Windows Events Audit

If your environment is highly secured and you need to track access to some or all of the resources on the network, Windows gives you options for doing so. The feature that provides this tracking and logging of who is accessing which resource from which computer on the network is called auditing. There are numerous auditing options and configurations to choose from; we will look at each one and go over what it can provide for you.

This is especially useful for creating reports when you run a central syslog server that collects all of this information.

Note that some of the events below are only generated on Windows 2000 hosts. The events are generated by turning on the corresponding audit categories in the Windows audit subsystem.

1. Audit Privilege Use (Success and Failure) will generate:

576;Special privileges assigned to new logon
577;Privileged Service Called
578;Privileged object operation

2. Audit Process Tracking (Success and Failure) will generate:

592;A new process has been created
593;A process has exited
594;A handle to an object has been duplicated
595;Indirect access to an object has been obtained

3. Audit System Events (Success and Failure) will generate:

512;Windows NT is starting up
513;Windows NT is shutting down
514;An authentication package has been loaded
515;A trusted logon process has registered
516;Loss of some audits
517;The audit log was cleared
518;A notification package has been loaded

4. Audit Logon Events (Success and Failure) will generate:

528;A user successfully logged on to a computer
529;The logon attempt was made with an unknown user name or bad password
530;The user account tried to log on outside of the allowed time
531;A logon attempt was made using a disabled account
532;A logon attempt was made using an expired account
533;The user is not allowed to log on at this computer
534;The user attempted to log on with a logon type that is not allowed
535;The password for the specified account has expired
536;The Net Logon service is not active
537;The logon attempt failed for other reasons
538;A user logged off
539;The account was locked out at the time the logon attempt was made
540;Successful Network Logon
541;IPSec security association established
542;IPSec security association ended
543;IPSec security association ended
544;IPSec security association establishment failed
545;IPSec peer authentication failed
546;IPSec security association establishment failed
547;IPSec security association negotiation failed
682;A user has reconnected to a disconnected Terminal Services session
683;A user disconnected a Terminal Services session without logging off

5. Audit Account Logon Events (Success and Failure) will generate:

672;An authentication service (AS) ticket was successfully issued and validated
673;A ticket granting service (TGS) ticket was granted
674;A security principal renewed an AS ticket or TGS ticket
675;Pre-authentication failed
676;Authentication Ticket Request Failed
677;A TGS ticket was not granted
678;An account was successfully mapped to a domain account
680;Identifies the account used for the successful logon attempt
681;A domain account log on was attempted
682;A user has reconnected to a disconnected Terminal Services session
683;A user disconnected a Terminal Services session without logging off

6. Audit Account Management Events (Success and Failure) will generate:

624;User Account Created
625;User Account Type Change
626;User Account Enabled
627;Password Change Attempted
628;User Account Password Set
629;User Account Disabled
630;User Account Deleted
631;Security Enabled Global Group Created
632;Security Enabled Global Group Member Added
633;Security Enabled Global Group Member Removed
634;Security Enabled Global Group Deleted
635;Security Disabled Local Group Created
636;Security Enabled Local Group Member Added
637;Security Enabled Local Group Member Removed
638;Security Enabled Local Group Deleted
639;Security Enabled Local Group Changed
640;General Account Database Change
641;Security Enabled Global Group Changed
642;User Account Changed
643;Domain Policy Changed
644;User Account Locked Out
645;Computer object added
646;Computer object changed
647;Computer object deleted
648;Security Disabled Local Group Created
649;Security Disabled Local Group Changed
650;Security Disabled Local Group Member Added
651;Security Disabled Local Group Member Removed
652;Security Disabled Local Group Deleted
653;Security Disabled Global Group Created
654;Security Disabled Global Group Changed
655;Security Disabled Global Group Member Added
656;Security Disabled Global Group Member Removed
657;Security Disabled Global Group Deleted
658;Security Enabled Universal Group Created
659;Security Enabled Universal Group Changed
660;Security Enabled Universal Group Member Added
661;Security Enabled Universal Group Member Removed
662;Security Enabled Universal Group Deleted
663;Security Disabled Universal Group Created
664;Security Disabled Universal Group Changed
665;Security Disabled Universal Group Member Added
666;Security Disabled Universal Group Member Removed
667;Security Disabled Universal Group Deleted
668;Group Type Changed
669;Add SID History (Success)
670;Add SID History (Failure)

7. Audit Object Access (Success and Failure) will generate:

560;Access was granted to an already existing object
561;A handle to an object was allocated
562;A handle to an object was closed
563;An attempt was made to open an object with the intent to delete it
564;A protected object was deleted
565;Access was granted to an already existing object type
566;Object Operation
608;A user right was assigned

8. Audit Policy Change (Success and Failure) will generate:

609;A user right was removed
610;A trust relationship with another domain was created
611;A trust relationship with another domain was removed
612;An audit policy was changed
613;IPSec policy agent started
614;IPSec policy agent disabled
615;IPSec policy changed
616;IPSec policy agent encountered a potentially serious failure
617;Kerberos policy changed
618;Encrypted data recovery policy changed
620;Trusted domain information modified
768;A collision was detected between a namespace element in two forests

9. Audit Directory Service Access (Success and Failure) will generate:

565;Information about accessed objects in AD
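As an added example (not part of the original page), the script below turns the category tables above into a lookup and runs it over syslog-forwarded security events of the kind a central syslog server would collect, producing the sort of daily report the introduction mentions. The event-ID-to-category mapping is copied from the lists on this page; the syslog line layout, the host names, the account names and the sample lines are constructed for illustration and do not reproduce any particular forwarder's format. It also handles the IDs the page lists under two categories (565, 682, 683) by mapping them to both.

```python
"""Summarize syslog-forwarded Windows 2000/2003 security events by audit category.

Added example, not from the original page. The ID-to-category table comes from
the page's lists; the line layout and sample lines are constructed.
"""
import re
from collections import Counter

# Audit category -> event IDs, as listed on this page.
AUDIT_CATEGORIES = {
    "Privilege Use": {576, 577, 578},
    "Process Tracking": {592, 593, 594, 595},
    "System Events": set(range(512, 519)),
    "Logon Events": set(range(528, 548)) | {682, 683},
    "Account Logon Events": {672, 673, 674, 675, 676, 677, 678, 680, 681, 682, 683},
    "Account Management": set(range(624, 671)),
    "Object Access": {560, 561, 562, 563, 564, 565, 566, 608},
    "Policy Change": set(range(609, 619)) | {620, 768},
    "Directory Service Access": {565},
}

# Reverse index: event ID -> list of categories. 565, 682 and 683 appear under
# two categories on the page, so a single name would be wrong for them.
CATEGORY_OF = {}
for _category, _ids in AUDIT_CATEGORIES.items():
    for _event_id in _ids:
        CATEGORY_OF.setdefault(_event_id, []).append(_category)

# Events that belong on every report regardless of volume: audit loss or
# clearing (516/517), lockouts (539/644), audit policy change (612), SID history (669/670).
HIGH_INTEREST = {516, 517, 539, 612, 644, 669, 670}

# Constructed line layout (an assumption, not a real forwarder's format):
#   <mon> <day> <hh:mm:ss> <host> Security: <id> <Success|Failure> Audit: <text>
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"Security: (?P<event_id>\d+) (?P<outcome>Success|Failure) Audit: (?P<text>.*)$"
)
# Legacy event text carries the account as "User Name: <name>".
USER_RE = re.compile(r"User Name:\s*(?P<user>\S+)")


def parse_line(line):
    """Return a dict for a recognised security event line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event_id = int(m.group("event_id"))
    user = USER_RE.search(m.group("text"))
    return {
        "host": m.group("host"),
        "event_id": event_id,
        "categories": CATEGORY_OF.get(event_id, ["Unknown"]),
        "user": user.group("user") if user else None,
    }


def summarize(lines, bad_password_threshold=5):
    """Count events per audit category, collect high-interest events, and list
    accounts whose bad-password failures (529) reach the threshold."""
    per_category, bad_passwords, flagged, unparsed = Counter(), Counter(), [], 0
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        for category in ev["categories"]:
            per_category[category] += 1
        if ev["event_id"] in HIGH_INTEREST:
            flagged.append((ev["host"], ev["event_id"], ev["user"]))
        if ev["event_id"] == 529 and ev["user"]:
            bad_passwords[ev["user"]] += 1
    repeated = {u: n for u, n in bad_passwords.items() if n >= bad_password_threshold}
    return {"per_category": dict(per_category), "flagged": flagged,
            "repeated_529": repeated, "unparsed": unparsed}


def format_report(summary):
    """Render the summary as plain text suitable for a daily audit report."""
    out = ["Events per audit category:"]
    out += [f"  {c:<25} {n}" for c, n in sorted(summary["per_category"].items())]
    out.append("High-interest events (host, id, user):")
    out += [f"  {h} {i} {u}" for h, i, u in summary["flagged"]]
    out.append("Accounts with repeated bad-password failures (529):")
    out += [f"  {u}: {n}" for u, n in summary["repeated_529"].items()]
    out.append(f"Unparsed lines: {summary['unparsed']}")
    return "\n".join(out)


# Constructed sample input: one host seeing password guessing followed by a
# lockout, another host whose audit log was cleared, and one non-Windows line.
SAMPLE_LINES = [
    "Jan  5 10:20:01 dc01 Security: 528 Success Audit: Successful Logon: User Name: alice Domain: CORP Logon Type: 2",
    *[f"Jan  5 10:20:{s:02d} dc01 Security: 529 Failure Audit: Logon Failure: Reason: Unknown user name or bad password User Name: bob Domain: CORP" for s in range(10, 15)],
    "Jan  5 10:21:30 dc01 Security: 539 Failure Audit: Logon Failure: Reason: Account locked out User Name: bob Domain: CORP",
    "Jan  5 10:21:31 dc01 Security: 644 Success Audit: User Account Locked Out: Target Account Name: bob Caller User Name: SYSTEM",
    "Jan  5 10:25:00 fs02 Security: 517 Success Audit: The audit log was cleared Client User Name: mallory Client Domain: CORP",
    "Jan  5 10:26:00 dc01 Security: 592 Success Audit: A new process has been created: Image File Name: C:\\WINNT\\system32\\cmd.exe User Name: alice",
    "Jan  5 10:27:00 dc01 Security: 682 Success Audit: Session reconnected to winstation: User Name: alice Domain: CORP",
    "Jan  5 10:28:00 fw01 kernel: not a Windows event at all",
]

if __name__ == "__main__":
    print(format_report(summarize(SAMPLE_LINES)))
```

The per-category counts show which audit categories are actually producing volume on each host, which is a quick way to confirm that the categories you turned on are the ones being forwarded; the high-interest list and the repeated-529 list are the parts worth reading every day, since a cleared audit log (517) or a burst of bad passwords followed by a lockout (539/644) is exactly what this auditing is enabled to catch.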
