jcorey (Posts: 2) | 07/29/2010 6:18 PM
Hmm, I don’t recall seeing that behavior before, but the other alternative is to place your audit settings in their own GPOs and use WMI filtering to have the legacy policies apply to Server 2003, startup scripts (or just manually) for Server 2008, and use group policy for your Server 2008 R2 machines. R2/W7 now supports subcategories as long as you’re using R2/W7 to edit the GPO.
-Joe C
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, July 29, 2010 12:23 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Audit Changes for Windows 2008 R2 system not sticking
I put it at 1 also. Verified in the registry.
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings (set to Enabled, and it shows 0x1 for the value of the registry entry accordingly).
I elevate to an administrator’s command prompt and run the following:
C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events No Auditing
Kerberos Authentication Service No Auditing
Credential Validation No Auditing
OK, we have no auditing. Also nothing is set in the Local Group Policy GUI.
I run the following settings (under Account Logon):
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
Then run auditpol /get /category:* again:
C:\Windows\system32>auditpol /get /category:*
System audit policy
Category/Subcategory Setting
System
Security System Extension No Auditing
System Integrity No Auditing
IPsec Driver No Auditing
Other System Events No Auditing
Security State Change No Auditing
Logon/Logoff
Logon No Auditing
Logoff No Auditing
Account Lockout No Auditing
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon No Auditing
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use No Auditing
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change No Auditing
Authentication Policy Change No Auditing
Authorization Policy Change No Auditing
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management No Auditing
Computer Account Management No Auditing
Security Group Management No Auditing
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events Success and Failure (shows it took)
Kerberos Authentication Service No Auditing
Credential Validation Success and Failure (shows it took)
Now, with the setting for SCENoApplyLegacyAuditPolicy set to 1, when I run a gpupdate /force (to refresh the local group policy User and Computer sections) the settings I put in the subcategories should stay correct?
I run a gpupdate logged on with my domain credentials (I did it with a local admin account, no difference) and the following happens:
System audit policy was changed.
Subject:
Security ID: SYSTEM
Account Name: RIFILE04X$
Account Domain: Domain
Logon ID: 0x3e7
Audit Policy Change:
Category: Account Logon
Subcategory: Credential Validation
Subcategory GUID: {0cce923f-69ae-11d9-bed3-505054503030}
Changes: Success removed, Failure removed
(it removes the settings I just explicitly put in the darn policy accordingly)
Looks like a bug to me, or functionality that doesn’t work as advertised…
Any other ideas?
Z
Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email: eziots@lifespan.org
Cell: 401-639-3505
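A check for the reversion Ed describes, as an added example that is not part of the thread: it parses two saved auditpol /get /category:* listings (captured before and after gpupdate) and reports the subcategories that came back weaker, so the loss shows up without reading the whole listing by eye. The two snapshots below are constructed from the listing format used in this thread.

```python
import re

# Settings auditpol prints per subcategory; longest first so the regex prefers it.
SETTINGS = ("Success and Failure", "Success", "Failure", "No Auditing")
_ROW = re.compile(r"^(?P<name>.+?)\s+(?P<setting>"
                  + "|".join(re.escape(s) for s in SETTINGS) + r")$")


def parse_auditpol(text):
    """Parse 'auditpol /get /category:*' output into {(category, subcategory): setting}.
    A line ending in a known setting is a subcategory; any other non-header line
    starts a new category (auditpol indents subcategories, but we do not rely on it)."""
    policy, category = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        m = _ROW.match(line)
        if m:
            policy[(category, m.group("name"))] = m.group("setting")
        else:
            category = line
    return policy


def reverted(before, after):
    """Subcategories whose setting changed between the snapshots, keyed to (old, new).
    A subcategory missing from the 'after' snapshot is treated as 'No Auditing'."""
    return {key: (old, after.get(key, "No Auditing"))
            for key, old in before.items() if old != after.get(key, "No Auditing")}


# Constructed snapshots (two categories only) in the listing format from this thread.
BEFORE = """System audit policy
Category/Subcategory                      Setting
Privilege Use
  Sensitive Privilege Use                 Failure
  Non Sensitive Privilege Use             Failure
  Other Privilege Use Events              No Auditing
Account Logon
  Kerberos Service Ticket Operations      No Auditing
  Other Account Logon Events              Success and Failure
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success and Failure
"""
AFTER = BEFORE.replace("Success and Failure", "No Auditing")  # what the refresh left behind

if __name__ == "__main__":
    changes = reverted(parse_auditpol(BEFORE), parse_auditpol(AFTER))
    for (cat, sub), (old, new) in sorted(changes.items()):
        print(f"{cat} / {sub}: {old} -> {new}")
```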
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of David Loder
Sent: Thursday, July 29, 2010 11:59 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Audit Changes for Windows 2008 R2 system not sticking
The KB procedure is written backwards from what you want.
SCENoApplyLegacyAuditPolicy needs to be 1.
-- http://dloder.blogspot.com --
--- On Thu, 7/29/10, Ziots, Edward <EZiots@Lifespan.org> wrote:
From: Ziots, Edward <EZiots@Lifespan.org>
Subject: RE: [ActiveDir] Scripting Audit Changes for Windows 2008 R2 system not sticking
To: activedir@mail.activedir.org
Date: Thursday, July 29, 2010, 11:52 AM
I just tried setting the audit setting in the local GPO; it didn’t take (looked at the RSOP accordingly). And the registry setting accordingly: it took but isn’t working.
C:\Windows\system32>reg query HKLM\SYSTEM\CurrentControlset\Control\LSA
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control\LSA
auditbaseobjects REG_DWORD 0x0
auditbasedirectories REG_DWORD 0x0
crashonauditfail REG_DWORD 0x0
fullprivilegeauditing REG_BINARY 00
Bounds REG_BINARY 0030000000200000
LimitBlankPasswordUse REG_DWORD 0x1
NoLmHash REG_DWORD 0x1
Notification Packages REG_MULTI_SZ scecli\0rassfm
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u
Authentication Packages REG_MULTI_SZ msv1_0
LsaPid REG_DWORD 0x1f4
SecureBoot REG_DWORD 0x1
ProductType REG_DWORD 0x7
disabledomaincreds REG_DWORD 0x0
everyoneincludesanonymous REG_DWORD 0x0
forceguest REG_DWORD 0x0
restrictanonymous REG_DWORD 0x0
restrictanonymoussam REG_DWORD 0x1
SCENoApplyLegacyAuditPolicy REG_DWORD 0x0
I ran the following audit script accordingly.
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:disable /failure:disable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:disable /failure:disable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:disable /failure:disable
auditpol /set /subcategory:"Distribution Group Management" /success:disable /failure:disable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Directory Service Access" /success:disable /failure:disable
auditpol /set /subcategory:"Directory Service Changes" /success:disable /failure:disable
auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:disable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:enable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"Other System Events" /success:enable /failure:enable
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
As you can see it took:
System audit policy
Category/Subcategory Setting
System
Security System Extension Success and Failure
System Integrity Success and Failure
IPsec Driver No Auditing
Other System Events Success and Failure
Security State Change Success and Failure
Logon/Logoff
Logon Success and Failure
Logoff Success and Failure
Account Lockout Success and Failure
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success and Failure
Other Logon/Logoff Events Success and Failure
Network Policy Server No Auditing
Object Access
File System Success and Failure
Registry Success and Failure
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share No Auditing
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events No Auditing
Detailed File Share No Auditing
Privilege Use
Sensitive Privilege Use Failure
Non Sensitive Privilege Use Failure
Other Privilege Use Events No Auditing
Detailed Tracking
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Process Creation No Auditing
Policy Change
Audit Policy Change Success and Failure
Authentication Policy Change Success and Failure
Authorization Policy Change Success and Failure
MPSSVC Rule-Level Policy Change No Auditing
Filtering Platform Policy Change No Auditing
Other Policy Change Events No Auditing
Account Management
User Account Management Success and Failure
Computer Account Management No Auditing
Security Group Management Success and Failure
Distribution Group Management No Auditing
Application Group Management No Auditing
Other Account Management Events No Auditing
DS Access
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Directory Service Access No Auditing
Account Logon
Kerberos Service Ticket Operations No Auditing
Other Account Logon Events Success and Failure
Kerberos Authentication Service No Auditing
Credential Validation Success and Failure
Run a gpupdate and bam, it’s back to no auditing…
Any other ideas?
EZ
Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:eziots@lifespan.org
Cell:401-639-3505
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Joe Corey
Sent: Thursday, July 29, 2010 11:08 AM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] Scripting Audit Changes for Windows 2008 R2 system not sticking
I imagine it’s because of the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" GPO option not being set.
http://support.microsoft.com/kb/921468
http://support.microsoft.com/kb/921469
Joe Corey
jcorey@cmu.edu
Windows Services Team Lead
From: activedir-owner@mail.activedir.org [mailto:activedir-owner@mail.activedir.org] On Behalf Of Ziots, Edward
Sent: Thursday, July 29, 2010 10:51 AM
To: activedir@mail.activedir.org
Subject: [ActiveDir] Scripting Audit Changes for Windows 2008 R2 system not sticking
To the list,
I have a Windows 2003 R2 FFL/DFL domain, and I am adding Windows 2008 R2 systems into the mix.
I have a GPO created in Windows 2003 that sets the server audit policy accordingly, and enables for success/failure the items I want to address. This works just fine for my servers and the audit policy takes (it’s set to no override, and no other policy that applies to this OU has the audit policy set, therefore these settings are the only ones accordingly to take).
Here is where the weirdness starts.
I wrote a script via auditpol to configure the subcategories accordingly. Tested it and it works fine (I do an auditpol /get /category:* and it shows everything I configured). Note when I run secpol.msc and look at the audit-policy settings they are grayed out, not settable, and say not-defined (I am assuming because my server-audit policy is overriding them).
When I run a gpupdate /target:Computer /force at the computer, all the settings from the auditpol script are removed (which I don’t want).
If I set the settings via Advanced Audit Policy Configuration\System Audit Policies (Local Group Policy Object)\(pick any subcategory) and then do an auditpol /get /category:*, I see the subcategory and its settings. I run the gpupdate /target:computer /force (it still shows the subcategories I set via the GUI).
So any ideas on how to make this stick with the auditpol script and show up in the GUI, and not be ripped out via a GPO update accordingly?
Thanks in advance,
EZ
Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:eziots@lifespan.org
Cell:401-639-3505