

New Auditing in Vista

Something that is not well known about Vista: this ain't your typical auditing.

We added a HUGE amount of new system auditing to the OS.

Let's dig in and look at just one subcategory that previous OSes never even came close to providing data on.

First, how to get to the new goodies: there is no UI for this, sorry folks, it is all done from the command line with auditpol.

C:\>auditpol /get /category:*
System audit policy
Category/Subcategory                        Setting
System
  Security System Extension                 No Auditing
  System Integrity                          Success and Failure
  IPsec Driver                              No Auditing
  Other System Events                       Success and Failure
  Security State Change                     Success
Logon/Logoff
  Logon                                     Success
  Logoff                                    Success
  Account Lockout                           Success
  IPsec Main Mode                           No Auditing
  IPsec Quick Mode                          No Auditing
  IPsec Extended Mode                       No Auditing
  Special Logon                             Success
  Other Logon/Logoff Events                 No Auditing
Object Access
  File System                               No Auditing
  Registry                                  No Auditing
  Kernel Object                             No Auditing
  SAM                                       No Auditing
  Certification Services                    No Auditing
  Application Generated                     No Auditing
  Handle Manipulation                       No Auditing
  File Share                                No Auditing
  Filtering Platform Packet Drop            No Auditing
  Filtering Platform Connection             No Auditing
  Other Object Access Events                No Auditing
Privilege Use
  Sensitive Privilege Use                   No Auditing
  Non Sensitive Privilege Use               No Auditing
  Other Privilege Use Events                No Auditing
Detailed Tracking
  Process Termination                       No Auditing
  DPAPI Activity                            No Auditing
  RPC Events                                No Auditing
  Process Creation                          No Auditing
Policy Change
  Audit Policy Change                       Success
  Authentication Policy Change              Success
  Authorization Policy Change               No Auditing
  MPSSVC Rule-Level Policy Change           No Auditing
  Filtering Platform Policy Change          No Auditing
  Other Policy Change Events                No Auditing
Account Management
  User Account Management                   Success
  Computer Account Management               No Auditing
  Security Group Management                 Success
  Distribution Group Management             No Auditing
  Application Group Management              No Auditing
  Other Account Management Events           No Auditing
DS Access
  Directory Service Changes                 No Auditing
  Directory Service Replication             No Auditing
  Detailed Directory Service Replication    No Auditing
  Directory Service Access                  No Auditing
Account Logon
  Kerberos Ticket Events                    No Auditing
  Other Account Logon Events                No Auditing
  Credential Validation                     No Auditing

We will focus on DPAPI, which historically has had very limited audit exposure. For a primer see https://msdn2.microsoft.com/en-us/library/ms995355.aspx

APIs such as CryptProtectData use this system.

C:\>auditpol /set /subcategory:"DPAPI Activity" /success:enable
The command was successfully executed.

Detailed Tracking
  Process Termination                       No Auditing
  DPAPI Activity                            Success
  RPC Events                                No Auditing
  Process Creation                          No Auditing

Now we see that the DPAPI subcategory will audit for success (we could have passed /failure:enable as well).

The policy change itself is reflected in the Security event log:

System audit policy was changed.

Subject:
            Security ID: DOMAINA\Administrator
            Account Name: Administrator
            Account Domain: DOMAINA
            Logon ID: 0xfa76f

Audit Policy Change:
            Category: Detailed Tracking
            Subcategory: DPAPI Activity
            Subcategory GUID: {0CCE922D-69AE-11D9-BED3-505054503030}
            Changes: Success Added
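The enable-and-verify steps above, scripted in PowerShell as an added example (this is not code from the original post). It assumes an elevated prompt, reads the setting back with auditpol's /r switch (CSV output, easier to check than the aligned text listing), and then pulls the events that land in the Security log once the subcategory is on; the event IDs 4692 through 4695 used for that query are the documented DPAPI Activity events and are not listed in the post.

```powershell
# Added example, not from the original post. Run from an elevated
# PowerShell prompt; auditpol.exe lives in System32 and is on the PATH.
$Subcategory = 'DPAPI Activity'

function Set-DpapiAuditing {
    # Turn on both success and failure. Failures are the interesting half
    # for detection (a process that cannot unprotect a blob it has no
    # business touching), so do not stop at /success:enable.
    param([string]$Name = $Subcategory)
    auditpol /set /subcategory:"$Name" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }
}

function Get-AuditSubcategory {
    # Read the effective policy back. '/r' makes auditpol emit CSV with
    # 'Subcategory', 'Subcategory GUID' and 'Inclusion Setting' columns.
    param([string]$Name = $Subcategory)
    auditpol /get /subcategory:"$Name" /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Subcategory GUID', 'Inclusion Setting'
}

function Test-DpapiAuditingEnabled {
    # $true only when both halves are on. A partial setting usually means
    # a domain policy has rewritten the local change since it was made.
    $row = Get-AuditSubcategory
    return ($row.'Inclusion Setting' -eq 'Success and Failure')
}

function Get-DpapiAuditEvents {
    # 4692/4693: master key backup and recovery attempts;
    # 4694/4695: protect and unprotect of auditable data.
    # Assumption: these IDs are not named in the post; they are the
    # documented event IDs for the DPAPI Activity subcategory.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4692, 4693, 4694, 4695
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

Set-DpapiAuditing
if (-not (Test-DpapiAuditingEnabled)) {
    throw "DPAPI Activity is not set to 'Success and Failure'; check for a domain policy overriding the local setting."
}
Get-DpapiAuditEvents | Format-Table -AutoSize -Wrap
```

Two practical notes. Subcategory names are localized, so for scripts that run on non-English systems pass the GUID the post shows instead of the name, e.g. /subcategory:{0CCE922D-69AE-11D9-BED3-505054503030}. And on Vista a domain policy that sets the nine legacy audit categories overwrites these subcategory settings at the next policy refresh unless the SCENoApplyLegacyAuditPolicy DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Lsa is set to 1, which is why the script re-reads the policy rather than trusting that the /set succeeded.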

So let's give it a spin. I used Outlook to sign some mail, and here are the three events generated:

A cryptographic self test was performed.

Subject:
            Security ID: SYSTEM
            Account Name: VISTACRISCO$
            Account Domain: DOMAINA
            Logon ID: 0x3e7

Module: ncrypt.dll
Return Code: 0x0

Key file operation.

Subject:
            Security ID: DOMAINA\Administrator
            Account Name: Administrator
            Account Domain: DOMAINA
            Logon ID: 0xfa76f

Cryptographic Parameters:
            Provider Name: Microsoft Software Key Storage Provider
            Algorithm Name: Not Available.
            Key Name: {D9E9DA9C-7F8C-4090-A3E9-56CF76099437}
            Key Type: User key.

Key File Operation Information:
            File Path: C:\Users\Administrator.DOMAINA\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1062893845-71897300-3205605540-500\88f099cd4d91e383a07203de5a8d0a4d_79f3ab01-e697-496e-afe2-672634d9bf6a
            Operation: Read persisted key from file.
            Return Code: 0x0

Cryptographic operation.

Subject:
            Security ID: DOMAINA\Administrator
            Account Name: Administrator
            Account Domain: DOMAINA
            Logon ID: 0xfa76f

Cryptographic Parameters:
            Provider Name: Microsoft Software Key Storage Provider
            Algorithm Name: RSA
            Key Name: {D9E9DA9C-7F8C-4090-A3E9-56CF76099437}
            Key Type: User key.

Cryptographic Operation:
            Operation: Open Key.
            Return Code: 0x0
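The three events above are free text, so to do anything with them at scale you need to turn the "Label: value" lines into fields. The following PowerShell is an added example, not code from the post: it parses the message body of the key file and cryptographic operation events into objects, tries the parser on a sample built from the "Key file operation" event shown above, and then runs it over the live Security log to count key reads per account and key name.

```powershell
# Added example, not from the original post. Parses the rendered message of
# the "Key file operation" / "Cryptographic operation" audit events so that
# persisted-key usage can be summarised per account and key.

function ConvertFrom-CryptoAuditMessage {
    param([Parameter(Mandatory)][string]$Message)
    $lines  = $Message -split "`r?`n"
    $fields = @{}
    foreach ($line in $lines) {
        # Field lines look like "<indent>Label: value". Section headers such
        # as "Subject:" match with an empty value, which is harmless. The lazy
        # label match stops at the first colon, so "File Path: C:\..." keeps
        # the drive letter in the value.
        if ($line -match '^\s*([^:]+?):\s*(.*)$') {
            $fields[$Matches[1].Trim()] = $Matches[2].Trim()
        }
    }
    [pscustomobject]@{
        Title      = $lines[0].Trim()          # first line is the event title
        Account    = '{0}\{1}' -f $fields['Account Domain'], $fields['Account Name']
        LogonId    = $fields['Logon ID']
        Provider   = $fields['Provider Name']
        KeyName    = $fields['Key Name']
        KeyType    = $fields['Key Type']
        Operation  = $fields['Operation']
        FilePath   = $fields['File Path']
        ReturnCode = $fields['Return Code']
    }
}

# Sample message, constructed from the "Key file operation" event in the
# post, so the parser can be exercised without a live Security log.
$sample = @'
Key file operation.

Subject:
            Security ID: DOMAINA\Administrator
            Account Name: Administrator
            Account Domain: DOMAINA
            Logon ID: 0xfa76f

Cryptographic Parameters:
            Provider Name: Microsoft Software Key Storage Provider
            Algorithm Name: Not Available.
            Key Name: {D9E9DA9C-7F8C-4090-A3E9-56CF76099437}
            Key Type: User key.

Key File Operation Information:
            File Path: C:\Users\Administrator.DOMAINA\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1062893845-71897300-3205605540-500\88f099cd4d91e383a07203de5a8d0a4d_79f3ab01-e697-496e-afe2-672634d9bf6a
            Operation: Read persisted key from file.
            Return Code: 0x0
'@
ConvertFrom-CryptoAuditMessage $sample | Format-List

# Live use (needs an elevated prompt to read the Security log): take the last
# hour of events whose message starts with one of the two titles, parse them,
# and count operations per account, key and operation type. A burst of
# "Read persisted key from file" on one key from a logon ID you do not
# recognise is the kind of row worth a second look.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '^(Key file operation|Cryptographic operation)\.' } |
    ForEach-Object { ConvertFrom-CryptoAuditMessage $_.Message } |
    Group-Object Account, KeyName, Operation |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Matching on the message title rather than an event ID keeps the example tied to exactly what the post shows; once you know which IDs your log uses for these two messages, filtering on Id in the FilterHashtable is much cheaper than reading every Security event and regex-matching the text.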


That's just one example. Good heavens, look how long that list of subcategories is! What fun...


spatdsg

Comments

  • Anonymous
    August 13, 2007
    Thanks for the post Steve! Very helpful.