Windows 7's audit policy settings include object access and user logon/logoff categories, which can be tuned for your customers' environments to achieve optimal security.
Figure 6: These policy settings and their related events record attempts to log on to (or off from) a computer, whether interactively or across a network, and are useful for tracking user activity and potential attacks on network resources.
The logon/logoff categories include the following subcategories:
- Audit Account Lockout: Determines whether the OS generates audit events when a user attempts to log on to an account that has been locked out. Lockout events help admins understand user activity and spot attacks on accounts.
- Audit IPsec Extended Mode: Determines whether the OS generates audit events for Internet Key Exchange (IKE) and Authenticated Internet Protocol (AuthIP) activity during Extended Mode negotiations. This is typically enabled only when network anomalies suggest an attack may be under way.
- Audit IPsec Main Mode: This mode is the same as above, except auditing occurs during Main Mode negotiations (certificate based).
- Audit IPsec Quick Mode: Again, same as above except auditing occurs during Quick Mode negotiations (security association based).
- Audit Logoff: Determines whether the OS generates audit events when logon sessions are terminated (has no failure selection because failed logoffs do not generate audit records).
- Audit Logon: Determines whether the OS generates audit events when a user attempts to log on to a computer. In addition to logon success and failure, it records the use of explicit credentials (normally from batch operations such as scheduled tasks or the "Runas" command).
- Audit Network Policy Server: Determines whether the OS generates audit events for RADIUS and Network Access Protection (NAP) activity arising from user access requests (such as Grant, Deny, Discard, Quarantine, Lock or Unlock). This applies only when RADIUS servers and/or NAP are configured and available to network clients.
- Audit Other Logon/Logoff Events: Determines whether the OS generates audit events for other logon or logoff activity, including remote desktop connect or disconnect, workstation locked or unlocked, screen saver invoked or dismissed, a replay attack detected, or a user or computer account being granted access to a wireless network or to a wired 802.1x network.
- Audit Special Logon: Determines whether the OS generates audit events when a special logon (an account with administrator-equivalent privileges that can be used to elevate processes to higher privilege levels) is used, or when a member of a special group logs on (based on the admin assigning the group's SID for tracking).
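The subcategories above map directly onto auditpol names (which drop the "Audit" prefix). The following is an added example, not code from the original article: it applies a baseline Logon/Logoff policy, verifies it, and pulls the resulting Security-log events. It assumes an elevated PowerShell prompt on Windows 7 or later; the event IDs in the comments are the standard Security-log IDs for these subcategories.

```powershell
# Added example (not from the original article). Assumes an elevated prompt.
# Logoff has no failure setting: failed logoffs never generate events.
$logonSettings = @(
    @{ Name = 'Logon';                     Success = $true; Failure = $true  },
    @{ Name = 'Logoff';                    Success = $true; Failure = $false },
    @{ Name = 'Account Lockout';           Success = $true; Failure = $true  },
    @{ Name = 'Special Logon';             Success = $true; Failure = $false },
    @{ Name = 'Other Logon/Logoff Events'; Success = $true; Failure = $true  }
    # IPsec Main/Quick/Extended Mode and Network Policy Server are left alone:
    # enable them only when IPsec or NAP/RADIUS is actually in use.
)

function Set-LogonAuditPolicy {
    param([array]$Settings)
    foreach ($s in $Settings) {
        $succ = if ($s.Success) { 'enable' } else { 'disable' }
        $fail = if ($s.Failure) { 'enable' } else { 'disable' }
        if ($s.Name -eq 'Logoff') {
            # /failure is omitted: the subcategory has no failure selection.
            & auditpol.exe /set /subcategory:"$($s.Name)" /success:$succ | Out-Null
        } else {
            & auditpol.exe /set /subcategory:"$($s.Name)" /success:$succ /failure:$fail | Out-Null
        }
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$($s.Name)'" }
    }
}

function Get-RecentLogonEvents {
    param([int]$Max = 50)
    # 4624 logon success, 4625 logon failure (includes locked-out accounts),
    # 4634 logoff, 4648 explicit credentials (runas / scheduled task),
    # 4672 special logon (admin-equivalent privileges assigned).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4634, 4648, 4672 } -MaxEvents $Max |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Set-LogonAuditPolicy -Settings $logonSettings
# Confirm the effective policy for the whole category.
auditpol.exe /get /category:"Logon/Logoff"
Get-RecentLogonEvents -Max 20 | Format-Table -AutoSize
```

Review the 4625 and 4648 counts over time: a spike in failures against one account, or explicit-credential logons from an unexpected host, is the pattern these subcategories exist to surface.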
Audit object access
Figure 7: With so many different types of objects in the Windows environment, there are many object access subcategories for which auditing may be set. This category is used mainly to enable auditing for a whole class of objects (for example, you must enable the File System subcategory before successful or failed file system access attempts can be audited at all).
The object access subcategories are:
- Audit Application Generated: Determines whether the OS generates audit events when applications seek to use the Windows Auditing APIs, which means creating, deleting, or initializing an application client context or auditing actual application operations. This setting is used primarily to observe the behavior of non-OS auditing activity.
- Audit Certification Services: Determines whether the OS generates audit events when Active Directory Certificate Services activity occurs (see TechNet for more information).
- Audit Detailed File Share: Determines if the OS generates audit events when files or folders within a shared folder are accessed (the File Share setting only audits when a client connects to a share).
- Audit File Share: Determines whether the OS generates audit events when a client connects to a share.
- Audit File System: Determines whether the OS generates audit events when users attempt to access file system objects, but covers only objects for which system access control lists (SACLs) have been defined, and only when the type of access requested matches a SACL entry. This is generally used to track activity on sensitive or valuable file objects that require extra monitoring.
- Audit Filtering Platform Connection: Determines whether the OS generates audit events when connections are allowed or blocked by the Windows Filtering Platform or the Windows Firewall service (see TechNet for more information; numerous event codes are documented there).
- Audit Filtering Platform Packet Drop: Determines whether the OS generates audit events when the Windows Filtering Platform drops a packet (a high rate of dropped packets can indicate failed attempts to gain unauthorized access to computers on a network).
- Audit Handle Manipulation: Determines whether the OS generates audit events when an object handle is opened or closed, for objects with SACLs where the request matches a SACL entry.
- Audit Kernel Object: Determines whether the OS generates audit events when any attempt to access the system kernel occurs, including mutexes and semaphores (only kernel objects with SACLs generate audit events).
- Audit Other Object Access Events: Determines whether the OS generates audit events as Task Scheduler jobs or COM+ objects are accessed (created, updated, deleted and so forth).
- Audit Registry: Determines whether the OS generates audit events when registry objects are accessed (for registry entries with SACLs, where requests match SACL entries).
- Audit SAM: Determines whether the OS generates audit events when Security Account Manager (SAM) objects are accessed (applies primarily but not exclusively to domain controllers).
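As the File System and Handle Manipulation entries note, the policy switch alone produces nothing; an object needs a SACL whose entries match the requested access. The following added example (not code from the original article) shows both halves: enabling the File System subcategory with auditpol and attaching a SACL to one folder with Get-Acl/Set-Acl, then reading back the rules and the matching Security events. It assumes an elevated prompt; the folder path is a placeholder.

```powershell
# Added example (not from the original article). Assumes an elevated prompt.
$Folder = 'C:\SensitiveData'   # placeholder path: replace with the real folder

function Enable-FileSystemAudit {
    # Category-level switch: without this, SACLs on files produce no events.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'auditpol failed for subcategory File System' }
}

function Add-FolderAuditRule {
    param([string]$Path, [string]$Identity = 'Everyone')
    if (-not (Test-Path -Path $Path)) { throw "Folder not found: $Path" }
    # Audit only the accesses that matter for this data (write, delete and
    # permission changes), for both successful and failed attempts.
    $rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $rights, $inherit, $prop, $flags)
    # -Audit makes Get-Acl read the SACL (not just the DACL) so Set-Acl can write it back.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Return the effective audit rules so the change can be verified.
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

function Get-FolderAccessEvents {
    param([string]$Path, [int]$Max = 50)
    # 4656 = handle to an object requested (success or failure),
    # 4663 = an attempt was made to access an object (the access itself).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$Path*" } |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

Enable-FileSystemAudit
Add-FolderAuditRule -Path $Folder | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
Get-FolderAccessEvents -Path $Folder -Max 20 | Format-Table -AutoSize
```

Keep the SACL narrow: auditing ReadData on a busy share floods the Security log and buries the delete and permission-change events you actually care about.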
About the author:
Ed Tittel is a full-time freelance writer and consultant who works in many areas of Windows security. Look for the revision of his Computer Forensics JumpStart, 2nd Edition (Sybex, 2011, with Neil Broom, Mike Chappell, K Rudolph, and Diane Barrett) to appear in the first quarter of 2011.