Auditing system time changes

Guest

I need to audit failed attempts to change the system time. I'm running XP
Pro (SP2) in a standalone situation. I have failure auditing of system
events and of privilege use. I don't get a 520 event failure or a 577
SeSystemTimePrivilege failure in the Security Log when unprivileged users try
to change the system time.

If I turn on success auditing on these two categories, privileged users do
generate success audit entries for these two event IDs.

Any help would be greatly appreciated...
 
Wesley Vogel

Failed attempts to change the system time may show up as Success 520.

Success 520 shows The system time was changed when you double click the
clock and then close Date and Time Properties without changing anything
whatsoever.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Guest

I have seen that behavior, but my problem here is that non-privileged users
are denied permission from opening the Date and Time Properties. I also
tried using the DOS time command and also wrote a short C++ program that
called SetSystemTime(). None of these attempts to change the time are
successful for non-privileged users, but none of the attempts are logged as
Failures in the Security Log, either.

I'm desperate for an answer (even an "it won't work" if there is some
documentation from MS)...

Thanks
 
Wesley Vogel

Local Computer Policy\Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy\
Audit privilege use

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User

Guest

Wes,

Unfortunately, I'm already auditing privilege use. I've played around a
little with an older Win2k system and have noticed that the pattern of
privilege requests is different. (I realize that Win2k does not have 520
events). Win2k does log failed attempts as 577 failures for
SeIncreaseBasePriority and SeSystemtimePrivilege (and successes follow the same
pattern), where WinXP does not have any failures at all in the audit log.
The success pattern for WinXP is 577 SeSystemtimePrivilege, 520 System Time
has changed.

So I'm still stuck...
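
The event patterns described in this thread (a 577 failure for SeSystemtimePrivilege on Win2k; a 577 success followed by a 520 on WinXP) can be sorted out of an exported Security log with a short script. This is an added example, not code from any poster in the thread; the record layout, the 5-second pairing window and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

TIME_PRIV = "SeSystemtimePrivilege"

# Constructed sample records (not from the thread), assumed layout:
# (timestamp, event ID, audit type, user, privilege named in the 577 event)
SAMPLE = [
    ("2006-03-01 10:00:00", 577, "Success", "admin", TIME_PRIV),
    ("2006-03-01 10:00:01", 520, "Success", "admin", None),
    ("2006-03-01 10:05:00", 577, "Failure", "user1", TIME_PRIV),
    ("2006-03-01 10:07:00", 520, "Success", "admin", None),
    ("2006-03-01 10:09:00", 577, "Success", "admin", "SeIncreaseBasePriorityPrivilege"),
]

def parse(rec):
    ts, event_id, audit, user, priv = rec
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, audit, user, priv

def classify(records, window=timedelta(seconds=5)):
    """Split time-change audit events into three buckets.

    changed      - 520 preceded by a successful 577 for the time privilege
                   from the same user within `window`
    denied       - 577 Failure for the time privilege
    unpaired_520 - 520 with no matching 577 success; needs manual review
    """
    out = {"changed": [], "denied": [], "unpaired_520": []}
    pending = {}  # user -> time of last successful 577 for the time privilege
    for ts, event_id, audit, user, priv in sorted(
        (parse(r) for r in records), key=lambda r: r[0]
    ):
        if event_id == 577 and priv == TIME_PRIV:
            if audit == "Failure":
                out["denied"].append((user, ts))
            else:
                pending[user] = ts
        elif event_id == 520:
            used = pending.pop(user, None)
            if used is not None and ts - used <= window:
                out["changed"].append((user, ts))
            else:
                out["unpaired_520"].append((user, ts))
    return out

if __name__ == "__main__":
    for bucket, hits in classify(SAMPLE).items():
        print(bucket, [(u, t.isoformat()) for u, t in hits])
```

An empty `denied` bucket on a log where unprivileged users are known to have tried to change the time matches the XP behaviour reported above.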
 
