July 2001

Win2K Security Log Roundup

Enabling the Audit process tracking category on a server won't shed much light on the applications that execute at users' workstations. However, the category's events can help you track the use of server-side programs, such as Microsoft SQL Server or Microsoft Exchange Server, and any programs that administrators and operators execute while logged on interactively. Be aware that enabling this category on a server can place a load on the server's resources, so carefully monitor effects on performance.

Tracking logons and the utilization of processes and objects can help you monitor a suspected attacker's actions. You should also monitor the attempted use of user rights, which can alert you to suspicious behavior before an attacker can do damage. Win2K's Audit privilege use category keeps tabs on this type of action.

Audit Privilege Use
The Audit privilege use category tracks successful and failed attempts to exercise user rights. (Microsoft articles and Win2K documentation are inconsistent and use the terms privileges and rights interchangeably.) More than 34 rights exist, ranging from powerful rights such as Act as part of the operating system to rather innocuous rights such as Bypass traverse checking. When you enable Audit privilege use, the Security log begins to register three events: event ID 577 (privileged service called), event ID 578 (privileged object operation), and event ID 576 (special privileges assigned to new logon).

When a user attempts to invoke a right, Win2K logs either event ID 577 or event ID 578, depending on the right. (Win2K monitors some internal rights on a service basis and others on an object basis.) In both events, the Privileges field specifies which right the user invoked. Win2K logs the right's short name, which always begins with Se and ends with Privilege. However, Win2K doesn't display these short names when you edit rights assignments in the MMC Group Policy Editor (GPE) snap-in. Instead, the snap-in displays rights' full descriptions. (For example, Figure 2 shows an event ID 577 occurrence that Win2K logged when I changed the time on my computer. The event's SeSystemtimePrivilege right corresponds to the Change the system time right in GPE.)

When Win2K permits a user to invoke a right, the OS logs event ID 577 or event ID 578 as a success. If a user tries to exercise a right that hasn't been assigned to him or her, Win2K logs the event as failed. For some rights, the Primary User Name and Primary Domain fields identify the user who invoked the event. For rights that a server process invokes, however, these fields correspond to the local system's computer account. You can recognize such rights because the Primary User Name field is the same as the Computer field, followed by a dollar sign ($).

In such cases, you must look at the Client User Name and Client Domain fields to determine which user invoked the right. The Primary Logon ID and Client Logon ID fields correspond to the Logon ID field in the event ID 528 or event ID 540 occurrence that Win2K recorded when the user logged on.

Event ID 578's Process ID field identifies the process that directly invoked the event. For example, when you view the Security log, the Services process invokes the SeSecurityPrivilege (i.e., Manage auditing and security log) right on your behalf. The corresponding event ID 578's process ID belongs to the Services process.

Because the Audit logon events category contains specific event IDs for tracking logon activity, Win2K doesn't record successful or failed use of the logon rights by default. (These rights—with the exception of Access this computer from the network and Deny access to this computer from the network—begin with the words Logon as or Deny logon.) Neither does Win2K log a few other rights—such as SeBackupPrivilege (i.e., Backup files and directories) or SeRestorePrivilege (i.e., Restore files and directories)—that are invoked so frequently that they would quickly fill up the Security log. To enable auditing for these rights, make a registry change under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa: set the FullPrivilegeAuditing value, which is a REG_DWORD, to 1.

Win2K never logs the use of the SeAuditPrivilege (i.e., Generate security audits), SeCreateTokenPrivilege (i.e., Create a token object), SeDebugPrivilege (i.e., Debug programs), SeChangeNotifyPrivilege (i.e., Bypass traverse checking), or SeAssignPrimaryTokenPrivilege (i.e., Replace a process level token) rights. However, when a user with one or more of these rights logs on, Win2K records event ID 576 (special privileges assigned to new logon—this event usually closely follows a successful logon event ID 528 or event ID 540). To determine which rights a user had at the time the user logged on, look at event ID 576's Logon ID field, which identifies the user, and the Assigned field, which lists the rights' short names.
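The field logic above (the COMPUTER$ check that sends you to the Client fields, the Logon ID tie-back to event ID 528/540, and the rights that only event ID 576 reveals) as an added Python triage example; it is not code from the article, and the records, computer name SRV1, account names and logon IDs it processes are constructed.

```python
# Display names (as shown in the GPE snap-in) for the short names the Security log records.
PRIV_NAMES = {
    "SeSystemtimePrivilege": "Change the system time",
    "SeSecurityPrivilege": "Manage auditing and security log",
    "SeAuditPrivilege": "Generate security audits",
    "SeCreateTokenPrivilege": "Create a token object",
    "SeDebugPrivilege": "Debug programs",
    "SeChangeNotifyPrivilege": "Bypass traverse checking",
    "SeAssignPrimaryTokenPrivilege": "Replace a process level token",
}
# Rights whose use Win2K never logs: only event ID 576 at logon reveals who holds them.
NEVER_LOGGED = {"SeAuditPrivilege", "SeCreateTokenPrivilege", "SeDebugPrivilege",
                "SeChangeNotifyPrivilege", "SeAssignPrimaryTokenPrivilege"}

def invoking_user(evt):
    """(user, domain, logon ID) of the account that really invoked the right. Primary User
    Name equal to COMPUTER$ means a server process acted for a client: use the Client fields."""
    if evt["Primary User Name"] == evt["Computer"] + "$":
        return evt["Client User Name"], evt["Client Domain"], evt["Client Logon ID"]
    return evt["Primary User Name"], evt["Primary Domain"], evt["Primary Logon ID"]

def triage(events):
    """Return one finding per privilege-use record, tied back to its 528/540 logon event."""
    logons = {e["Logon ID"]: e["User Name"] for e in events if e["ID"] in (528, 540)}
    findings = []
    for e in events:
        if e["ID"] in (577, 578):
            user, dom, lid = invoking_user(e)
            priv = PRIV_NAMES.get(e["Privileges"], e["Privileges"])
            who = "%s\\%s" % (dom, user)
            if lid in logons:  # the Logon ID matches a logon event in the same batch
                who += " (logon %s)" % lid
            findings.append("%s %s: %s used %r" % (e["ID"], e["Type"], who, priv))
        elif e["ID"] == 576:
            hot = sorted(set(e["Assigned"]) & NEVER_LOGGED)
            if hot:
                findings.append("576: logon %s holds never-audited rights %s" % (e["Logon ID"], hot))
    return findings

# Constructed sample records (not real log data); keys mirror the article's field names.
SAMPLE = [
    {"ID": 528, "Logon ID": "(0x0,0x3E7A)", "User Name": "rsmith", "Domain": "ACME"},
    {"ID": 577, "Type": "Success", "Computer": "SRV1", "Privileges": "SeSecurityPrivilege",
     "Primary User Name": "SRV1$", "Primary Domain": "ACME", "Primary Logon ID": "(0x0,0x3E7)",
     "Client User Name": "rsmith", "Client Domain": "ACME", "Client Logon ID": "(0x0,0x3E7A)"},
    {"ID": 578, "Type": "Failure", "Computer": "SRV1", "Privileges": "SeSystemtimePrivilege",
     "Primary User Name": "jdoe", "Primary Domain": "ACME", "Primary Logon ID": "(0x0,0x4F12)"},
    {"ID": 576, "Logon ID": "(0x0,0x3E7A)", "Assigned": ["SeSecurityPrivilege", "SeDebugPrivilege"]},
]
```

Running `triage(SAMPLE)` attributes the Services-process 577 to rsmith rather than to SRV1$, reports jdoe's failed time change, and flags that rsmith's session holds SeDebugPrivilege, which no later event would show.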

Audit Policy Change
Whereas the Audit privilege use category lets you audit who is using which rights and when, the Audit policy change category lets you track administrators' changes to rights assignments. The category lets you monitor several types of policy changes.

First, Audit policy change lets you know when rights assignments change. When an administrator grants someone a right, Win2K logs event ID 608 (user right assigned). The event's User Right field lists the short names of the assigned right or rights. The Assigned To field identifies the user or group to which the administrator assigned the right or rights. Figure 3 shows the event ID 608 occurrence that Win2K logged when I assigned the SeCreateTokenPrivilege (i.e., Create a token object) and SeCreatePermanentPrivilege (i.e., Create permanent shared objects) rights to the Administrators group.
