Spat's WebLog (Steve Patrick)

When things go wrong...

New Auditing in Vista


Something that is not well known in Vista: this ain't your typical auditing.

There is a HUGE amount of auditing that we added to the OS for system auditing.

Let's dig in and look at just one of them that previous OS's never even came close to providing data on.

First, how to get to the new goodies. No UI here, sorry folks; it is all done from the command line:

C:\>auditpol /get /category:*
System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 Success
  Computer Account Management             No Auditing
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Ticket Events                  No Auditing
  Other Account Logon Events              No Auditing
  Credential Validation                   No Auditing


We will focus on DPAPI, which historically has had very limited exposure in the audit log. For a primer see http://msdn2.microsoft.com/en-us/library/ms995355.aspx

CryptProtectData and related APIs use this system.


C:\>auditpol /set /subcategory:"DPAPI Activity" /success:enable
The command was successfully executed.

Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          Success
  RPC Events                              No Auditing
  Process Creation                        No Auditing


Now we see that the DPAPI subcategory will audit for success (we could have done /failure:enable as well).

The policy change itself is reflected in the Event Log:


System audit policy was changed.

Subject:
    Security ID:        DOMAINA\Administrator
    Account Name:       Administrator
    Account Domain:     DOMAINA
    Logon ID:           0xfa76f

Audit Policy Change:
    Category:           Detailed Tracking
    Subcategory:        DPAPI Activity
    Subcategory GUID:   {0CCE922D-69AE-11D9-BED3-505054503030}
    Changes:            Success Added
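Since there is no UI, checking a machine's audit policy against what you want is a parsing job. As an added example (my code, not the post's or Microsoft's), here is a small Python script that parses the auditpol /get /category:* table in the layout shown above, compares it with a desired baseline and prints the auditpol /set lines (same /success and /failure flags the post uses) needed to fix any drift; the sample table and the baseline are constructed.

```python
import re

# Added example (not Microsoft code). Constructed `auditpol /get /category:*` excerpt, in the
# layout the post shows: unindented line = category, two-space indent = subcategory row.
SAMPLE_OUTPUT = """System audit policy
Category/Subcategory                      Setting
Detailed Tracking
  DPAPI Activity                          No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success and Failure
"""
BASELINE = {"DPAPI Activity": "Success and Failure",
            "Process Creation": "Success",
            "Audit Policy Change": "Success"}  # constructed desired settings; unlisted ones are left alone
# A table row: two-space indent, name, 2+ spaces, one of the four settings auditpol prints.
_ROW = re.compile(r"^  (?P<name>.+?)\s{2,}(?P<setting>No Auditing|Success and Failure|"
                  r"Success|Failure)\s*$")

def parse_auditpol(text):
    """Return {(category, subcategory): setting} from the /get table text."""
    policy, category, in_table = {}, None, False
    for line in text.splitlines():
        if line.startswith("Category/Subcategory"):
            in_table = True          # column header; rows follow
            continue
        if not in_table or not line.strip():
            continue
        row = _ROW.match(line)
        if row:
            policy[(category, row.group("name"))] = row.group("setting")
        elif not line.startswith(" "):
            category = line.strip()  # unindented line starts a new category
    return policy

def policy_drift(policy, baseline):
    """List (subcategory, current, wanted) where the host differs from the baseline."""
    current = {sub: setting for (_cat, sub), setting in policy.items()}
    return [(sub, current.get(sub, "Not Present"), want)
            for sub, want in baseline.items() if current.get(sub) != want]

def set_command(subcategory, wanted):
    """The auditpol /set line (same flag syntax as the post) that yields the wanted setting."""
    return 'auditpol /set /subcategory:"%s" /success:%s /failure:%s' % (
        subcategory, "enable" if "Success" in wanted else "disable",
        "enable" if "Failure" in wanted else "disable")

if __name__ == "__main__":
    for sub, have, want in policy_drift(parse_auditpol(SAMPLE_OUTPUT), BASELINE):
        print("%s: %s -> %s\n    %s" % (sub, have, want, set_command(sub, want)))
```

On a real box you would feed the script the live output of auditpol /get /category:* instead of SAMPLE_OUTPUT.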

 

 

 

So let's give it a spin. I used Outlook to sign some mail; here are the 3 events generated:


A cryptographic self test was performed.

Subject:
    Security ID:        SYSTEM
    Account Name:       VISTACRISCO$
    Account Domain:     DOMAINA
    Logon ID:           0x3e7

Module:                 ncrypt.dll

Return Code:            0x0


Key file operation.

Subject:
    Security ID:        DOMAINA\Administrator
    Account Name:       Administrator
    Account Domain:     DOMAINA
    Logon ID:           0xfa76f

Cryptographic Parameters:
    Provider Name:      Microsoft Software Key Storage Provider
    Algorithm Name:     Not Available.
    Key Name:           {D9E9DA9C-7F8C-4090-A3E9-56CF76099437}
    Key Type:           User key.

Key File Operation Information:
    File Path:          C:\Users\Administrator.DOMAINA\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1062893845-71897300-3205605540-500\88f099cd4d91e383a07203de5a8d0a4d_79f3ab01-e697-496e-afe2-672634d9bf6a
    Operation:          Read persisted key from file.
    Return Code:        0x0


Cryptographic operation.

Subject:
    Security ID:        DOMAINA\Administrator
    Account Name:       Administrator
    Account Domain:     DOMAINA
    Logon ID:           0xfa76f

Cryptographic Parameters:
    Provider Name:      Microsoft Software Key Storage Provider
    Algorithm Name:     RSA
    Key Name:           {D9E9DA9C-7F8C-4090-A3E9-56CF76099437}
    Key Type:           User key.

Cryptographic Operation:
    Operation:          Open Key.
    Return Code:        0x0


That's just one example. Good heavens, look how long that list of subcategories is! What fun...

spatdsg


Comments

Thanks for the post Steve! Very helpful.