Audit Policy



I was taking a look at my event logs and noticed that the security log
contains tons of 576 and 578 events for Privilege Use. In our group policy
I have it set to overwrite events as needed, which presents a problem with so
many events being logged. The maximum log size is set to 1024 kb. Events
overwrite each other before the end of a day. What is Privilege Use? My
thought is that I should change our Audit policy to audit only failures. I
went into Group Policy and changed the audit settings for Audit object access
to failure instead of success, failure. I thought this would fix the
problem. What audit policy setting will determine success, failure audit for
privilege use?

Roger Abell [MVP]

First, your maximum log size is too large. With W2k3 and prior there
is a hard limit on the usable quantity of a specific heap in the system,
which is shared for a number of purposes. The current Microsoft
recommendation is that the sum of all event logs be no more than
something in the 300 to 400 meg range.

That said, you have too much enabled for logging if you are having
a gig roll off within the day, or you have a very large environment
perhaps with too few DCs.
Object access is for such as NTFS auditing and only cuts a record
if enabled and access is made to an object where an audit SACL
has been set for the type and origin of the access.
Privilege Use triggers a record when a user token is loaded with
user privilege flags that are "above" the normal.
Try getting the security and hardening guides which explain audit
settings and suggest what may work for different environments.
What you need depends on many things, including your compliance
constraints, corp policy, etc. Keep in mind that there is an impact
from excessive event logging.

Steven L Umbach

Well said but the size of his log may be too small at 1024 kb. 20MB may be a
good start. To the OP you may want to record successful logging for logon
events and/or account logon events to track user usage. Where you configure
those settings depends on the computer. For domain controllers for instance
you want to configure auditing in Domain Controller Security Policy. For
domain controllers you may want to only audit logon events for failure but
audit success and failure for account logon events. On a domain controller
access to the sysvol share will record an enormous amount of logon
events. --- Steve

Roger Abell [MVP]

Doh ! ! ! !
Thanks Steve, I just read right on through the KB as MB, I guess as I only
saw the 1024 and knew it would be megs !!!

Vincent Xu [MSFT]

Hi George,

Based on my knowledge, if you define this policy setting, you can specify
whether to audit successes, audit failures, or not audit the event type at
all. Success audits generate an audit entry when the exercise of a user
right succeeds. Failure audits generate an audit entry when the exercise of
a user right fails.

May include:

Bypass traverse checking
Debug programs
Create a token object
Replace process level token
Generate security audits
Back up files and directories
Restore files and directories


Best regards,

Vincent Xu
Microsoft Online Partner Support

Get Secure! -
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from this issue.
This posting is provided "AS IS" with no warranties, and confers no rights.
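
To put numbers on the problem discussed in this thread, the following added example (not part of any poster's message) tallies an exported Security log by event ID and estimates how long a log of a given maximum size lasts before "overwrite as needed" discards records, with and without the 576/578 success audits. The CSV column names, the sample rows and the 256-byte average record size are assumptions made for illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample: Security log exported to CSV (column names are assumptions).
SAMPLE = """TimeGenerated,EventID,Type
2006-03-01 08:00:00,576,Success Audit
2006-03-01 08:05:00,578,Success Audit
2006-03-01 08:10:00,528,Success Audit
2006-03-01 08:15:00,576,Success Audit
2006-03-01 08:20:00,578,Success Audit
2006-03-01 08:30:00,578,Success Audit
2006-03-01 08:40:00,529,Failure Audit
2006-03-01 08:45:00,576,Success Audit
2006-03-01 08:50:00,578,Success Audit
2006-03-01 09:00:00,538,Success Audit
"""

PRIVILEGE_USE_IDS = {576, 578}  # the two event IDs named in the thread

def load(csv_text):
    """Parse the export into (timestamp, event_id, audit_type) tuples."""
    return [(datetime.strptime(r["TimeGenerated"], "%Y-%m-%d %H:%M:%S"),
             int(r["EventID"]), r["Type"])
            for r in csv.DictReader(io.StringIO(csv_text))]

def tally(rows):
    """Count records per event ID to see which events fill the log."""
    return Counter(event_id for _, event_id, _ in rows)

def retention_hours(rows, max_log_kb, avg_record_bytes, drop=lambda row: False):
    """Hours until overwrite at the sampled rate, ignoring rows where drop(row) is true."""
    times = [t for t, _, _ in rows]
    span_h = (max(times) - min(times)).total_seconds() / 3600
    kept = sum(1 for row in rows if not drop(row))
    if span_h <= 0 or kept == 0:
        raise ValueError("need events spread over a non-zero time span")
    capacity = max_log_kb * 1024 / avg_record_bytes  # records that fit in the log
    return capacity / (kept / span_h)

def is_privilege_success(row):
    return row[1] in PRIVILEGE_USE_IDS and row[2] == "Success Audit"

if __name__ == "__main__":
    rows = load(SAMPLE)
    print(tally(rows).most_common())
    # 256 bytes per record is an assumed figure; measure your own log.
    print(retention_hours(rows, 1024, 256, drop=is_privilege_success))
```

Run it against an export covering a representative period; the ratio between the two retention estimates shows how much of the log turnover comes from Privilege Use success audits.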

