defined within them.<Task>
Table 2-8: Global System Opcodes
VALUE | SYMBOL | DESCRIPTION |
|
|
An informational event |
|
|
An event that represents starting an activity |
|
|
An event that represents stopping an activity |
|
|
An event that represents data collection starting |
|
|
An event that represents data collection stopping |
|
|
An extension event |
|
|
A reply event |
|
|
An event that represents an activity resuming after being suspended |
|
|
An event that represents the activity being suspended pending another activity's completion |
|
|
An event that represents transferring an activity to another component |
|
|
An event that represents receiving an activity transfer from another component |
The
element contains additional keywords for the generated event. For security events this element may have the following values:<Keywords></Keywords>
The
element contains the <TimeCreated />
parameter, which shows the local machine time when the event was generated. The time shows as the UTC+0 time zone (Zulu time). SystemTime
is an example of the 2017-07-26T20:32:31.805159100Z
parameter value.SystemTime
The
element contains a unique identifier (number) of the event within specific event log. Numbering starts from 1 after operating system is installed and increments by 1 for each new event. If the event log is cleared the number continues without resetting to 1. Each event log has its own numbering.<EventRecordID></EventRecordID>
The
element provides information for events correlation if the events are, somehow, connected to each other. For example, they might be part of the same Active Directory operation/transaction or part of the specific account's logon activity. If an event is a part of any transaction, the <Correlation />
element might have the <Correlation />
parameter present with the GUID of the transaction/activity. All members of this transaction/activity will have the same value for the ActivityID
parameter. For example, the following account logon–related events usually have the same ActivityID
GUID for the same account:ActivityID
It is the responsibility of the reporting component to mark events as part of the same transaction. This is not always done, so you may find that some events that look like part of the same transaction don't have any value in the
element.<Correlation />
The
element contains the following two parameters:<Execution />
ProcessID:
PID of the process that reported the event. You already know that a security event can be reported by the lsass.exe
or ntoskrnl.exe
processes (refer to Figure 2-9):
ntoskrnl.exe
(System) process, this parameter's value will be 4.lsass.exe
process, this parameter will have a value of the lsass.exe
process's ID (PID).The
parameter for nonsecurity events may contain PIDs for any process that invoked the event-reporting APIs.ProcessID
ThreadID:
ID of the thread that was used to report the event within the process reported the event (for example, within lsass.exe
or ntoskrnl.exe
(System) process).The
section contains the name of a channel where the event is written. A channel is a pathway that events take between an event publisher and a log file. Usually each channel has a single log file associated with it. There are four primary channels in Windows: System, Application, Setup, and Security. All security events, for example, should be sent to the Security channel to be written in the security event log.<Channel></Channel>
The
element contains the name of the computer on which the event is generated. It may have the following formats:<Computer></Computer>
The
element is not usually used by security event log events, but it might be used by another event log's events to specify additional security information. For example, this element may contain a <Security />
parameter that contains a security identifier (SID) of the account that reported the event or that performed the action. The element will look like this: UserID
.<Security UserID="S-1-5-19" />
18.218.70.93