

2003 SP1 - "new" feature... Per User Auditing

I'll post a few blogs on some new SP1 items which aren't detailed in https://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx

 

There is a "new" feature in 2003 SP1 for Per User Auditing. It's not really new; it's been in there since RTM, but there was no real easy way to get at it via a GUI to configure it. There is now a command-line tool called auditusr.exe.

 

Auditusr.exe was included in XP SP2 as well, but no one really documented it.

 

It modifies the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System, with the specified SID and a REG_BINARY mask representing the inclusion/exclusion.

 

A few ground rules:

 

Administrator can be included but not excluded.

Built-in and security groups can't be included or excluded.

If a user is in both the included and excluded group, it is included.

 

 

Sample use:

 

C:\WINDOWS\system32>auditusr.exe /es  SpatsDomain\User1:"Object Access"

 

You can set the following categories:

 

System Event

Logon/Logoff

Object Access

Privilege Use

Detailed Tracking

Policy Change

Account Management

Directory Service Access

Account Logon

 

You can dump out the current settings via the /e switch:

 

Auditusr 1.0

SPATSDOMAIN\User1:exclude:success:Object Access

SPATSDOMAIN\User2:exclude:failure:Object Access

SPATSDOMAIN\Test2:exclude:success:Object Access

 

 

Check auditusr.exe /? for more info.

 

PS: Since we edit the LSA keys, I have found a reboot to be necessary to enforce the new settings. I am sure that Eric Fitzgerald can correct me if I am wrong on any points here.

 

Spat

Comments

  • Anonymous
    April 01, 2005
    The POSIX subsystem (from the Microsoft product Windows services for unix, version 3.5) seems to crash when SP1 is installed. I should probably report this through proper channel, but just happened to read your blog first :-)
  • Anonymous
    December 22, 2005
    Thanks for the information. It would be nice if Microsoft would provide a little more info on these hidden tools.
  • Anonymous
    January 03, 2006
    You mean more info on this specific tool or more info on obscure tools which don't seem to have documentation anywhere?

    spat
  • Anonymous
    March 13, 2007
    Sure it is documented!!!! Security Monitoring and Attack Detection http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/attackdetection.mspx Oh wait, the documentation misspelled the command. And oh yes, the examples that they posted don't work even if the command is spelled correctly. The joys of running windows