Audit Policy
Establishing audit policy is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach.
There are nine different kinds of events you can audit. If you audit any of these kinds of events, Windows® records the events in the Security log, which you can find in Event Viewer.
- Account logon events. Audit this to see each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated in the domain controller's Security log when a domain user account is authenticated on a domain controller. These events are separate from Logon events, which are generated in the local Security log when a local user is authenticated on a local computer. Account logoff events are not tracked on the domain controller.
- Account management. Audit this to see when someone has changed an account name, enabled or disabled an account, created or deleted an account, changed a password, or changed a user group.
- Directory service access. Audit this to see when someone accesses an Active Directory® directory service object that has its own system access control list (SACL).
- Logon events. Audit this to see when someone has logged on or off your computer (either while physically at your computer or by trying to log on over a network).
- Object access. Audit this to see when someone has used a file, folder, printer, or other object. While you can also audit registry keys, we don't recommend that unless you have advanced computer knowledge and know how to use the registry.
- Policy change. Audit this to see attempts to change local security policies and to see if someone has changed user rights assignments, auditing policies, or trust policies.
- Privilege use. Audit this to see when someone performs a user right.
- Process tracking. Audit this to see when events such as program activation or a process exiting occur.
- System events. Audit this to see when someone has shut down or restarted the computer, or when a process or program tries to do something that it does not have permission to do. For example, if malicious software tried to change a setting on your computer without your permission, system event auditing would record it.
When you implement audit policy:
- Specify the categories of events that you want to audit. The event categories that you select constitute your audit policy.
- Set the size and behavior of the Security log. You can view the Security log with Event Viewer.
- If you want to audit directory service access or object access, determine which objects you want to audit access of and what type of access you want to audit. For example, if you want to audit any attempts by users to open a particular file, you can configure auditing policy settings in the object access event category so that both successful and failed attempts to read a file are recorded.
The Security log records an audit event whenever users perform certain specified actions. For example, the modification of a file or a policy can trigger an event that shows the action that was performed, the associated user account, and the date and time of the action. These events can be both successful and failed attempts to perform actions.
Regular security analyses enable administrators to track and determine whether adequate security measures are in effect for each computer as part of an enterprise risk management program. Such analyses focus on highly specific information about all aspects of a computer that relate to security, which administrators can use to adjust the security levels. More important, this information can help detect any security oversights that may occur in the computer over time. For example, security levels may be temporarily changed to enable immediate resolution of an administration or network issue. However, such changes are often forgotten about and never undone. If security levels are not properly reset, a computer may no longer meet the requirements for enterprise security.
Establishing and enabling an auditing policy that records deviations from your enterprise security policy is extremely important for any enterprise network, because audit logs may provide the only indication that a security breach has occurred by recording changes on file permissions, installation of programs, and escalation of privileges. If the breach is discovered some other way, proper audit settings can generate an audit log that may contain important information about the breach, how it occurred, and what systems were affected.
In many cases, failure events are much more informative than success events because failures typically indicate errors. For example, successful logon to a computer by a user would typically be considered normal. However, if someone unsuccessfully tries to log on to a computer multiple times, it may indicate an attacker's attempt to break into the computer with someone else's account credentials. The Event Log item of Group Policy is used to define attributes that relate to the Application, Security, and System logs, such as maximum log size, access rights for each log, and retention settings and methods. Auditing events are stored in the Security event log. For more information about the Event Log, see the Event Log section in this guide.
Before any audit processes are implemented, an organization should determine how they will collect, organize, and analyze the data. There is little value in large volumes of audit data if there is no underlying plan to use it. Also consider that audit settings can affect computer performance. The effect of a given combination of settings may be negligible on an end-user computer but quite noticeable on a busy server. Therefore, you should perform some performance tests before you deploy new audit settings in your production environment. A final consideration is the amount of storage space that you can allocate to storing the data collected during auditing. Depending on the setting you choose, auditing data can accumulate quickly and can fill up available disk space.
You can configure the Audit policy settings in the following location within the Group Policy Object Editor of Windows Server® 2003 or the Group Policy Management Console in Windows Vista with Service Pack 1 (SP1):
Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
The following sections describe the options and issues for configuring Audit settings for better system management and security.
The vulnerabilities, countermeasures, and potential impacts of all the audit settings are identical. The options for each of the audit settings are also identical:
- Success. An audit event is generated when the requested action succeeds.
- Failure. An audit event is generated when the requested action fails.
- No Auditing. No audit event is generated for the associated action.
If audit settings are not configured, it can be difficult or impossible to determine what occurred during a security incident. However, if audit settings are configured so that events are generated for all activities the Security log will be filled with data and hard to use. Also, you can use a large amount of data storage as well as adversely affect overall computer performance if you configure audit settings for a large number of objects.
If failure auditing is used and the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is enabled, an attacker could generate millions of failure events such as logon failures in order to fill the Security log and force the computer to shut down, creating a denial of service (DoS). If security logs are allowed to be overwritten, an attacker can overwrite part or all of their activity by generating large numbers of events so that the evidence of their intrusion is overwritten.
Enable Audit policy settings that support the organizational security policy for all the computers in your organization. Identify the components that you need for an audit policy that enables your organization to hold users accountable for their actions while using organizational resources and enables IT departments to detect unauthorized activity efficiently and then track those events in log files.
If no audit settings are configured, or if audit settings are too lax on the computers in your organization, security incidents might not be detected or not enough evidence will be available for network forensic analysis after security incidents occur. However, if audit settings are too detailed, critically important entries in the Security log may be obscured by the large number of log entries created by routine activities and computer performance, and the available amount of data storage may be seriously affected. Companies that operate in certain regulated industries may have legal obligations to log certain events or activities.
This policy setting enables auditing of each instance of user logon or logoff on a different computer than the one that records the event and validates the account. Success audits provide useful information for accounting purposes and for post-incident forensics so that you can determine who successfully logged on to which computer.
Failure audits are useful for intrusion detection. However, this configuration of the policy setting also creates the potential for a DoS attack. When the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is also enabled, an attacker could generate millions of logon failures in order to fill the Security log, and force the computer to shut down.
If you configure the Audit account logon events setting to Success on a domain controller, an event is logged for each user who is validated against that domain controller, even though the user actually logs on to a workstation or server that is joined to the domain.
By default, Auditaccount logon events is set to Success.
This policy setting enables auditing of each account management event on a computer. Examples of account management events include the following:
- User account or group is created, changed, or deleted.
- User account is renamed, disabled, or enabled.
- Password is set or changed.
Success audits should be enabled on all computers in your enterprise. When an organization responds to security incidents, it is critical that they be able to track who created, changed, or deleted an account. Failure audits generate an event when any account management action fails.
This policy setting enables auditing of user access of an Active Directory object that has an associated SACL. A SACL is list of users and groups for which actions on an object are to be audited on a Windows–based network.
Success audits generate an event when a user successfully accesses an Active Directory object that has a SACL that indicates that the user should be audited for the requested action. Failure audits generate an event for each unsuccessful attempt. (Both types of events are created before the user is notified that the request succeeded or failed.) If you enable this policy setting and configure SACLs on directory objects, a large volume of entries can be generated in the Security logs on domain controllers. You should enable these settings only if you actually intend to use the information that is created.
Note
You can configure a SACL on an Active Directory object through the Security tab in that object's Properties dialog box. This method is analogous to Audit object access, except that it applies only to Active Directory objects and not to file system and registry objects.
This policy setting enables auditing of each instance of user logon, logoff, or network connection to the computer that records the event. If you log successful account logon events on a domain controller, workstation logon attempts do not generate logon events. Only interactive and network logon attempts to the domain controller itself generate logon events on the domain controller. To summarize, "account logon events" are generated where the account exists, either on the domain controller if the account is a domain account or on the local computer if the account is a local computer account, and "logon events" are generated on the computer where the user is logging on or off.
Success audits provide useful information for accounting purposes and for post-incident forensics so that you can determine who successfully logged on to which computer. Failure audits are useful for intrusion detection. However, the configuration of failure events also creates a potential DoS condition. When the Audit: Shut down system immediately if unable to log security audits setting in the Security Options section of Group Policy is also enabled, an attacker could generate millions of logon failures in order to fill the Security log, and force the server to shut down.
This policy setting enables auditing of the event generated by a user who accesses an object—for example, a file, folder, registry key, or printer—that has a SACL that specifies a requirement for auditing.
Success audits generate an event when a user successfully accesses an object that has a SACL. Failure audits generate an event for each unsuccessful attempt (some failure events are to be expected during normal computer operations). For example, many applications (such as Microsoft Word) always attempt to open files with both read and write privileges. If the applications are unable to do so, they then try to open the files with read-only privileges. If you enable failure auditing and the appropriate SACL on the file, a failure event will be recorded when such an event occurs.
In Windows Server 2003 with Service Pack 1 (SP1), you can audit access to objects that are stored in the Internet Information Services (IIS) metabase. To enable metabase object auditing, you must enable Audit object access on the target computer, and then set SACLs on the specific metabase objects whose access you want to audit.
If you configure the Audit object access policy setting and configure SACLs on objects, a large volume of entries can be generated in the Security logs on computers in your organization. Therefore, you should only enable these settings if you actually intend to use the information that is logged.
Note
You must perform a two-step process to enable auditing of an object, such as a file, folder, printer, or registry key, in Windows Server 2003. After you enable the audit object access policy, you must modify the SACLs of the objects whose access you want to audit. For example, to audit any attempts by users to open a particular file, you can configure a Success or Failure audit attribute directly on the file that you want to monitor for that particular event by using either Windows Explorer or Group Policy.
This policy setting enables auditing of every incidence of a change to user rights assignment policies, Windows Firewall policies, Audit policies, or trust policies.
Success audits are useful for accounting purposes and can help you determine who successfully modified policies in the domain or on individual computers. Failure audits generate an event when a change to user rights assignment policies, Audit policies, or trust policies fails.
If you enable the Audit policy change setting in Windows Vista and Windows Server 2003 with SP1, logging of configuration changes for the Windows Firewall component is also enabled.
This policy setting enables auditing of each instance of a user who exercises a user right.
Success audits generate an event when the exercise of a user right succeeds. Failure audits generate an event for an unsuccessful exercise. If you enable this policy setting, the volume of events that is generated can be very large and cumbersome. You should enable this setting only if you plan to use the information that is generated.
Audit events are not generated for the use of the following user rights, even if success audits or failure audits are specified for the Audit privilege use policy setting:
- Bypass traverse checking
- Debug programs
- Create a token object
- Replace process level token
- Generate security audits
- Backup files and directories
- Restore files and directories
This policy setting enables auditing of detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
Success audits generate an event when the process being tracked succeeds. Failure audits generate an event when the process fails.
If you enable Audit process tracking in Windows Vista and Windows Server 2003 with SP1, Windows will also log information about the operating mode and status of the Windows Firewall component.
When enabled, the Audit process tracking setting generates a large number of events. This policy setting is typically configured to No Auditing. However, the information that this policy setting generates can be very beneficial during an incident response because it provides a detailed log of the processes that were started and when they were started.
This policy setting enables auditing of the restart or shutdown of users' computers, or events that affect either computer security or the Security log.
Success audits generate an event when an event runs successfully. Failure audits generate an event when an event is unsuccessful.
Because few additional events are recorded if both failure and success audits are enabled for system events, and because all such events are very significant, you should configure this policy setting to Enabled on all computers in your organization.
After you become familiar with the audit settings in Windows, it may be helpful to consider a specific example. The audits in this example are performed from an individual computer's perspective, rather than from the more holistic perspective that an enterprise administrator might prefer. Because events are recorded on individual computers, you might need to examine the Security logs of multiple computers and correlate the data to determine what occurred.
The following tables show the core events that are written to the event logs of an end-user computer, a file server, and a domain controller, when an authorized user logs on to his or her computer and accesses a file in a shared folder hosted by the file server. Only the core events are documented—other events that are generated by these activities were omitted for the sake of clarity. The names of the accounts and resources involved in this example are:
- Domain = Contoso
- Domain controller = DC1
- File server = FS1
- End-user computer = XP1
- User = John
- Shared folder on FS1 = Share
- Document in the shared folder = document.txt
Events recorded on the end-user computer |
Success Audit for Event ID 528, user Logon/Logoff for user Contoso\John at computer XP1 |
Events recorded on the domain controller |
Success Audit for Event ID 540, user Logon/Logoff for user Contoso\John at computer DC1 |
Events recorded on the file server |
Not applicable |
Events recorded on the end-user computer |
Not applicable |
Events recorded on the domain controller |
Success Audit for Event ID 673, Account logon for user John@contoso.com for service name FS1$ Success Audit for Event ID 673, Account logon for user FS$@contoso.com for service name FS1$ Success Audit for Event ID 673, Account logon for user XP1$@contoso.com for service name FS1$ (These are all Kerberos authentication protocol service ticket requests.) |
Events recorded on the file server |
Success Audit for Event ID 540, user Logon/Logoff for user Contoso\John at computer FS1 Success Audit for Event ID 560, Object Access for user Contoso\John to the object named C:\Share with access types READ_CONTROL, ReadData (or ListDirectory), ReadEA, and ReadAttributes Success Audit for Event ID 560, Object Access for user Contoso\John to the object named C:\Share\document.txt with access types READ_CONTROL, ReadData (or ListDirectory), ReadEA, and ReadAttributes |
Events recorded on the end-user computer |
Not applicable |
Events recorded on the domain controller |
Not applicable |
Events recorded on the file server |
Success Audit for Event ID 560, Object Access for user Contoso\John to the object named C:\Share\document.txt with access types READ_CONTROL, ReadData (or ListDirectory), WriteDate (or AddFile), AppendDate (or AddSubdirectory or CreatePipeInstance), ReadEA, WriteEA, ReadAttributes, and WriteAttributes Success Audit for Event ID 560, Object Access for user Contoso\John to the object named C:\Share\document.txt with access types ReadAttributes Success Audit for Event ID 560, Object Access for user Contoso\John to the object named C:\Share with access types ReadAttributes |
Events recorded on the end-user computer |
Not applicable |
Events recorded on the domain controller |
Not applicable |
Events recorded on the file server |
Success Audit for Event ID 560, Object Access for user Contoso\John to the object named C:\Share\document.txt with access types SYNCHRONIZE, ReadData (or ListDirectory), WriteDate (or AddFile), AppendDate (or AddSubdirectory or CreatePipeInstance), ReadEA, WriteEA, ReadAttributes, and WriteAttributes Success Audit for Event ID 560, Object Access for user Contoso\John to the object named C:\Share\document.txt with access types READ_CONTROL, SYNCHRONIZE and ReadData (or ListDirectory) |
Although this example may look like a complex series of events, it has been greatly simplified. The listed actions would actually generate dozens of logon, logoff, and privilege use events on the domain controller and file server. When the user opens the file, scores of object access events are also generated, and each time the user saves the file many more events are generated.
Available in Windows Vista, Windows Server 2008, Windows Server 2003, and Windows XP with Service Pack 2 (SP2), per-user selective auditing allows for selective audit levels on individual user accounts. For example, audit levels can be set to report only logon and logoff activity for all users while auditing all activity for a specific user. Per-user selective audit can also be used to reduce the volume of events in the Security log by allowing certain accounts to be excluded from audit generation for certain activities. Only user accounts can be audited using this functionality; security and distribution groups cannot be audited. Accounts that belong to the local Administrators group cannot be excluded from auditing by using the per-user selective audit mechanism.
Valid selective auditing categories are:
- Account Logon
- Account Management
- Directory Service Access
- Detailed Tracking
- Logon/Logoff
- Object Access
- Policy Change
- Privilege Use
- System Event
In Windows Vista and Windows Server 2008, the command-line tool used to set per-user auditing policy for selective auditing is Auditpol. In Windows Server 2003 with SP1 and Windows XP with SP2, the command-line tool for selective auditing is Auditusr.
For a command-line reference on the use of Auditpol, see Auditpol (https://go.microsoft.com/fwlink/?LinkID=84473).
For help using the Auditusr command, type auditusr /? at the command prompt of a computer running Windows XP with SP2 or Windows Server 2003 with SP1.
In Windows Vista and Windows Server 2008, auditing has been expanded to support auditing subcategories for each of the categories discussed in the previous section. These subcategories allow you to fine tune your auditing strategy to reduce the number of extraneous entries in the auditing logs and allow each organization to focus their auditing on the events that are important to them.
If you are going to use auditing subcategories, you should not use Group Policy to define and distribute your auditing policies. The Group Policy Management Console configures only the top-level auditing categories and enables all of the subcategories within the category and thus cannot be used to set more targeted audit policy. Instead, auditing policy that uses auditing subcategories must be defined by using the command-line tool auditpol.exe and distributed by means of a script.
The following table identifies the auditing subcategories:
Category-Subcategory | Description | Default Setting |
---|---|---|
System–Security System Extension |
Reports the loading of extension code such as authentication packages by the security subsystem. |
No Auditing |
System–System Integrity |
Reports on violations of integrity of the security subsystem. |
Success and Failure |
System–IPsec Driver |
Reports on the activities of the Internet Protocol security (IPsec) driver. |
No Auditing |
System–Other System Events |
Reports on other system events. |
Success and Failure |
System–Security State Change |
Reports changes in security state of the system, such as when the security subsystem starts and stops. |
Success |
Logon/Logoff–Logon |
Reports when a user attempts to log on to the system. |
Success |
Logon/Logoff–Logoff |
Reports when a user logs off from the system. |
Success |
Logon/Logoff–Account Lockout |
Reports when a user's account is locked out as a result of too many failed logon attempts. |
Success |
Logon/Logoff–IPsec Main Mode |
Reports the results of Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations. |
No Auditing |
Logon/Logoff–IPsec Quick Mode |
Reports the results of IKE protocol and AuthIP during Quick Mode negotiations. |
No Auditing |
Logon/Logoff–IPsec Extended Mode |
Reports the results of AuthIP during Extended Mode negotiations. |
No Auditing |
Logon/Logoff–Special Logon |
Reports when a special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level. |
Success |
Logon/Logoff–Network Policy Server |
Reports events generated by RADIUS (IAS) and Network Access Protection (NAP) user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock. Auditing this setting will result in a medium or high volume of records on NPS and IAS servers. |
No Auditing |
Logon/Logoff–Other Logon/Logoff Events |
Reports other logon/logoff-related events, such as Terminal Services session disconnects and reconnects, using RunAs to run processes under a different account, and locking and unlocking a workstation. |
No Auditing |
Object Access–File System |
Reports when file system objects are accessed. Only file system objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. |
No Auditing |
Object Access–Registry |
Reports when registry objects are accessed. Only registry objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. |
No Auditing |
Object Access–Kernel Object |
Reports when kernel objects such as processes and mutexes are accessed. Only kernel objects with SACLs cause audit events to be generated, and only when they are accessed in a manner matching their SACL. Typically kernel objects are only given SACLs if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled. |
No Auditing |
Object Access–SAM |
Reports when SAM objects are accessed. |
No Auditing |
Object Access–Certification Services |
Reports when Certification Services operations are performed. |
No Auditing |
Object Access–Application Generated |
Reports when applications attempt to generate audit events by using the Windows auditing application programming interfaces (APIs). |
No Auditing |
Object Access–Handle Manipulation |
Reports when a handle to an object is opened or closed. Only objects with SACLs cause these events to be generated, and only if the attempted handle operation matches the SACL. Handle Manipulation events are only generated for object types where the corresponding Object Access subcategory is enabled, for example File System or Registry. |
No Auditing |
Object Access–File Share |
Reports when a file share is accessed. |
No Auditing |
Object Access–Filtering Platform Packet Drop |
Reports when packets are dropped by Windows Filtering Platform (WFP). These events can be very high in volume. |
No Auditing |
Object Access–Filtering Platform Connection |
Reports when connections are allowed or blocked by WFP. These events can be high in volume. |
No Auditing |
Object Access–Other Object Access Events |
Reports other object access-related events such as Task Scheduler jobs and COM+ objects. |
No Auditing |
Detailed Tracking–Process Termination |
Reports when a process terminates. |
No Auditing |
Detailed Tracking–DPAPI Activity |
Reports encrypt or decrypt calls into the data protections application interface (DPAPI). DPAPI is used to protect secret information such as stored password and key information. |
No Auditing |
Detailed Tracking–RPC Events |
Reports remote procedure call (RPC) connection events. |
No Auditing |
Detailed Tracking–Process Creation |
Reports the creation of a process and the name of the program or user that created it. |
No Auditing |
Policy Change–Audit Policy Change |
Reports changes in audit policy including SACL changes. |
Success |
Policy Change–Authentication Policy Change |
Reports changes in authentication policy. |
Success |
Policy Change–Authorization Policy Change |
Reports changes in authorization policy including permissions (DACL) changes. |
No Auditing |
Policy Change–MPSSVC Rule-Level Policy Change |
Reports changes in policy rules used by the Microsoft Protection Service (MPSSVC.exe). This service is used by Windows Firewall and by Microsoft OneCare. |
No Auditing |
Policy Change–Filtering Platform Policy Change |
Reports the addition and removal of objects from WFP, including startup filters. These events can be very high in volume. |
No Auditing |
Policy Change–Other Policy Change Events |
Reports other types of security policy changes such as configuration of the Trusted Platform Module (TPM) or cryptographic providers. |
No Auditing |
Account Management–User Account Management |
Reports each event of user account management, such as when a user account is created, changed, or deleted; a user account is renamed, disabled, or enabled; or a password is set or changed. |
Success |
User Account Management–Computer Account Management |
Reports each event of computer account management, such as when a computer account is created, changed, deleted, renamed, disabled, or enabled. |
No Auditing |
User Account Management–Security Group Management |
Reports each event of security group management, such as when a security group is created, changed, or deleted or when a member is added to or removed from a security group. |
Success |
User Account Management–Distribution Group Management |
Reports each event of distribution group management, such as when a distribution group is created, changed, or deleted or when a member is added to or removed from a distribution group. |
No Auditing |
User Account Management–Application Group Management |
Reports each event of application group management on a computer, such as when an application group is created, changed, or deleted or when a member is added to or removed from an application group. |
No Auditing |
User Account Management–Other Account Management Events |
Reports other account management events. |
No Auditing |
DS Access–Directory Service Changes |
Reports changes to objects in Active Directory Domain Services (AD DS). The types of changes that are reported are create, modify, move, and undelete operations that are performed on an object. DS Change auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema. |
No Auditing |
DS Access–Directory Service Replication |
Reports when replication between two domain controllers begins and ends. |
No Auditing |
DS Access–Detailed Directory Service Replication |
Reports detailed information about the information replicating between domain controllers. These events can be very high in volume. |
No Auditing |
DS Access–Directory Service Access |
Reports when an AD DS object is accessed. Only objects with SACLs cause audit events to be generated, and only when they are accessed in a manner that matches their SACL. These events are similar to the directory service access events in previous versions of Windows Server. |
No Auditing |
Account Logon–Kerberos Ticket Events |
Reports the results of validation tests on Kerberos tickets submitted for a user account logon request. |
No Auditing |
Account Logon–Other Account Logon Events |
Reports the events that occur in response to credentials submitted for a user account logon request that do not relate to credential validation or Kerberos tickets. |
No Auditing |
Account Logon–Credential Validation |
Reports the results of validation tests on credentials submitted for a user account logon request. |
No Auditing |
Privilege Use–Sensitive Privilege Use |
Reports when a user account or service uses a sensitive privilege. A sensitive privilege includes the following user rights: Act as part of the operating system, Back up files and directories, Create a token object, Debug programs, Enable computer and user accounts to be trusted for delegation, Generate security audits, Impersonate a client after authentication, Load and unload device drivers, Manage auditing and security log, Modify firmware environment values, Replace a process-level token, Restore files and directories, and Take ownership of files or other objects. Auditing this subcategory will create a high volume of events. |
No Auditing |
Privilege Use–Non-Sensitive Privilege Use |
Reports when a user account or service uses a non-sensitive privilege. A non-sensitive privilege includes the following user rights: Access Credential Manager as a trusted caller, Access this computer from the network, Add workstations to domain, Adjust memory quotas for a process, Allow log on locally, Allow log on through Terminal Services, Bypass traverse checking, Change the system time, Create a pagefile, Create global objects, Create permanent shared objects, Create symbolic links, Deny access this computer from the network, Deny log on as a batch job, Deny log on as a service, Deny log on locally, Deny log on through Terminal Services, Force shutdown from a remote system, Increase a process working set, Increase scheduling priority, Lock pages in memory, Log on as a batch job, Log on as a service, Modify an object label, Perform volume maintenance tasks, Profile single process, Profile system performance, Remove computer from docking station, Shut down the system, and Synchronize directory service data. Auditing this subcategory will create a very high volume of events. |
No Auditing |
Privilege Use–Other Privilege Use |
This category is reserved for future use. No events are currently mapped to this subcategory. |
No Auditing |
For instruction on how to use auditpol.exe to create detailed audit policies for computers running Windows Vista and how to distribute those setting by using a script, see article 921469, How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain, in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=82447).
The following links provide additional information about topics that relate to Audit policy settings for computers that run Windows Vista or Windows Server 2003 with SP1:
- For more Audit policy information, see Windows Server 2003 Auditing (https://go.microsoft.com/fwlink/?LinkId=100529).
- Article 324739, How to use Group Policy to audit registry keys in Windows Server 2003, in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=35275).
- Article 921469, How to use Group Policy to configure detailed security auditing settings for Windows Vista client computers in a Windows Server 2003 domain or in a Windows 2000 domain, in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkID=82447) describes a procedure that administrators can use to deploy a custom audit policy that applies detailed security auditing settings for Windows Vista-based client computers.
- Article 299475, Windows 2000 Security Event Descriptions (Part 1 of 2) (https://go.microsoft.com/fwlink/?LinkId=100530), and article 301677, Windows 2000 Security Event Descriptions (Part 2 of 2) (https://go.microsoft.com/fwlink/?LinkId=100531), in the Microsoft Knowledge Base describe the security events logged by Windows 2000 Server. They also apply to Windows Server 2003, Windows Vista, and Windows XP.