Rounding out a series of tips on Windows 7 audit policies, this tip discusses settings for auditing Windows 7 security policies, configure user privileges, and system-level audit changes not permitted in other categories.
Figure 8: This category enables auditing of changes to important security policies on individual systems or a domain controller, where unexpected or unauthorized changes are serious cause for alarm. This falls into the "watching the watchers" category.
The subcategories for Policy Change include:
- Audit Audit Policy Change: Audits changes to the audit policy itself, including permissions and audit settings, changes to the system audit policy, registration or de-registration of security event sources, changes to per-user audit settings, changes to the value of CrashAuditFail and changes to audit setting on objects.
- Audit Authentication Policy Change: Determines whether the OS generates audit events when authentication policy changes are made, such as creation, modification or removal of forest and domain trusts, changes to Kerberos polic. Also grants various rights to users or groups (access computer from network, allow logon locally, allow logon through Remote Desktop, logon as batch job and logon as service) and as namespace collisions occur.
- Audit Authorization Policy Change: Determines whether the OS generates audit events when assigning or removing user rights to the SeCreateTokenPrivilege, and changing the Encrypting File System policy.
- Audit Filtering Platform Policy Change: Determines whether the OS generates audit events for IPsec services status, changes to IPsec settings, status and changes to the Windows Filterting Platform engine and providers and IPsec Policy Agent activities.
- Audit MPSSVC Rule-Level Policy Change: The Microsoft Protection Service setting determines whether the OS generates audit events when changes are applied to policy rules for this service (used by the Windows Firewall). Activities tracked include policies active when the Windows Firewall service starts, changes to Windows Firewall rules, exception list, and settings, rules ignored or not applied and changes to Windows Firewall Group Policy settings.
- Audit Other Policy Change Events: Determines whether the OS generates audit events for items not otherwise covered in the Policy Change category, such as TPM (Trusted Platform Module) configuration changes, kernel-mode cryptographic self-tests, cryptographic provider operations and cryptographic context operations or modifications.
Figure 9: Because privileges are granted to users or computers to complete defined tasks, this category permits use of certain privileges on one or more systems to be audited.
The Privilege Use category includes the following subcategories:
- Audit Non-Sensitive Privilege Use: Determines whether the OS generates audit events when non-sensitive privileges (user rights) are used. These include numerous items documented in the TechNet reference under this specific entry.
- Audit Sensitive Privilege Use: Determines whether the OS generates audit events when sensitive privileges are used. Some examples include: Act as part of the OS, Back up files and directories, Create a token object and Debug programs (for a complete list see the TechNet reference).
- Audit Other Privilege Use Events: This is unused, so it's not documented.
Figure 10: The System category permits system-level changes with potential security implications not covered in other categories to be tracked.
The System category includes the following subcategories:
- Audit IPsec Driver: This audits the IPsec driver to report on startup and shutdown of IPsec services, packets dropped because of integrity or replay check failure, packets dropped because they're in plaintext, packets received with an incorrect Security Parameter Index and failures to process IPsec filters.
- Audit Other System Events: This audits a mixed bag of events, including startup and shutdown of the Windows Firewall service and driver, security policy processing in the Windows Firewall service and cryptography key file and migration operations.
- Audit Security State Change: Determines whether the OS generates audit events when a system's security state changes, including system startup and shutdown, changes to system time and system recovery from CrashOnAuditFail.
- Audit Security System Extension: Tracks activities related to security system extensions that register with the local security authority in Windows, such as when they are installed or loaded. These can indicate serious attempts to breach system security, and must be taken very seriously.
- Audit System Integrity: Determines whether the OS generates audit events when the integrity of the security subsystem may have been violated, including the following events: audited events lost owing to a failure of the auditing system; a process uses an invalid local procedure call to impersonate a client, reply to a client address space, or read from or write to a client address space, an RPC integrity violation is detected, a code violation with an invalid hash for an executable file is detected or when cryptographic tasks are performed.
Global object access auditing
Figure 11: These policy settings enable administrators to define computer system access control lists (SACLs) per object type for the file system and the registry. Any specified system access control list (SACL) is automatically applied to every object of the matching type. This enables auditors to determine that every resource in a system is protecting by an audit policy by viewing these settings.
The Global object access category includes only two subcategories, but they cover a huge majority of what's on any Windows system:
- File System: Enables administrators to configure a global SACL on the file system for an entire computer. If both a file and folder SACL are defined, the effective SACL may be determined by combining the file or folder SACL and the global SACL, where an audit event is generated if an activity matches any of the file, folder or global SACL.
- Registry: Enabled administrators to configure a global SACL on the registry for a computer, where selecting the Configure security checkbox lets admins add a user or a group to the global SACL. Must be used in tandem with the Registry security policy setting under object access.
The revised, expanded and enhanced auditing controls in Windows 7 and Windows Server 2008 R2 permit much tighter granularity of auditing, and much-improved protection for system integrity and security. The time you spend exploring and learning these various settings will be repaid with tighter but less intrusive system security.
Ed Tittel is a full-time freelance writer and consultant who works in many areas of Windows security. Look for the revision of his Computer Forensics JumpStart, 2nd Edition (Sybex, 2011, with Neil Broom, Mike Chappell, K Rudolph, and Diane Barrett) to appear in the first quarter of 2011.
This was first published in January 2011