deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 21:37:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

updates, evt 4703, per item 7632971

Browse Source
This commit is contained in:
JanKeller1 2016-06-16 16:29:09 -07:00
parent 769c41474d
commit 2365e11f25
2 changed files with 9 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
windows/keep-secure/audit-authorization-policy-change.md
View File

@ -20,9 +20,9 @@ Audit Authorization Policy Change allows you to audit assignment and removal of
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments | | Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Domain Controller | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Member Server | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. | | Workstation | IF | No | IF | No | IF With Success auditing for this subcategory, you can get information related to changes in user rights policies, or changes of resource attributes or Central Access Policy applied to file system objects.<br>However, if you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, we do not recommend Success auditing because of the high volume of event “[4703](event-4703.md)(S): A user right was adjusted” that may be generated. As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from **svchost.exe**).<br>If one of your applications or services is generating a large number of 4703 events, you might find that your event-management software has filtering logic that can automatically discard the recurring events, which would make it easier to work with Success auditing for this category.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:** **Events List:**
@ -38,5 +38,5 @@ Audit Authorization Policy Change allows you to audit assignment and removal of
- [4913](event-4913.md)(S): Central Access Policy on the object was changed. - [4913](event-4913.md)(S): Central Access Policy on the object was changed.
**Event volume**: Medium. **Event volume**: Medium to High.

7
windows/keep-secure/event-4703.md
View File

@ -21,7 +21,7 @@ author: Mir0sh
***Event Description:*** ***Event Description:***
This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific accounts token. This event generates when [token privileges](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446619(v=vs.85).aspx) were enabled or disabled for a specific accounts token. As of Windows 10, event 4703 is also logged by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory (Audit Authorization Policy Change), or work with a very high volume of event 4703.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. > **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
@ -180,6 +180,10 @@ Token privileges provide the ability to take certain system-level actions that y
For 4703(S): A user right was adjusted. For 4703(S): A user right was adjusted.
As of Windows 10, event 4703 is generated by applications or services that dynamically adjust token privileges. An example of such an application is System Center Configuration Manager, which makes WMI queries at recurring intervals and quickly generates a large number of 4703 events (with the WMI activity listed as coming from svchost.exe). If you are using an application or system service that makes changes to system privileges through the AdjustPrivilegesToken API, you might need to disable Success auditing for this subcategory, [Audit Authorization Policy Change](audit-authorization-policy-change.md), or work with a very high volume of event 4703.
Otherwise, see the recommendations in the following table.
| **Type of monitoring required** | **Recommendation** | | **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| |-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. | | **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
@ -191,4 +195,3 @@ For 4703(S): A user right was adjusted.
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. | | **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should perform only limited actions, or no actions at all. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. <br>Also check **“Target Account\\Security ID”** to see whether the change in privileges should be made on that computer for that account. |
| **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.<br>For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. | | **User rights that should be restricted or monitored**: You might have a list of user rights that you want to restrict or monitor. | Monitor this event and compare the **“Enabled Privileges”** to your list of user rights. Trigger an alert for user rights that should not be enabled, especially on high-value servers or other computers.<br>For example, you might have **SeDebugPrivilege** on a list of user rights to be restricted. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. | | **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. |