deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fixing merge conflicts

Browse Source
This commit is contained in:
Brian Lich
2016-06-02 15:19:58 -07:00
parent 41aa33c7c2 6db675a76f
commit 5e5d121d83
527 changed files with 31450 additions and 1691 deletions
Download Patch File Download Diff File Expand all files Collapse all files

285
windows/keep-secure/TOC.md
View File

@ -162,63 +162,326 @@
###### [Monitor claim types](monitor-claim-types.md)
##### [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
###### [Audit Credential Validation](audit-credential-validation.md)
###### [Audit Kerberos Authentication Service ](audit-kerberos-authentication-service.md)
####### [Event 4774 S: An account was mapped for logon.](event-4774.md)
####### [Event 4775 F: An account could not be mapped for logon.](event-4775.md)
####### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](event-4776.md)
####### [Event 4777 F: The domain controller failed to validate the credentials for an account.](event-4777.md)
###### [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
####### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](event-4768.md)
####### [Event 4771 F: Kerberos pre-authentication failed.](event-4771.md)
####### [Event 4772 F: A Kerberos authentication ticket request failed.](event-4772.md)
###### [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md)
###### [Audit Other Account Logon Events ](audit-other-account-logon-events.md)
####### [Event 4769 S, F: A Kerberos service ticket was requested.](event-4769.md)
####### [Event 4770 S: A Kerberos service ticket was renewed.](event-4770.md)
####### [Event 4773 F: A Kerberos service ticket request failed.](event-4773.md)
###### [Audit Other Account Logon Events](audit-other-account-logon-events.md)
###### [Audit Application Group Management](audit-application-group-management.md)
###### [Audit Computer Account Management](audit-computer-account-management.md)
####### [Event 4741 S: A computer account was created.](event-4741.md)
####### [Event 4742 S: A computer account was changed.](event-4742.md)
####### [Event 4743 S: A computer account was deleted.](event-4743.md)
###### [Audit Distribution Group Management](audit-distribution-group-management.md)
####### [Event 4749 S: A security-disabled global group was created.](event-4749.md)
####### [Event 4750 S: A security-disabled global group was changed.](event-4750.md)
####### [Event 4751 S: A member was added to a security-disabled global group.](event-4751.md)
####### [Event 4752 S: A member was removed from a security-disabled global group.](event-4752.md)
####### [Event 4753 S: A security-disabled global group was deleted.](event-4753.md)
###### [Audit Other Account Management Events](audit-other-account-management-events.md)
####### [Event 4782 S: The password hash an account was accessed.](event-4782.md)
####### [Event 4793 S: The Password Policy Checking API was called.](event-4793.md)
###### [Audit Security Group Management](audit-security-group-management.md)
####### [Event 4731 S: A security-enabled local group was created.](event-4731.md)
####### [Event 4732 S: A member was added to a security-enabled local group.](event-4732.md)
####### [Event 4733 S: A member was removed from a security-enabled local group.](event-4733.md)
####### [Event 4734 S: A security-enabled local group was deleted.](event-4734.md)
####### [Event 4735 S: A security-enabled local group was changed.](event-4735.md)
####### [Event 4764 S: A groups type was changed.](event-4764.md)
####### [Event 4799 S: A security-enabled local group membership was enumerated.](event-4799.md)
###### [Audit User Account Management](audit-user-account-management.md)
####### [Event 4720 S: A user account was created.](event-4720.md)
####### [Event 4722 S: A user account was enabled.](event-4722.md)
####### [Event 4723 S, F: An attempt was made to change an account's password.](event-4723.md)
####### [Event 4724 S, F: An attempt was made to reset an account's password.](event-4724.md)
####### [Event 4725 S: A user account was disabled.](event-4725.md)
####### [Event 4726 S: A user account was deleted.](event-4726.md)
####### [Event 4738 S: A user account was changed.](event-4738.md)
####### [Event 4740 S: A user account was locked out.](event-4740.md)
####### [Event 4765 S: SID History was added to an account.](event-4765.md)
####### [Event 4766 F: An attempt to add SID History to an account failed.](event-4766.md)
####### [Event 4767 S: A user account was unlocked.](event-4767.md)
####### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](event-4780.md)
####### [Event 4781 S: The name of an account was changed.](event-4781.md)
####### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](event-4794.md)
####### [Event 4798 S: A user's local group membership was enumerated.](event-4798.md)
####### [Event 5376 S: Credential Manager credentials were backed up.](event-5376.md)
####### [Event 5377 S: Credential Manager credentials were restored from a backup.](event-5377.md)
###### [Audit DPAPI Activity](audit-dpapi-activity.md)
####### [Event 4692 S, F: Backup of data protection master key was attempted.](event-4692.md)
####### [Event 4693 S, F: Recovery of data protection master key was attempted.](event-4693.md)
####### [Event 4694 S, F: Protection of auditable protected data was attempted.](event-4694.md)
####### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](event-4695.md)
###### [Audit PNP Activity](audit-pnp-activity.md)
####### [Event 6416 S: A new external device was recognized by the System.](event-6416.md)
####### [Event 6419 S: A request was made to disable a device.](event-6419.md)
####### [Event 6420 S: A device was disabled.](event-6420.md)
####### [Event 6421 S: A request was made to enable a device.](event-6421.md)
####### [Event 6422 S: A device was enabled.](event-6422.md)
####### [Event 6423 S: The installation of this device is forbidden by system policy.](event-6423.md)
####### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](event-6424.md)
###### [Audit Process Creation](audit-process-creation.md)
###### [Audit Process Termination ](audit-process-termination.md)
####### [Event 4688 S: A new process has been created.](event-4688.md)
####### [Event 4696 S: A primary token was assigned to process.](event-4696.md)
###### [Audit Process Termination](audit-process-termination.md)
####### [Event 4689 S: A process has exited.](event-4689.md)
###### [Audit RPC Events](audit-rpc-events.md)
####### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](event-5712.md)
###### [Audit Detailed Directory Service Replication](audit-detailed-directory-service-replication.md)
####### [Event 4928 S, F: An Active Directory replica source naming context was established.](event-4928.md)
####### [Event 4929 S, F: An Active Directory replica source naming context was removed.](event-4929.md)
####### [Event 4930 S, F: An Active Directory replica source naming context was modified.](event-4930.md)
####### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](event-4931.md)
####### [Event 4934 S: Attributes of an Active Directory object were replicated.](event-4934.md)
####### [Event 4935 F: Replication failure begins.](event-4935.md)
####### [Event 4936 S: Replication failure ends.](event-4936.md)
####### [Event 4937 S: A lingering object was removed from a replica.](event-4937.md)
###### [Audit Directory Service Access](audit-directory-service-access.md)
####### [Event 4662 S, F: An operation was performed on an object.](event-4662.md)
####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md)
###### [Audit Directory Service Changes](audit-directory-service-changes.md)
####### [Event 5136 S: A directory service object was modified.](event-5136.md)
####### [Event 5137 S: A directory service object was created.](event-5137.md)
####### [Event 5138 S: A directory service object was undeleted.](event-5138.md)
####### [Event 5139 S: A directory service object was moved.](event-5139.md)
####### [Event 5141 S: A directory service object was deleted.](event-5141.md)
###### [Audit Directory Service Replication](audit-directory-service-replication.md)
###### [Audit Account Lockout ](audit-account-lockout.md)
####### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](event-4932.md)
####### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](event-4933.md)
###### [Audit Account Lockout](audit-account-lockout.md)
####### [Event 4625 F: An account failed to log on.](event-4625.md)
###### [Audit User/Device Claims](audit-user-device-claims.md)
####### [Event 4626 S: User/Device claims information.](event-4626.md)
###### [Audit Group Membership](audit-group-membership.md)
####### [Event 4627 S: Group membership information.](event-4627.md)
###### [Audit IPsec Extended Mode](audit-ipsec-extended-mode.md)
###### [Audit IPsec Main Mode](audit-ipsec-main-mode.md)
###### [Audit IPsec Quick Mode](audit-ipsec-quick-mode.md)
###### [Audit Logoff](audit-logoff.md)
####### [Event 4634 S: An account was logged off.](event-4634.md)
####### [Event 4647 S: User initiated logoff.](event-4647.md)
###### [Audit Logon](audit-logon.md)
####### [Event 4624 S: An account was successfully logged on.](event-4624.md)
####### [Event 4625 F: An account failed to log on.](event-4625.md)
####### [Event 4648 S: A logon was attempted using explicit credentials.](event-4648.md)
####### [Event 4675 S: SIDs were filtered.](event-4675.md)
###### [Audit Network Policy Server](audit-network-policy-server.md)
###### [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
####### [Event 4649 S: A replay attack was detected.](event-4649.md)
####### [Event 4778 S: A session was reconnected to a Window Station.](event-4778.md)
####### [Event 4779 S: A session was disconnected from a Window Station.](event-4779.md)
####### [Event 4800 S: The workstation was locked.](event-4800.md)
####### [Event 4801 S: The workstation was unlocked.](event-4801.md)
####### [Event 4802 S: The screen saver was invoked.](event-4802.md)
####### [Event 4803 S: The screen saver was dismissed.](event-4803.md)
####### [Event 5378 F: The requested credentials delegation was disallowed by policy.](event-5378.md)
####### [Event 5632 S, F: A request was made to authenticate to a wireless network.](event-5632.md)
####### [Event 5633 S, F: A request was made to authenticate to a wired network.](event-5633.md)
###### [Audit Special Logon](audit-special-logon.md)
####### [Event 4964 S: Special groups have been assigned to a new logon.](event-4964.md)
####### [Event 4672 S: Special privileges assigned to new logon.](event-4672.md)
###### [Audit Application Generated](audit-application-generated.md)
###### [Audit Certification Services](audit-certification-services.md)
###### [Audit Detailed File Share ](audit-detailed-file-share.md)
###### [Audit Detailed File Share](audit-detailed-file-share.md)
####### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](event-5145.md)
###### [Audit File Share](audit-file-share.md)
####### [Event 5140 S, F: A network share object was accessed.](event-5140.md)
####### [Event 5142 S: A network share object was added.](event-5142.md)
####### [Event 5143 S: A network share object was modified.](event-5143.md)
####### [Event 5144 S: A network share object was deleted.](event-5144.md)
####### [Event 5168 F: SPN check for SMB/SMB2 failed.](event-5168.md)
###### [Audit File System](audit-file-system.md)
####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
####### [Event 4660 S: An object was deleted.](event-4660.md)
####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
####### [Event 4664 S: An attempt was made to create a hard link.](event-4664.md)
####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
####### [Event 5051: A file was virtualized.](event-5051.md)
####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
###### [Audit Filtering Platform Connection](audit-filtering-platform-connection.md)
###### [Audit Filtering Platform Packet Drop ](audit-filtering-platform-packet-drop.md)
####### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](event-5031.md)
####### [Event 5150: The Windows Filtering Platform blocked a packet.](event-5150.md)
####### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5151.md)
####### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](event-5154.md)
####### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](event-5155.md)
####### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](event-5156.md)
####### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](event-5157.md)
####### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](event-5158.md)
####### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](event-5159.md)
###### [Audit Filtering Platform Packet Drop](audit-filtering-platform-packet-drop.md)
####### [Event 5152 F: The Windows Filtering Platform blocked a packet.](event-5152.md)
####### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](event-5153.md)
###### [Audit Handle Manipulation](audit-handle-manipulation.md)
###### [Audit Kernel Object ](audit-kernel-object.md)
####### [Event 4690 S: An attempt was made to duplicate a handle to an object.](event-4690.md)
###### [Audit Kernel Object](audit-kernel-object.md)
####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
####### [Event 4660 S: An object was deleted.](event-4660.md)
####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
###### [Audit Other Object Access Events](audit-other-object-access-events.md)
####### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](event-4671.md)
####### [Event 4691 S: Indirect access to an object was requested.](event-4691.md)
####### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](event-5148.md)
####### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](event-5149.md)
####### [Event 4698 S: A scheduled task was created.](event-4698.md)
####### [Event 4699 S: A scheduled task was deleted.](event-4699.md)
####### [Event 4700 S: A scheduled task was enabled.](event-4700.md)
####### [Event 4701 S: A scheduled task was disabled.](event-4701.md)
####### [Event 4702 S: A scheduled task was updated.](event-4702.md)
####### [Event 5888 S: An object in the COM+ Catalog was modified.](event-5888.md)
####### [Event 5889 S: An object was deleted from the COM+ Catalog.](event-5889.md)
####### [Event 5890 S: An object was added to the COM+ Catalog.](event-5890.md)
###### [Audit Registry](audit-registry.md)
####### [Event 4663 S: An attempt was made to access an object.](event-4663.md)
####### [Event 4656 S, F: A handle to an object was requested.](event-4656.md)
####### [Event 4658 S: The handle to an object was closed.](event-4658.md)
####### [Event 4660 S: An object was deleted.](event-4660.md)
####### [Event 4657 S: A registry value was modified.](event-4657.md)
####### [Event 5039: A registry key was virtualized.](event-5039.md)
####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
###### [Audit Removable Storage](audit-removable-storage.md)
###### [Audit SAM ](audit-sam.md)
###### [Audit SAM](audit-sam.md)
####### [Event 4661 S, F: A handle to an object was requested.](event-4661.md)
###### [Audit Central Access Policy Staging](audit-central-access-policy-staging.md)
####### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](event-4818.md)
###### [Audit Audit Policy Change](audit-audit-policy-change.md)
####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
####### [Event 4715 S: The audit policy, SACL, on an object was changed.](event-4715.md)
####### [Event 4719 S: System audit policy was changed.](event-4719.md)
####### [Event 4817 S: Auditing settings on object were changed.](event-4817.md)
####### [Event 4902 S: The Per-user audit policy table was created.](event-4902.md)
####### [Event 4906 S: The CrashOnAuditFail value has changed.](event-4906.md)
####### [Event 4907 S: Auditing settings on object were changed.](event-4907.md)
####### [Event 4908 S: Special Groups Logon table modified.](event-4908.md)
####### [Event 4912 S: Per User Audit Policy was changed.](event-4912.md)
####### [Event 4904 S: An attempt was made to register a security event source.](event-4904.md)
####### [Event 4905 S: An attempt was made to unregister a security event source.](event-4905.md)
###### [Audit Authentication Policy Change](audit-authentication-policy-change.md)
####### [Event 4706 S: A new trust was created to a domain.](event-4706.md)
####### [Event 4707 S: A trust to a domain was removed.](event-4707.md)
####### [Event 4716 S: Trusted domain information was modified.](event-4716.md)
####### [Event 4713 S: Kerberos policy was changed.](event-4713.md)
####### [Event 4717 S: System security access was granted to an account.](event-4717.md)
####### [Event 4718 S: System security access was removed from an account.](event-4718.md)
####### [Event 4739 S: Domain Policy was changed.](event-4739.md)
####### [Event 4864 S: A namespace collision was detected.](event-4864.md)
####### [Event 4865 S: A trusted forest information entry was added.](event-4865.md)
####### [Event 4866 S: A trusted forest information entry was removed.](event-4866.md)
####### [Event 4867 S: A trusted forest information entry was modified.](event-4867.md)
###### [Audit Authorization Policy Change](audit-authorization-policy-change.md)
####### [Event 4703 S: A user right was adjusted.](event-4703.md)
####### [Event 4704 S: A user right was assigned.](event-4704.md)
####### [Event 4705 S: A user right was removed.](event-4705.md)
####### [Event 4670 S: Permissions on an object were changed.](event-4670.md)
####### [Event 4911 S: Resource attributes of the object were changed.](event-4911.md)
####### [Event 4913 S: Central Access Policy on the object was changed.](event-4913.md)
###### [Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)
###### [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)
####### [Event 4944 S: The following policy was active when the Windows Firewall started.](event-4944.md)
####### [Event 4945 S: A rule was listed when the Windows Firewall started.](event-4945.md)
####### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](event-4946.md)
####### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](event-4947.md)
####### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](event-4948.md)
####### [Event 4949 S: Windows Firewall settings were restored to the default values.](event-4949.md)
####### [Event 4950 S: A Windows Firewall setting has changed.](event-4950.md)
####### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](event-4951.md)
####### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](event-4952.md)
####### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](event-4953.md)
####### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](event-4954.md)
####### [Event 4956 S: Windows Firewall has changed the active profile.](event-4956.md)
####### [Event 4957 F: Windows Firewall did not apply the following rule.](event-4957.md)
####### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](event-4958.md)
###### [Audit Other Policy Change Events](audit-other-policy-change-events.md)
###### [Audit Sensitive Privilege Use ](audit-sensitive-privilege-use.md)
###### [Audit Non-Sensitive Privilege Use ](audit-non-sensitive-privilege-use.md)
###### [Audit Other Privilege Use Events ](audit-other-privilege-use-events.md)
####### [Event 4714 S: Encrypted data recovery policy was changed.](event-4714.md)
####### [Event 4819 S: Central Access Policies on the machine have been changed.](event-4819.md)
####### [Event 4826 S: Boot Configuration Data loaded.](event-4826.md)
####### [Event 4909: The local policy settings for the TBS were changed.](event-4909.md)
####### [Event 4910: The group policy settings for the TBS were changed.](event-4910.md)
####### [Event 5063 S, F: A cryptographic provider operation was attempted.](event-5063.md)
####### [Event 5064 S, F: A cryptographic context operation was attempted.](event-5064.md)
####### [Event 5065 S, F: A cryptographic context modification was attempted.](event-5065.md)
####### [Event 5066 S, F: A cryptographic function operation was attempted.](event-5066.md)
####### [Event 5067 S, F: A cryptographic function modification was attempted.](event-5067.md)
####### [Event 5068 S, F: A cryptographic function provider operation was attempted.](event-5068.md)
####### [Event 5069 S, F: A cryptographic function property operation was attempted.](event-5069.md)
####### [Event 5070 S, F: A cryptographic function property modification was attempted.](event-5070.md)
####### [Event 5447 S: A Windows Filtering Platform filter has been changed.](event-5447.md)
####### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](event-6144.md)
####### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](event-6145.md)
###### [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md)
####### [Event 4673 S, F: A privileged service was called.](event-4673.md)
####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md)
####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
###### [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
####### [Event 4673 S, F: A privileged service was called.](event-4673.md)
####### [Event 4674 S, F: An operation was attempted on a privileged object.](event-4674.md)
####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
###### [Audit Other Privilege Use Events](audit-other-privilege-use-events.md)
####### [Event 4985 S: The state of a transaction has changed.](event-4985.md)
###### [Audit IPsec Driver](audit-ipsec-driver.md)
###### [Audit Other System Events](audit-other-system-events.md)
####### [Event 5024 S: The Windows Firewall Service has started successfully.](event-5024.md)
####### [Event 5025 S: The Windows Firewall Service has been stopped.](event-5025.md)
####### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](event-5027.md)
####### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](event-5028.md)
####### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](event-5029.md)
####### [Event 5030 F: The Windows Firewall Service failed to start.](event-5030.md)
####### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](event-5032.md)
####### [Event 5033 S: The Windows Firewall Driver has started successfully.](event-5033.md)
####### [Event 5034 S: The Windows Firewall Driver was stopped.](event-5034.md)
####### [Event 5035 F: The Windows Firewall Driver failed to start.](event-5035.md)
####### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](event-5037.md)
####### [Event 5058 S, F: Key file operation.](event-5058.md)
####### [Event 5059 S, F: Key migration operation.](event-5059.md)
####### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](event-6400.md)
####### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](event-6401.md)
####### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](event-6402.md)
####### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](event-6403.md)
####### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](event-6404.md)
####### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](event-6405.md)
####### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](event-6406.md)
####### [Event 6407: 1%.](event-6407.md)
####### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](event-6408.md)
####### [Event 6409: BranchCache: A service connection point object could not be parsed.](event-6409.md)
###### [Audit Security State Change](audit-security-state-change.md)
####### [Event 4608 S: Windows is starting up.](event-4608.md)
####### [Event 4616 S: The system time was changed.](event-4616.md)
####### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](event-4621.md)
###### [Audit Security System Extension](audit-security-system-extension.md)
####### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](event-4610.md)
####### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](event-4611.md)
####### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](event-4614.md)
####### [Event 4622 S: A security package has been loaded by the Local Security Authority.](event-4622.md)
####### [Event 4697 S: A service was installed in the system.](event-4697.md)
###### [Audit System Integrity](audit-system-integrity.md)
####### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](event-4612.md)
####### [Event 4615 S: Invalid use of LPC port.](event-4615.md)
####### [Event 4618 S: A monitored security event pattern has occurred.](event-4618.md)
####### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](event-4816.md)
####### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](event-5038.md)
####### [Event 5056 S: A cryptographic self-test was performed.](event-5056.md)
####### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](event-5062.md)
####### [Event 5057 F: A cryptographic primitive operation failed.](event-5057.md)
####### [Event 5060 F: Verification operation failed.](event-5060.md)
####### [Event 5061 S, F: Cryptographic operation.](event-5061.md)
####### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](event-6281.md)
####### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](event-6410.md)
###### [Other Events](other-events.md)
####### [Event 1100 S: The event logging service has shut down.](event-1100.md)
####### [Event 1102 S: The audit log was cleared.](event-1102.md)
####### [Event 1104 S: The security log is now full.](event-1104.md)
####### [Event 1105 S: Event log automatic backup.](event-1105.md)
####### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](event-1108.md)
###### [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
###### [Registry (Global Object Access Auditing) ](registry-global-object-access-auditing.md)
###### [File System (Global Object Access Auditing) ](file-system-global-object-access-auditing.md)
### [Security policy settings](security-policy-settings.md)

29
windows/keep-secure/appendix-a-security-monitoring-recommendations-for-many-audit-events.md Normal file
View File

@ -0,0 +1,29 @@
---
title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
description: Appendix A, Security monitoring recommendations for many audit events
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# Appendix A: Security monitoring recommendations for many audit events
**Applies to**
- Windows 10
- Windows Server 2016
This document, the [Advanced security audit policy settings](advanced-security-audit-policy-settings.md) reference, provides information about individual audit events, and lists them within audit categories and subcategories. However, there are many events for which the following overall recommendations apply. There are links throughout this document from the “Recommendations” sections of the relevant events to this appendix.
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor relevant events for the **“Subject\\Security ID”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | Monitor the relevant events for **“Subject\\Security ID”** accounts that are outside the whitelist of accounts. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | Identify events that correspond to the actions you want to monitor, and for those events, review the **“Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. |

36
windows/keep-secure/audit-account-lockout.md
View File

@ -2,35 +2,41 @@
title: Audit Account Lockout (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Account Lockout, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
ms.assetid: da68624b-a174-482c-9bc5-ddddab38e589
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Account Lockout
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Account Lockout**, which enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
Audit Account Lockout enables you to audit security events that are generated by a failed attempt to log on to an account that is locked out.
If you configure this policy setting, an audit event is generated when an account cannot log on to a computer because the account is locked out. Success audits record successful attempts and failure audits record unsuccessful attempts.
Account lockout events are essential for understanding user activity and detecting potential attacks.
Event volume: Low
**Event volume**: Low.
Default setting: Success
This subcategory failure logon attempts, when account was already locked out.
| Event ID | Event message |
| - | - |
| 4625 | An account failed to log on. |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Member Server | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
| Workstation | No | Yes | No | Yes | We recommend tracking account lockouts, especially for high value domain or local accounts (database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts, and so on).<br>This subcategory doesnt have Success events, so there is no recommendation to enable Success auditing for this subcategory. |
**Events List:**
- [4625](event-4625.md)(F): An account failed to log on.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

42
windows/keep-secure/audit-application-generated.md
View File

@ -2,39 +2,41 @@
title: Audit Application Generated (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Application Generated, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs).
ms.assetid: 6c58a365-b25b-42b8-98ab-819002e31871
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Application Generated
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Application Generated**, which determines whether the operating system generates audit events when applications attempt to use the Windows Auditing application programming interfaces (APIs).
The following events can generate audit activity:
Audit Application Generated generates events for actions related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx).
- Creation, deletion, or initialization of an application client context
- Application operations
Audit Application Generated subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.
Applications that are designed to use the Windows Auditing APIs can use this subcategory to log auditing events that are related to those APIs. The level, volume, relevance, and importance of these audit events depend on the application that generates them. The operating system logs the events as they are generated by the application.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. |
| Workstation | IF | IF | IF | IF | IF if you use [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) in your environment and you need to monitor events related to Authorization Manager [applications](https://technet.microsoft.com/en-us/library/cc770563.aspx), enable this subcategory. |
Event volume: Depends on the installed app's use of the Windows Auditing APIs
**Events List:**
Default: Not configured
## 4665: An attempt was made to create an application client context.
| Event ID | Event message |
| - | - |
| 4665 | An attempt was made to create an application client context. |
| 4666 | An application attempted an operation: |
| 4667 | An application client context was deleted. |
 
## Related topics
## 4666: An application attempted an operation.
## 4667: An application client context was deleted.
## 4668: An application was initialized.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

59
windows/keep-secure/audit-application-group-management.md
View File

@ -2,42 +2,53 @@
title: Audit Application Group Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Application Group Management, which determines whether the operating system generates audit events when application group management tasks are performed.
ms.assetid: 1bcaa41e-5027-4a86-96b7-f04eaf1c0606
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Application Group Management
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Application Group Management**, which determines whether the operating system generates audit events when application group management tasks are performed.
Application group management tasks include:
Audit Application Group Management generates events for actions related to [application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx), such as group creation, modification, addition or removal of group member and some other actions.
- An application group is created, changed, or deleted.
- A member is added to or removed from an application group.
[Application groups](https://technet.microsoft.com/en-us/library/cc771579.aspx) are used by [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx).
Event volume: Low
Audit Application Group Management subcategory is out of scope of this document, because [Authorization Manager](https://technet.microsoft.com/en-us/library/cc726036.aspx) is very rarely in use and it is deprecated starting from Windows Server 2012.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. |
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
| Event ID | Event message |
| - | - |
| 4783 | A basic application group was created. |
| 4784 | A basic application group was changed. |
| 4785 | A member was added to a basic application group. |
| 4786 | A member was removed from a basic application group. |
| 4787 | A non-member was added to a basic application group. |
| 4788 | A non-member was removed from a basic application group. |
| 4789 | A basic application group was deleted. |
| 4790 | An LDAP query group was created. |
 
## Related topics
## 4783(S): A basic application group was created.
## 4784(S): A basic application group was changed.
## 4785(S): A member was added to a basic application group.
## 4786(S): A member was removed from a basic application group.
## 4787(S): A non-member was added to a basic application group.
## 4788(S): A non-member was removed from a basic application group.
## 4789(S): A basic application group was deleted.
## 4790(S): An LDAP query group was created.
## 4791(S): An LDAP query group was changed.
## 4792(S): An LDAP query group was deleted.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

95
windows/keep-secure/audit-audit-policy-change.md
View File

@ -2,54 +2,83 @@
title: Audit Audit Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Audit Policy Change, which determines whether the operating system generates audit events when changes are made to audit policy.
ms.assetid: 7153bf75-6978-4d7e-a821-59a699efb8a9
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Audit Policy Change
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Audit Policy Change**, which determines whether the operating system generates audit events when changes are made to audit policy.
Audit Audit Policy Change determines whether the operating system generates audit events when changes are made to audit policy.
**Event volume**: Low.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | Almost all events in this subcategory have security relevance and should be monitored. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Changes to audit policy that are audited include:
- Changing permissions and audit settings on the audit policy object (by using **auditpol /set /sd**).
- Changing the system audit policy.
- Registering and unregistering security event sources.
- Changing per-user audit settings.
- Changing the value of **CrashOnAuditFail**.
- Changing audit settings on an object (for example, modifying the system access control list (SACL) for a file or registry key).
- Changing permissions and audit settings on the audit policy object (by using auditpol /set /sd” command).
- Changing the system audit policy.
- Registering and unregistering security event sources.
- Changing per-user audit settings.
- Changing the value of CrashOnAuditFail.
- Changing audit settings on an object (for example, modifying the system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) for a file or registry key).
> **Note**&nbsp;&nbsp;[SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
> **Note:** SACL change auditing is performed when a SACL for an object has changed and the Policy Change category is configured. Discretionary access control list (DACL) and owner change auditing are performed when Object Access auditing is configured and the object's SACL is set for auditing of the DACL or owner change.
 
- Changing anything in the Special Groups list.
> **Important:**  Changes to the audit policy are critical security events.
 
Event volume: Low
The following events will be enabled with Success auditing in this subcategory:
Default: Success
- 4902(S): The Per-user audit policy table was created.
| Event ID | Event message |
| - | - |
| 4715 | The audit policy (SACL) on an object was changed. |
| 4719 | System audit policy was changed. |
| 4817 | Auditing settings on an object were changed. <br> **Note: ** This event is logged only on computers running the supported versions of the Windows operating system. |
| 4902 | The Per-user audit policy table was created. |
| 4904 | An attempt was made to register a security event source. |
| 4905 | An attempt was made to unregister a security event source. |
| 4906 | The CrashOnAuditFail value has changed. |
| 4907 | Auditing settings on object were changed. |
| 4908 | Special Groups Logon table modified. |
| 4912 | Per User Audit Policy was changed. |
 
## Related topics
- 4907(S): Auditing settings on object were changed.
- 4904(S): An attempt was made to register a security event source.
- 4905(S): An attempt was made to unregister a security event source.
All other events in this subcategory will be logged regardless of the "Audit Policy Change" setting.
**Events List:**
- [4715](event-4715.md)(S): The audit policy (SACL) on an object was changed.
- [4719](event-4719.md)(S): System audit policy was changed.
- [4817](event-4817.md)(S): Auditing settings on object were changed.
- [4902](event-4902.md)(S): The Per-user audit policy table was created.
- [4906](event-4906.md)(S): The CrashOnAuditFail value has changed.
- [4907](event-4907.md)(S): Auditing settings on object were changed.
- [4908](event-4908.md)(S): Special Groups Logon table modified.
- [4912](event-4912.md)(S): Per User Audit Policy was changed.
- [4904](event-4904.md)(S): An attempt was made to register a security event source.
- [4905](event-4905.md)(S): An attempt was made to unregister a security event source.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

86
windows/keep-secure/audit-authentication-policy-change.md
View File

@ -2,55 +2,79 @@
title: Audit Authentication Policy Change (Windows 10)
description: This topic for the IT professional describes this Advanced Security Audit policy setting, Audit Authentication Policy Change, which determines whether the operating system generates audit events when changes are made to authentication policy.
ms.assetid: aa9cea7a-aadf-47b7-b704-ac253b8e79be
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Authentication Policy Change
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes this Advanced Security Audit policy setting, **Audit Authentication Policy Change**, which determines whether the operating system generates audit events when changes are made to authentication policy.
Audit Authentication Policy Change determines whether the operating system generates audit events when changes are made to authentication policy.
Changes made to authentication policy include:
- Creation, modification, and removal of forest and domain trusts.
- Changes to Kerberos policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**.
> **Note:**  The audit event is logged when the policy is applied, not when settings are modified by the administrator.
 
- When any of the following user rights is granted to a user or group:
- **Access this computer from the network**
- **Allow logon locally**
- **Allow logon through Remote Desktop**
- **Logon as a batch job**
- **Logon as a service**
- Changes to Kerberos policy under Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy.
- When any of the following user logon rights is granted to a user or group:
- Access this computer from the network
- Allow logon locally
- Allow logon through Remote Desktop
- Logon as a batch job
- Logon as a service
- Namespace collision, such as when an added trust collides with an existing namespace name.
This setting is useful for tracking changes in domain-level and forest-level trust and privileges that are granted to user accounts or groups.
Event volume: Low
**Event volume**: Low.
Default: Success
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | On domain controllers, it is important to enable Success audit for this subcategory to be able to get information related to operations with domain and forest trusts, changes in Kerberos policy and some other events included in this subcategory.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | On member servers it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | On workstations it is important to enable Success audit for this subcategory to be able to get information related to changes in user logon rights policies and password policy changes.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Event ID | Event message |
| - | - |
| 4713 | Kerberos policy was changed. |
| 4716 | Trusted domain information was modified. |
| 4717 | System security access was granted to an account. |
| 4718 | System security access was removed from an account. |
| 4739 | Domain Policy was changed. |
| 4864 | A namespace collision was detected. |
| 4865 | A trusted forest information entry was added. |
| 4866 | A trusted forest information entry was removed. |
| 4867 | A trusted forest information entry was modified. |
 
## Related topics
**Events List:**
- [4670](event-4670.md)(S): Permissions on an object were changed
- [4706](event-4706.md)(S): A new trust was created to a domain.
- [4707](event-4707.md)(S): A trust to a domain was removed.
- [4716](event-4716.md)(S): Trusted domain information was modified.
- [4713](event-4713.md)(S): Kerberos policy was changed.
- [4717](event-4717.md)(S): System security access was granted to an account.
- [4718](event-4718.md)(S): System security access was removed from an account.
- [4739](event-4739.md)(S): Domain Policy was changed.
- [4864](event-4864.md)(S): A namespace collision was detected.
- [4865](event-4865.md)(S): A trusted forest information entry was added.
- [4866](event-4866.md)(S): A trusted forest information entry was removed.
- [4867](event-4867.md)(S): A trusted forest information entry was modified.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

48
windows/keep-secure/audit-authorization-policy-change.md
View File

@ -2,39 +2,45 @@
title: Audit Authorization Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Authorization Policy Change, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
ms.assetid: ca0587a2-a2b3-4300-aa5d-48b4553c3b36
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Authorization Policy Change
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Authorization Policy Change**, which determines whether the operating system generates audit events when specific changes are made to the authorization policy.
Authorization policy changes that can be audited include:
Audit Authorization Policy Change allows you to audit assignment and removal of user rights in user right policies, changes in security token object permission, resource attributes changes and Central Access Policy changes for file system objects.
- Assigning or removing user rights (privileges) such as **SeCreateTokenPrivilege**, except for the system access rights that are audited by using the [Audit Authentication Policy Change](audit-authentication-policy-change.md) subcategory.
- Changing the Encrypting File System (EFS) policy.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | It is important to enable Success audit for this subcategory to be able to get information related to changes in user rights policies.<br>Enable Success audit for this subcategory also if you need to monitor changes of resource attributes or Central Access Policy applied to file system objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Event volume: Very high
**Events List:**
Default: Not configured
- [4703](event-4703.md)(S): A user right was adjusted.
| Event ID | Event message |
| - | - |
| 4704 | A user right was assigned. |
| 4705 | A user right was removed. |
| 4706 | A new trust was created to a domain. |
| 4707 | A trust to a domain was removed. |
| 4714 | Encrypted data recovery policy was changed. |
 
## Related topics
- [4704](event-4704.md)(S): A user right was assigned.
- [4705](event-4705.md)(S): A user right was removed.
- [4670](event-4670.md)(S): Permissions on an object were changed.
- [4911](event-4911.md)(S): Resource attributes of the object were changed.
- [4913](event-4913.md)(S): Central Access Policy on the object was changed.
**Event volume**: Medium.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

41
windows/keep-secure/audit-central-access-policy-staging.md
View File

@ -2,30 +2,43 @@
title: Audit Central Access Policy Staging (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Central Access Policy Staging, which determines permissions on a Central Access Policy.
ms.assetid: D9BB11CE-949A-4B48-82BF-30DC5E6FC67D
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Central Access Policy Staging
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Central Access Policy Staging**, which determines permissions on a Central Access Policy.
Event volume: Medium
Audit Central Access Policy Staging allows you to audit access requests where a permission granted or denied by a proposed policy differs from the current central access policy on an object.
Default: Not configured
If you configure this policy setting, an audit event is generated each time a user accesses an object and the permission granted by the current central access policy on the object differs from that granted by the proposed policy. The resulting audit event is generated as follows:
| Event ID | Event message |
| - | - |
| 4818 | Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy |
 
## Related topics
- Success audits, when configured, record access attempts when the current central access policy grants access, but the proposed policy denies access.
- Failure audits, when configured, record access attempts when:
- The current central access policy does not grant access, but the proposed policy grants access.
- A principal requests the maximum access rights they are allowed and the access rights granted by the current central access policy are different than the access rights granted by the proposed policy.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF - Enable this subcategory if you need to test or troubleshoot Dynamic Access Control Proposed [Central Access Policies](https://technet.microsoft.com/en-us/library/hh831425.aspx).<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4818](event-4818.md)(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

143
windows/keep-secure/audit-certification-services.md
View File

@ -1,77 +1,122 @@
---
title: Audit Certification Services (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Certification Services, which determines whether the operating system generates events when Active Directory Certificate Services (ADÂ CS) operations are performed.
ms.assetid: cdefc34e-fb1f-4eff-b766-17713c5a1b03
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Certification Services
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Certification Services**, which determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
Audit Certification Services determines whether the operating system generates events when Active Directory Certificate Services (AD CS) operations are performed.
Examples of AD CS operations include:
- AD CS starts, shuts down, is backed up, or is restored.
- AD CS starts, shuts down, is backed up, or is restored.
- Certificate revocation list (CRL)-related tasks are performed.
- Certificates are requested, issued, or revoked.
- Certificate manager settings for AD CS are changed.
- Certificate manager settings for AD CS are changed.
- The configuration and properties of the certification authority (CA) are changed.
- AD CS templates are modified.
- AD CS templates are modified.
- Certificates are imported.
- A CA certificate is published to Active Directory Domain Services.
- Security permissions for AD CS role services are modified.
- Keys are archived, imported, or retrieved.
- The OCSP Responder Service is started or stopped.
Monitoring these operational events is important to ensure that AD CS role services are functioning properly.
Event volume: Low to medium on servers that host AD CS role services
**Event volume: Low to medium on servers that provide AD CS role services.**
Default: Not configured
Role-specific subcategories are outside the scope of this document.
| Event ID | Event message |
| - | - |
| 4868 | The certificate manager denied a pending certificate request. |
| 4869 | Certificate Services received a resubmitted certificate request. |
| 4870 | Certificate Services revoked a certificate. |
| 4871 | Certificate Services received a request to publish the certificate revocation list (CRL). |
| 4872 | Certificate Services published the certificate revocation list (CRL). |
| 4873 | A certificate request extension changed. |
| 4874 | One or more certificate request attributes changed. |
| 4875 | Certificate Services received a request to shut down. |
| 4876 | Certificate Services backup started. |
| 4877 | Certificate Services backup completed. |
| 4878 | Certificate Services restore started. |
| 4879 | Certificate Services restore completed. |
| 4880 | Certificate Services started. |
| 4881 | Certificate Services stopped. |
| 4882 | The security permissions for Certificate Services changed. |
| 4883 | Certificate Services retrieved an archived key. |
| 4884 | Certificate Services imported a certificate into its database. |
| 4885 | The audit filter for Certificate Services changed. |
| 4886 | Certificate Services received a certificate request. |
| 4887 | Certificate Services approved a certificate request and issued a certificate. |
| 4888 | Certificate Services denied a certificate request. |
| 4889 | Certificate Services set the status of a certificate request to pending. |
| 4890 | The certificate manager settings for Certificate Services changed. |
| 4891 | A configuration entry changed in Certificate Services. |
| 4892 | A property of Certificate Services changed. |
| 4893 | Certificate Services archived a key. |
| 4894 | Certificate Services imported and archived a key. |
| 4895 | Certificate Services published the CA certificate to Active Directory Domain Services. |
| 4896 | One or more rows have been deleted from the certificate database. |
| 4897 | Role separation enabled: |
| 4898 | Certificate Services loaded a template. |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if a server has the [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role installed and you need to monitor AD CS related events, enable this subcategory. |
| Workstation | No | No | No | No | [Active Directory Certificate Services](https://technet.microsoft.com/en-us/windowsserver/dd448615.aspx) (AD CS) role cannot be installed on client OS. |
## 4868: The certificate manager denied a pending certificate request.
## 4869: Certificate Services received a resubmitted certificate request.
## 4870: Certificate Services revoked a certificate.
## 4871: Certificate Services received a request to publish the certificate revocation list (CRL).
## 4872: Certificate Services published the certificate revocation list (CRL).
## 4873: A certificate request extension changed.
## 4874: One or more certificate request attributes changed.
## 4875: Certificate Services received a request to shut down.
## 4876: Certificate Services backup started.
## 4877: Certificate Services backup completed.
## 4878: Certificate Services restore started.
## 4879: Certificate Services restore completed.
## 4880: Certificate Services started.
## 4881: Certificate Services stopped.
## 4882: The security permissions for Certificate Services changed.
## 4883: Certificate Services retrieved an archived key.
## 4884: Certificate Services imported a certificate into its database.
## 4885: The audit filter for Certificate Services changed.
## 4886: Certificate Services received a certificate request.
## 4887: Certificate Services approved a certificate request and issued a certificate.
## 4888: Certificate Services denied a certificate request.
## 4889: Certificate Services set the status of a certificate request to pending.
## 4890: The certificate manager settings for Certificate Services changed.
## 4891: A configuration entry changed in Certificate Services.
## 4892: A property of Certificate Services changed.
## 4893: Certificate Services archived a key.
## 4894: Certificate Services imported and archived a key.
## 4895: Certificate Services published the CA certificate to Active Directory Domain Services.
## 4896: One or more rows have been deleted from the certificate database.
## 4897: Role separation enabled.
## 4898: Certificate Services loaded a template.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

41
windows/keep-secure/audit-computer-account-management.md
View File

@ -2,34 +2,43 @@
title: Audit Computer Account Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Computer Account Management, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
ms.assetid: 6c406693-57bf-4411-bb6c-ff83ce548991
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Computer Account Management
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Computer Account Management**, which determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
Audit Computer Account Management determines whether the operating system generates audit events when a computer account is created, changed, or deleted.
This policy setting is useful for tracking account-related changes to computers that are members of a domain.
Event volume: Low
**Event volume**: Low on domain controllers.
Default: Not configured
This subcategory allows you to audit events generated by changes to computer accounts such as when a computer account is created, changed, or deleted.
| Event ID | Event message |
| - | - |
| 4741 | A computer account was created. |
| 4742 | A computer account was changed. |
| 4743 | A computer account was deleted. |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | We recommend monitoring changes to critical computer objects in Active Directory, such as domain controllers, administrative workstations, and critical servers. It's especially important to be informed if any critical computer account objects are deleted.<br>Additionally, events in this subcategory will give you information about who deleted, created, or modified a computer object, and when the action was taken.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:**
- [4741](event-4741.md)(S): A computer account was created.
- [4742](event-4742.md)(S): A computer account was changed.
- [4743](event-4743.md)(S): A computer account was deleted.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

53
windows/keep-secure/audit-credential-validation.md
View File

@ -2,42 +2,55 @@
title: Audit Credential Validation (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Credential Validation, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
ms.assetid: 6654b33a-922e-4a43-8223-ec5086dfc926
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Credential Validation
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Credential Validation**, which determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
Audit Credential Validation determines whether the operating system generates audit events on credentials that are submitted for a user account logon request.
These events occur on the computer that is authoritative for the credentials as follows:
- For domain accounts, the domain controller is authoritative.
- For local accounts, the local computer is authoritative.
Event volume: High on domain controllers
**Event volume**:
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they
may occur in conjunction with or on separate computers from Logon and Logoff events.
- High on domain controllers.
Default: Not configured
- Low on member servers and workstations.
| Event ID | Event message |
| - | - |
| 4774 | An account was mapped for logon. |
| 4775 | An account could not be mapped for logon. |
| 4776 | The domain controller attempted to validate the credentials for an account. |
| 4777 | The domain controller failed to validate the credentials for an account. |
 
## Related topics
Because domain accounts are used much more frequently than local accounts in enterprise environments, most of the Account Logon events in a domain environment occur on the domain controllers that are authoritative for the domain accounts. However, these events can occur on any computer, and they may occur in conjunction with or on separate computers from Logon and Logoff events.
The main reason to enable this auditing subcategory is to handle local accounts authentication attempts and, for domain accounts, NTLM authentication in the domain. It is especially useful for monitoring unsuccessful attempts, to find brute-force attacks, account enumeration, and potential account compromise events on domain controllers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume of events is high for domain controllers, because this subcategory will generate events when an authentication attempt is made using any domain account and NTLM authentication. <br>IF We recommend Success auditing to keep track of domain-account authentication events using the NTLM protocol. Expect a high volume of events. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Just collecting Success auditing events in this subcategory for future use in case of a security incident is not very useful, because events in this subcategory are not always informative.<br>We recommend Failure auditing, to collect information about failed authentication attempts using domain accounts and the NTLM authentication protocol. |
| Member Server | Yes | Yes | Yes | Yes | Expected volume of events is low for member servers, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
| Workstation | Yes | Yes | Yes | Yes | Expected volume of events is low for workstations, because this subcategory will generate events when an authentication attempt is made using a local account, which should not happen too often.<br>We recommend Success auditing, to keep track of authentication events by local accounts.<br>We recommend Failure auditing, to collect information about failed authentication attempts by local accounts. |
**Events List:**
- [4774](event-4774.md)(S): An account was mapped for logon.
- [4775](event-4775.md)(F): An account could not be mapped for logon.
- [4776](event-4776.md)(S, F): The computer attempted to validate the credentials for an account.
- [4777](event-4777.md)(F): The domain controller failed to validate the credentials for an account.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

48
windows/keep-secure/audit-detailed-directory-service-replication.md
View File

@ -6,35 +6,43 @@ ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
author: Mir0sh
---
# Audit Detailed Directory Service Replication
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Detailed Directory Service Replication**, which determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
Audit Detailed Directory Service Replication determines whether the operating system generates audit events that contain detailed tracking information about data that is replicated between domain controllers.
This audit subcategory can be useful to diagnose replication issues.
Event volume: These events can create a very high volume of event data.
**Event volume**: These events can create a very high volume of event data on domain controllers.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for Active Directory replication troubleshooting. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Event ID | Event message |
| - | - |
| 4928 | An Active Directory replica source naming context was established. |
| 4929 | An Active Directory replica source naming context was removed. |
| 4930 | An Active Directory replica source naming context was modified. |
| 4931 | An Active Directory replica destination naming context was modified. |
| 4934 | Attributes of an Active Directory object were replicated. |
| 4935 | Replication failure begins. |
| 4936 | Replication failure ends. |
| 4937 | A lingering object was removed from a replica. |
 
## Related topics
**Events List:**
- [4928](event-4928.md)(S, F): An Active Directory replica source naming context was established.
- [4929](event-4929.md)(S, F): An Active Directory replica source naming context was removed.
- [4930](event-4930.md)(S, F): An Active Directory replica source naming context was modified.
- [4931](event-4931.md)(S, F): An Active Directory replica destination naming context was modified.
- [4934](event-4934.md)(S): Attributes of an Active Directory object were replicated.
- [4935](event-4935.md)(F): Replication failure begins.
- [4936](event-4936.md)(S): Replication failure ends.
- [4937](event-4937.md)(S): A lingering object was removed from a replica.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

46
windows/keep-secure/audit-detailed-file-share.md
View File

@ -2,33 +2,45 @@
title: Audit Detailed File Share (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Detailed File Share, which allows you to audit attempts to access files and folders on a shared folder.
ms.assetid: 60310104-b820-4033-a1cb-022a34f064ae
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Detailed File Share
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Detailed File Share**, which allows you to audit attempts to access files and folders on a shared folder.
The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client computer and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
> **Note:**  There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
 
Event volume: High on a file server or domain controller because of SYSVOL network access required by Group Policy
Audit Detailed File Share allows you to audit attempts to access files and folders on a shared folder.
Default: Not configured
The Detailed File Share setting logs an event every time a file or folder is accessed, whereas the File Share setting only records one event for any connection established between a client and file share. Detailed File Share audit events include detailed information about the permissions or other criteria used to grant or deny access.
| Event ID | Event message |
| - | - |
| 5145 | A network share object was checked to see whether the client can be granted desired access. |
 
## Related topics
There are no system access control lists (SACLs) for shared folders. If this policy setting is enabled, access to all shared files and folders on the system is audited.
**Event volume**:
- High on file servers.
- High on domain controllers because of SYSVOL network access required by Group Policy.
- Low on member servers and workstations.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | Audit Success for this subcategory on domain controllers typically will lead to very high volume of events, especially for SYSVOL share.<br>We recommend monitoring Failure access attempts: the volume should not be very high. You will be able to see who was not able to get access to a file or folder on a network share on a computer. |
| Member Server | IF | Yes | IF | Yes | IF If a server has shared network folders which typically get many access requests (File Server, for example), the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use the [Audit File System](audit-file-system.md) subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for member servers should not be very high (if they are not File Servers). With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
| Workstation | IF | Yes | IF | Yes | IF If a workstation has shared network folders which typically get many access requests, the volume of events might be very high. If you really need to track all successful access events for every file or folder located on a shared folder, enable Success auditing or use Audit File System subcategory, although that subcategory excludes some information in Audit Detailed File Share, for example, the clients IP address.<br>The volume of Failure events for workstations should not be very high. With Failure auditing, you will be able to see who was not able to get access to a file or folder on a network share on this computer. |
**Events List:**
- [5145](event-5145.md)(S, F): A network share object was checked to see whether client can be granted desired access.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

42
windows/keep-secure/audit-directory-service-access.md
View File

@ -1,34 +1,40 @@
---
title: Audit Directory Service Access (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Access, which determines whether the operating system generates audit events when an Active Directory Domain Services (ADÂ DS) object is accessed.
ms.assetid: ba2562ba-4282-4588-b87c-a3fcb771c7d0
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Directory Service Access
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Access**, which determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
These events are similar to the Directory Service Access events in previous versions of the Windows Server operating systems.
> **Important:**  Audit events are generated only on objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches the SACL settings.
 
Event volume: High on servers running AD DS role services; none on client computers
Audit Directory Service Access determines whether the operating system generates audit events when an Active Directory Domain Services (AD DS) object is accessed.
Default: Not configured
**Event volume**: High on servers running AD DS role services.
| Event ID | Event message |
| - | - |
| 4662 | An operation was performed on an object. |
 
## Related topics
This subcategory allows you to audit when an Active Directory Domain Services (AD DS) object is accessed. It also generates Failure events if access was not granted.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | No | Yes | It is better to track changes to Active Directory objects through the [Audit Directory Service Changes](audit-directory-service-changes.md) subcategory. However, [Audit Directory Service Changes](audit-directory-service-changes.md) doesnt give you information about failed access attempts, so we recommend Failure auditing in this subcategory to track failed access attempts to Active Directory objects.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4662](event-4662.md)(S, F): An operation was performed on an object.
- [4661](event-4661.md)(S, F): A handle to an object was requested.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

61
windows/keep-secure/audit-directory-service-changes.md
View File

@ -1,49 +1,52 @@
---
title: Audit Directory Service Changes (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Changes, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (ADÂ DS).
ms.assetid: 9f7c0dd4-3977-47dd-a0fb-ec2f17cad05e
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Directory Service Changes
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Changes**, which determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
The types of changes that are reported are:
Audit Directory Service Changes determines whether the operating system generates audit events when changes are made to objects in Active Directory Domain Services (AD DS).
- Create
- Delete
- Modify
- Move
- Undelete
Auditing of directory service objects can provide information about the old and new properties of the objects that were changed.
Directory Service Changes auditing, where appropriate, indicates the old and new values of the changed properties of the objects that were changed.
Audit events are generated only for objects with configured system access control lists ([SACLs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)), and only when they are accessed in a manner that matches their [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
> **Important:**  Audit events are generated only for objects with configured system access control lists (SACLs), and only when they are accessed in a manner that matches their SACL settings. Some objects and properties do not cause audit events to be generated due to settings on the object class in the schema.
 
This subcategory only logs events on domain controllers. Changes to Active Directory objects are important events to track in order to understand the state of the network policy.
This subcategory only logs events on domain controllers.
Event volume: High on domain controllers; none on client computers
**Event volume**: High on domain controllers.
Default: Not configured
This subcategory triggers events when an Active Directory object was modified, created, undeleted, moved, or deleted.
| Event ID | Event message |
| - | - |
| 5136 | A directory service object was modified. |
| 5137 | A directory service object was created. |
| 5138 | A directory service object was undeleted. |
| 5139 | A directory service object was moved. |
| 5141 | A directory service object was deleted. |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | It is important to track actions related to high value or critical Active Directory objects, for example, changes to [AdminSDHolder](https://technet.microsoft.com/en-us/magazine/2009.09.sdadminholder.aspx) container or Domain Admins group objects. <br>This subcategory shows you what actions were performed. If you want to track failed access attempts for Active Directory objects you need to take a look at [Audit Directory Service Access](audit-directory-service-access.md) subcategory.<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections. Also, develop an Active Directory auditing policy ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) design for specific classes, operation types which need to be monitored for specific Organizational Units, and so on) so you can audit only the access attempts that are made to specific important objects.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [5136](event-5136.md)(S): A directory service object was modified.
- [5137](event-5137.md)(S): A directory service object was created.
- [5138](event-5138.md)(S): A directory service object was undeleted.
- [5139](event-5139.md)(S): A directory service object was moved.
- [5141](event-5141.md)(S): A directory service object was deleted.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

36
windows/keep-secure/audit-directory-service-replication.md
View File

@ -2,31 +2,37 @@
title: Audit Directory Service Replication (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Directory Service Replication, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
ms.assetid: b95d296c-7993-4e8d-8064-a8bbe284bd56
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Directory Service Replication
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Directory Service Replication**, which determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
Event volume: Medium on domain controllers; none on client computers
Audit Directory Service Replication determines whether the operating system generates audit events when replication between two domain controllers begins and ends.
Default: Not configured
**Event volume**: Medium on domain controllers.
| Event ID | Event Message |
| - | - |
| 4932 | Synchronization of a replica of an Active Directory naming context has begun. |
| 4933 | Synchronization of a replica of an Active Directory naming context has ended. |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | IF | IF | IF - Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for Active Directory replication troubleshooting. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4932](event-4932.md)(S): Synchronization of a replica of an Active Directory naming context has begun.
- [4933](event-4933.md)(S, F): Synchronization of a replica of an Active Directory naming context has ended.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

86
windows/keep-secure/audit-distribution-group-management.md
View File

@ -2,51 +2,73 @@
title: Audit Distribution Group Management (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Distribution Group Management, which determines whether the operating system generates audit events for specific distribution-group management tasks.
ms.assetid: d46693a4-5887-4a58-85db-2f6cba224a66
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Distribution Group Management
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Distribution Group Management**, which determines whether the operating system generates audit events for specific distribution-group management tasks.
Tasks for distribution-group management that can be audited include:
Audit Distribution Group Management determines whether the operating system generates audit events for specific distribution-group management tasks.
- A distribution group is created, changed, or deleted.
- A member is added to or removed from a distribution group.
This subcategory generates events only on domain controllers.
This subcategory to which this policy belongs is logged only on domain controllers.
> **Note:**  Distribution groups cannot be used to manage access control permissions.
 
Event volume: Low
**Event volume**: Low on domain controllers.
Default: Not configured
This subcategory allows you to audit events generated by changes to distribution groups such as the following:
| Event ID | Event message |
| - | - |
| 4744 | A security-disabled local group was created. |
| 4745 | A security-disabled local group was changed. |
| 4746 | A member was added to a security-disabled local group. |
| 4747 | A member was removed from a security-disabled local group. |
| 4748 | A security-disabled local group was deleted. |
| 4749 | A security-disabled global group was created. |
| 4750 | A security-disabled global group was changed. |
| 4751 | A member was added to a security-disabled global group. |
| 4752 | A member was removed from a security-disabled global group. |
| 4753 | A security-disabled global group was deleted. |
| 4759 | A security-disabled universal group was created. |
| 4760 | A security-disabled universal group was changed. |
| 4761 | A member was added to a security-disabled universal group. |
| 4762 | A member was removed from a security-disabled universal group. |
- Distribution group is created, changed, or deleted.
 ## Related topics
- Member is added or removed from a distribution group.
If you need to monitor for group type changes, you need to monitor for “[4764](event-4764.md): A groups type was changed.” “Audit Security Group Management” subcategory success auditing must be enabled.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF - Typically actions related to distribution groups have low security relevance, much more important to monitor Security Group changes. But if you want to monitor for critical distribution groups changes, such as member was added to internal critical distribution group (executives, administrative group, for example), you need to enable this subcategory for Success auditing.<br>Typically volume of these events is low on domain controllers.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | This subcategory generates events only on domain controllers. |
| Workstation | No | No | No | No | This subcategory generates events only on domain controllers. |
**Events List:**
- [4749](event-4749.md)(S): A security-disabled global group was created.
- [4750](event-4750.md)(S): A security-disabled global group was changed.
- [4751](event-4751.md)(S): A member was added to a security-disabled global group.
- [4752](event-4752.md)(S): A member was removed from a security-disabled global group.
- [4753](event-4753.md)(S): A security-disabled global group was deleted.
**4759(S): A security-disabled universal group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4759 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4760(S): A security-disabled universal group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4760 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4761(S): A member was added to a security-disabled universal group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4761 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4762(S): A member was removed from a security-disabled universal group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4762 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4763(S): A security-disabled universal group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4763 is the same, but it is generated for a **universal** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4744(S): A security-disabled local group was created.** See event “[4749](event-4749.md): A security-disabled global group was created.” Event 4744 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4745(S): A security-disabled local group was changed.** See event “[4750](event-4750.md): A security-disabled global group was changed.” Event 4745 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4746(S): A member was added to a security-disabled local group.** See event “[4751](event-4751.md): A member was added to a security-disabled global group.” Event 4746 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4747(S): A member was removed from a security-disabled local group.** See event “[4752](event-4752.md): A member was removed from a security-disabled global group.” Event 4747 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**4748(S): A security-disabled local group was deleted.** See event “[4753](event-4753.md): A security-disabled global group was deleted.” Event 4748 is the same, but it is generated for a **local** distribution group instead of a **global** distribution group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

44
windows/keep-secure/audit-dpapi-activity.md
View File

@ -2,37 +2,41 @@
title: Audit DPAPI Activity (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit DPAPI Activity, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
ms.assetid: be4d4c83-c857-4e3d-a84e-8bcc3f2c99cd
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit DPAPI Activity
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit DPAPI Activity**, which determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface (DPAPI).
DPAPI is used to protect secret information such as stored passwords and key information. For more information about DPAPI, see [Windows Data Protection](http://go.microsoft.com/fwlink/p/?linkid=121720) (http://go.microsoft.com/fwlink/p/?linkid=121720).
Event volume: Low
Audit [DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx) Activity determines whether the operating system generates audit events when encryption or decryption calls are made into the data protection application interface ([DPAPI](https://msdn.microsoft.com/en-us/library/ms995355.aspx)).
Default: Not configured
**Event volume**: Low.
If this policy setting is configured, the following events appear on computers running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic, in addition to Windows Server 2008 and Windows Vista.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for DPAPI troubleshooting. |
| Member Server | IF | IF | IF | IF | IF Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for DPAPI troubleshooting. |
| Workstation | IF | IF | IF | IF | IF Events in this subcategory typically have an informational purpose and it is difficult to detect any malicious activity using these events. Its mainly used for DPAPI troubleshooting. |
| Event ID | Event message |
| - | - |
| 4692 | Backup of data protection master key was attempted. |
| 4693 | Recovery of data protection master key was attempted. |
| 4694 | Protection of auditable protected data was attempted. |
| 4695 | Unprotection of auditable protected data was attempted. |
 
## Related resource
**Events List:**
- [4692](event-4692.md)(S, F): Backup of data protection master key was attempted.
- [4693](event-4693.md)(S, F): Recovery of data protection master key was attempted.
- [4694](event-4694.md)(S, F): Protection of auditable protected data was attempted.
- [4695](event-4695.md)(S, F): Unprotection of auditable protected data was attempted.
- [Advanced Security Audit Policy Settings](advanced-security-audit-policy-settings.md)
 
 

56
windows/keep-secure/audit-file-share.md
View File

@ -2,39 +2,53 @@
title: Audit File Share (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File Share, which determines whether the operating system generates audit events when a file share is accessed.
ms.assetid: 9ea985f8-8936-4b79-abdb-35cbb7138f78
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit File Share
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File Share**, which determines whether the operating system generates audit events when a file share is accessed.
Audit events are not generated when shares are created, deleted, or when share permissions change.
> **Note:**  There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.
 
Audit File Share allows you to audit events related to file shares: creation, deletion, modification, and access attempts. Also, it shows failed SMB SPN checks.
There are no system access control lists (SACLs) for shares; therefore, after this setting is enabled, access to all shares on the system will be audited.
Combined with File System auditing, File Share auditing enables you to track what content was accessed, the source (IP address and port) of the request, and the user account that was used for the access.
Event volume: High on a file server or domain controller (due to SYSVOL access by client computers for policy processing)
**Event volume**:
Default: Not configured
- High on file servers.
| Event ID | Event message |
| - |- |
| 5140 | A network share object was accessed.<br>**Note:** This event is logged on computers running Windows 10, Windows Server 2016 Technical Preview, Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista. |
| 5142 | A network share object was added. |
| 5143 | A network share object was modified. |
| 5144 | A network share object was deleted. |
| 5168 | SPN check for SMB/SMB2 failed. |
 
## Related topics
- High on domain controllers because of SYSVOL network access required by Group Policy.
- Low on member servers and workstations.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing for domain controllers, because its important to track deletion, creation, and modification events for network shares.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification, and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing to track deletion, creation, modification and access attempts to network share objects.<br>We recommend Failure auditing to track failed SMB SPN checks and failed access attempts to network shares. |
**Events List:**
- [5140](event-5140.md)(S, F): A network share object was accessed.
- [5142](event-5142.md)(S): A network share object was added.
- [5143](event-5143.md)(S): A network share object was modified.
- [5144](event-5144.md)(S): A network share object was deleted.
- [5168](event-5168.md)(F): SPN check for SMB/SMB2 failed.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

60
windows/keep-secure/audit-file-system.md
View File

@ -2,39 +2,61 @@
title: Audit File System (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit File System, which determines whether the operating system generates audit events when users attempt to access file system objects.
ms.assetid: 6a71f283-b8e5-41ac-b348-0b7ec6ea0b1f
<<<<<<< HEAD
ms.prod: w10
ms.mktglfcycl: deploy
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
author: Mir0sh
---
# Audit File System
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.
Audit events are generated only for objects that have configured system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit File System**, which determines whether the operating system generates audit events when users attempt to access file system objects.
Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL.
These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring.
Event volume: Varies, depending on how file system SACLs are configured
**Event volume**: Varies, depending on how file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s are configured.
No audit events are generated for the default file system SACLs.
No audit events are generated for the default file system [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s.
Default: Not configured
This subcategory allows you to audit user attempts to access file system objects, file system object deletion and permissions change operations and hard link creation actions.
| Event ID | Event message |
| - | - |
| 4664 | An attempt was made to create a hard link. |
| 4985 | The state of a transaction has changed. |
| 5051 | A file was virtualized. |
 
## Related topics
Only one event, “[4658](event-4658.md): The handle to an object was closed,” depends on the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory (Success auditing must be enabled). All other events generate without any additional configuration.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a File System Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific file system objects.<br>Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them. |
| Member Server | IF | IF | IF | IF | |
| Workstation | IF | IF | IF | IF | |
**Events List:**
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4660](event-4660.md)(S): An object was deleted.
- [4663](event-4663.md)(S): An attempt was made to access an object.
- [4664](event-4664.md)(S): An attempt was made to create a hard link.
- [4985](event-4985.md)(S): The state of a transaction has changed.
- [5051](event-5051.md)(-): A file was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

63
windows/keep-secure/audit-filtering-platform-connection.md
View File

@ -2,48 +2,55 @@
title: Audit Filtering Platform Connection (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Connection, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
ms.assetid: d72936e9-ff01-4d18-b864-a4958815df59
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Filtering Platform Connection
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Connection**, which determines whether the operating system generates audit events when connections are allowed or blocked by the Windows Filtering Platform.
Audit Filtering Platform Connection determines whether the operating system generates audit events when connections are allowed or blocked by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx).
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
This security policy enables you to audit the following types of actions:
This subcategory contains Windows Filtering Platform events about blocked and allowed connections, blocked and allowed port bindings, blocked and allowed port listening actions, and blocked to accept incoming connections applications.
- The Windows Firewall service blocks an application from accepting incoming connections on the network.
- The Windows Filtering Platform allows or blocks a connection.
- The Windows Filtering Platform permits or blocks a bind to a local port.
- The Windows Filtering Platform permits or blocks an application or service from listening for incoming connections on a port.
**Event volume**: High.
Event volume: High
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
| Member Server | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
| Workstation | No | Yes | IF | Yes | Success auditing for this subcategory typically generates a very high volume of events, for example, one event for every connection that was made to the system. It is much more important to audit Failure events (blocked connections, for example). For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>IF - Enable Success audit in case you need to monitor successful outbound or inbound connections to and from untrusted IP addresses on high value computers or devices. |
Default: Not configured
**Events List:**
| Event ID | Event message |
| - | - |
| 5031 | The Windows Firewall Service blocked an application from accepting incoming connections on the network. |
| 5140 | A network share object was accessed. |
| 5150 | The Windows Filtering Platform blocked a packet. |
| 5151 | A more restrictive Windows Filtering Platform filter has blocked a packet. |
| 5154 | The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections. |
| 5155 | The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections. |
| 5156 | The Windows Filtering Platform has allowed a connection. |
| 5157 | The Windows Filtering Platform has blocked a connection. |
| 5158 | The Windows Filtering Platform has permitted a bind to a local port. |
| 5159 | The Windows Filtering Platform has blocked a bind to a local port. |
 
## Related topics
- [5031](event-5031.md)(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
- [5150](event-5150.md)(-): The Windows Filtering Platform blocked a packet.
- [5151](event-5151.md)(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
- [5154](event-5154.md)(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
- [5155](event-5155.md)(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
- [5156](event-5156.md)(S): The Windows Filtering Platform has permitted a connection.
- [5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection.
- [5158](event-5158.md)(S): The Windows Filtering Platform has permitted a bind to a local port.
- [5159](event-5159.md)(F): The Windows Filtering Platform has blocked a bind to a local port.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

38
windows/keep-secure/audit-filtering-platform-packet-drop.md
View File

@ -2,35 +2,41 @@
title: Audit Filtering Platform Packet Drop (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Packet Drop, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.
ms.assetid: 95457601-68d1-4385-af20-87916ddab906
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Filtering Platform Packet Drop
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Packet Drop**, which determines whether the operating system generates audit events when packets are dropped by the Windows Filtering Platform.
Audit Filtering Platform Packet Drop determines whether the operating system generates audit events when packets are dropped by the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx).
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
A high rate of dropped packets may indicate that there have been attempts to gain unauthorized access to computers on your network.
A high rate of dropped packets *may* indicate that there have been attempts to gain unauthorized access to computers on your network.
Event volume: High
**Event volume**: High.
Default setting: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
| Member Server | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
| Workstation | No | No | No | No | Failure events volume typically is very high for this subcategory and typically used for troubleshooting. If you need to monitor blocked connections, it is better to use “[5157](event-5157.md)(F): The Windows Filtering Platform has blocked a connection,” because it contains almost the same information and generates per-connection, not per-packet.<br>There is no recommendation to enable Success auditing, because Success events in this subcategory rarely occur. |
| Event ID | Event message |
| - | - |
| 5152 | The Windows Filtering Platform blocked a packet. |
| 5153 | A more restrictive Windows Filtering Platform filter has blocked a packet. |
 
## Related topics
**Events List:**
- [5152](event-5152.md)(F): The Windows Filtering Platform blocked a packet.
- [5153](event-5153.md)(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

305
windows/keep-secure/audit-filtering-platform-policy-change.md
View File

@ -2,224 +2,121 @@
title: Audit Filtering Platform Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Filtering Platform Policy Change, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions.
ms.assetid: 0eaf1c56-672b-4ea9-825a-22dc03eb4041
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Filtering Platform Policy Change
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Filtering Platform Policy Change**, which determines whether the operating system generates audit events for certain IPsec and Windows Filtering Platform actions.
Audit Filtering Platform Policy Change allows you to audit events generated by changes to the [Windows Filtering Platform](https://msdn.microsoft.com/en-us/library/windows/desktop/aa366510(v=vs.85).aspx) (WFP), such as the following:
- IPsec services status.
- Changes to IPsec policy settings.
- Changes to Windows Filtering Platform Base Filtering Engine policy settings.
- Changes to WFP providers and engine.
Windows Filtering Platform (WFP) enables independent software vendors (ISVs) to filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).
This security policy setting determines whether the operating system generates audit events for:
This subcategory is outside the scope of this document.
- IPsec services status.
- Changes to IPsec settings.
- Status and changes to the Windows Filtering Platform engine and providers.
- IPsec Policy Agent service activities.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------|
| Domain Controller | - | - | - | - | This subcategory is outside the scope of this document. |
| Member Server | - | - | - | - | This subcategory is outside the scope of this document. |
| Workstation | - | - | - | - | This subcategory is outside the scope of this document. |
Event volume: Low
## 4709(S): IPsec Services was started.
Default: Not configured
## 4710(S): IPsec Services was disabled.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4709</p></td>
<td align="left"><p>IPsec Services was started.</p></td>
</tr>
<tr class="even">
<td align="left"><p>4710</p></td>
<td align="left"><p>IPsec Services was disabled.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4711</p></td>
<td align="left"><p>May contain any one of the following:</p>
<ul>
<li><p>PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine applied Active Directory storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine applied local registry storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine failed to apply local registry storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine failed to apply some rules of the active IPsec policy on the computer.</p></li>
<li><p>PAStore Engine failed to load directory storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine loaded directory storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine failed to load local storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine loaded local storage IPsec policy on the computer.</p></li>
<li><p>PAStore Engine polled for changes to the active IPsec policy and detected no changes.</p></li>
</ul></td>
</tr>
<tr class="even">
<td align="left"><p>4712</p></td>
<td align="left"><p>IPsec Services encountered a potentially serious failure.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5040</p></td>
<td align="left"><p>A change has been made to IPsec settings. An Authentication Set was added.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5041</p></td>
<td align="left"><p>A change has been made to IPsec settings. An Authentication Set was modified.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5042</p></td>
<td align="left"><p>A change has been made to IPsec settings. An Authentication Set was deleted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5043</p></td>
<td align="left"><p>A change has been made to IPsec settings. A Connection Security Rule was added.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5044</p></td>
<td align="left"><p>A change has been made to IPsec settings. A Connection Security Rule was modified.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5045</p></td>
<td align="left"><p>A change has been made to IPsec settings. A Connection Security Rule was deleted.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5046</p></td>
<td align="left"><p>A change has been made to IPsec settings. A Crypto Set was added.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5047</p></td>
<td align="left"><p>A change has been made to IPsec settings. A Crypto Set was modified.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5048</p></td>
<td align="left"><p>A change has been made to IPsec settings. A Crypto Set was deleted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5440</p></td>
<td align="left"><p>The following callout was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5441</p></td>
<td align="left"><p>The following filter was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5442</p></td>
<td align="left"><p>The following provider was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5443</p></td>
<td align="left"><p>The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5444</p></td>
<td align="left"><p>The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5446</p></td>
<td align="left"><p>A Windows Filtering Platform callout has been changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5448</p></td>
<td align="left"><p>A Windows Filtering Platform provider has been changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5449</p></td>
<td align="left"><p>A Windows Filtering Platform provider context has been changed.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5450</p></td>
<td align="left"><p>A Windows Filtering Platform sub-layer has been changed.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5456</p></td>
<td align="left"><p>PAStore Engine applied Active Directory storage IPsec policy on the computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5457</p></td>
<td align="left"><p>PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5458</p></td>
<td align="left"><p>PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5459</p></td>
<td align="left"><p>PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5460</p></td>
<td align="left"><p>PAStore Engine applied local registry storage IPsec policy on the computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5461</p></td>
<td align="left"><p>PAStore Engine failed to apply local registry storage IPsec policy on the computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5462</p></td>
<td align="left"><p>PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5463</p></td>
<td align="left"><p>PAStore Engine polled for changes to the active IPsec policy and detected no changes.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5464</p></td>
<td align="left"><p>PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5465</p></td>
<td align="left"><p>PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5466</p></td>
<td align="left"><p>PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5467</p></td>
<td align="left"><p>PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5468</p></td>
<td align="left"><p>PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5471</p></td>
<td align="left"><p>PAStore Engine loaded local storage IPsec policy on the computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5472</p></td>
<td align="left"><p>PAStore Engine failed to load local storage IPsec policy on the computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5473</p></td>
<td align="left"><p>PAStore Engine loaded directory storage IPsec policy on the computer.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>5474</p></td>
<td align="left"><p>PAStore Engine failed to load directory storage IPsec policy on the computer.</p></td>
</tr>
<tr class="even">
<td align="left"><p>5477</p></td>
<td align="left"><p>PAStore Engine failed to add quick mode filter.</p></td>
</tr>
</tbody>
</table>
 
## Related topics
## 4711(S): May contain any one of the following:
## 4712(F): IPsec Services encountered a potentially serious failure.
## 5040(S): A change has been made to IPsec settings. An Authentication Set was added.
## 5041(S): A change has been made to IPsec settings. An Authentication Set was modified.
## 5042(S): A change has been made to IPsec settings. An Authentication Set was deleted.
## 5043(S): A change has been made to IPsec settings. A Connection Security Rule was added.
## 5044(S): A change has been made to IPsec settings. A Connection Security Rule was modified.
## 5045(S): A change has been made to IPsec settings. A Connection Security Rule was deleted.
## 5046(S): A change has been made to IPsec settings. A Crypto Set was added.
## 5047(S): A change has been made to IPsec settings. A Crypto Set was modified.
## 5048(S): A change has been made to IPsec settings. A Crypto Set was deleted.
## 5440(S): The following callout was present when the Windows Filtering Platform Base Filtering Engine started.
## 5441(S): The following filter was present when the Windows Filtering Platform Base Filtering Engine started.
## 5442(S): The following provider was present when the Windows Filtering Platform Base Filtering Engine started.
## 5443(S): The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.
## 5444(S): The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.
## 5446(S): A Windows Filtering Platform callout has been changed.
## 5448(S): A Windows Filtering Platform provider has been changed.
## 5449(S): A Windows Filtering Platform provider context has been changed.
## 5450(S): A Windows Filtering Platform sub-layer has been changed.
## 5456(S): PAStore Engine applied Active Directory storage IPsec policy on the computer.
## 5457(F): PAStore Engine failed to apply Active Directory storage IPsec policy on the computer.
## 5458(S): PAStore Engine applied locally cached copy of Active Directory storage IPsec policy on the computer.
## 5459(F): PAStore Engine failed to apply locally cached copy of Active Directory storage IPsec policy on the computer.
## 5460(S): PAStore Engine applied local registry storage IPsec policy on the computer.
## 5461(F): PAStore Engine failed to apply local registry storage IPsec policy on the computer.
## 5462(F): PAStore Engine failed to apply some rules of the active IPsec policy on the computer. Use the IP Security Monitor snap-in to diagnose the problem.
## 5463(S): PAStore Engine polled for changes to the active IPsec policy and detected no changes.
## 5464(S): PAStore Engine polled for changes to the active IPsec policy, detected changes, and applied them to IPsec Services.
## 5465(S): PAStore Engine received a control for forced reloading of IPsec policy and processed the control successfully.
## 5466(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory cannot be reached, and will use the cached copy of the Active Directory IPsec policy instead. Any changes made to the Active Directory IPsec policy since the last poll could not be applied.
## 5467(F): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, and found no changes to the policy. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5468(S): PAStore Engine polled for changes to the Active Directory IPsec policy, determined that Active Directory can be reached, found changes to the policy, and applied those changes. The cached copy of the Active Directory IPsec policy is no longer being used.
## 5471(S): PAStore Engine loaded local storage IPsec policy on the computer.
## 5472(F): PAStore Engine failed to load local storage IPsec policy on the computer.
## 5473(S): PAStore Engine loaded directory storage IPsec policy on the computer.
## 5474(F): PAStore Engine failed to load directory storage IPsec policy on the computer.
## 5477(F): PAStore Engine failed to add quick mode filter.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

42
windows/keep-secure/audit-group-membership.md
View File

@ -2,37 +2,47 @@
title: Audit Group Membership (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Group Membership, which enables you to audit group memberships when they are enumerated on the client PC.
ms.assetid: 1CD7B014-FBD9-44B9-9274-CC5715DE58B9
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Group Membership
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Group Membership**, which enables you to audit group memberships when they are enumerated on the client PC.
Audit Group Membership enables you to audit group memberships when they are enumerated on the client computer.
This policy allows you to audit the group membership information in the user's logon token. Events in this subcategory are generated on the computer on which a logon session is created.
For an interactive logon, the security audit event is generated on the computer that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
> **Note:**  You must also enable the **Audit Logon** setting under **Advanced Audit Policy Configuration\\System Audit Policies\\Logon/Logoff**.
 
You must also enable the [Audit Logon](audit-logon.md) subcategory.
Multiple events are generated if the group membership information cannot fit in a single security audit event
Event volume: High
**Event volume**:
Default: Not configured
- Low on a client computer.
| Event ID | Event message |
| - | - |
| 4627 | Group membership information. |
 
## Related topics
- Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | Group membership information for logged in user can help to detect that member of specific domain or local group logged in to the machine (for example, member of database administrators, built-in local administrators, domain administrators, service accounts group or other high value groups).<br>For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4627](event-4627.md)(S): Group membership information.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

42
windows/keep-secure/audit-handle-manipulation.md
View File

@ -2,37 +2,41 @@
title: Audit Handle Manipulation (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Handle Manipulation, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
ms.assetid: 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Handle Manipulation
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Handle Manipulation**, which determines whether the operating system generates audit events when a handle to an object is opened or closed.
Only objects with configured system access control lists (SACLs) generate these events, and only if the attempted handle operation matches the SACL.
Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) and [Audit SAM](audit-sam.md) subcategories, and shows objects handle duplication and close actions.
> **Important:**  Handle Manipulation events are generated only for object types where the corresponding File System or Registry Object Access subcategory is enabled. For more information, see [Audit File System](audit-file-system.md) or [Audit Registry](audit-registry.md).
 
**Event volume**: High.
Event volume: High, depending on how SACLs are configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze.<br>There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor in Objects Handles level. |
Default: Not configured
**Events List:**
| Event ID | Event message |
| - | - |
| 4656 | A handle to an object was requested. |
| 4658 | The handle to an object was closed. |
| 4690 | An attempt was made to duplicate a handle to an object. |
 
## Related topics
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4690](event-4690.md)(S): An attempt was made to duplicate a handle to an object.
## 4658(S): The handle to an object was closed.
This event doesnt generate in this subcategory, but you can use this subcategory to enable it. For a description of the event, see “[4658](event-4658.md)(S): The handle to an object was closed” in the Audit File System subcategory.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

78
windows/keep-secure/audit-ipsec-driver.md
View File

@ -2,53 +2,69 @@
title: Audit IPsec Driver (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit IPsec Driver, which determines whether the operating system generates audit events for the activities of the IPsec driver.
ms.assetid: c8b8c02f-5ad0-4ee5-9123-ea8cdae356a5
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit IPsec Driver
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit IPsec Driver**, which determines whether the operating system generates audit events for the activities of the IPsec driver.
The IPsec driver, using the IP Filter List from the active IPsec policy, watches for outbound IP packets that must be secured and inbound IP packets that must be verified and decrypted. This security policy setting reports on the following activities of the IPsec driver:
Audit IPsec Driver allows you to audit events generated by IPSec driver such as the following:
- Startup and shutdown of IPsec services.
- Packets dropped due to integrity-check failure.
- Packets dropped due to replay-check failure.
- Packets dropped due to being in plaintext.
- Packets received with an incorrect Security Parameter Index (SPI). (This can indicate malfunctioning hardware or interoperability problems.)
- Failure to process IPsec filters.
- Startup and shutdown of the IPsec services.
- Network packets dropped due to integrity check failure.
- Network packets dropped due to replay check failure.
- Network packets dropped due to being in plaintext.
- Network packets received with incorrect Security Parameter Index (SPI). This may indicate that either the network card is not working correctly or the driver needs to be updated.
- Inability to process IPsec filters.
A high rate of packet drops by the IPsec filter driver may indicate attempts to gain access to the network by unauthorized systems.
Failure to process IPsec filters poses a potential security risk because some network interfaces may not get the protection that is provided by the IPsec filter.
Event volume: Medium
This subcategory is outside the scope of this document.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at IPsec Driver level. |
| Event ID | Event message |
| - | - |
| 4960 | IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations. |
| 4961 | IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer. |
| 4962 | IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay. |
| 4963 | IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt. |
| 4965 | IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored. |
| 5478 | IPsec Services has started successfully. |
| 5479 | IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5480 | IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
| 5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started. |
| 5484 | IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks. |
| 5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem. |
 
## Related topics
## 4960(S): IPsec dropped an inbound packet that failed an integrity check. If this problem persists, it could indicate a network issue or that packets are being modified in transit to this computer. Verify that the packets sent from the remote computer are the same as those received by this computer. This error might also indicate interoperability problems with other IPsec implementations.
## 4961(S): IPsec dropped an inbound packet that failed a replay check. If this problem persists, it could indicate a replay attack against this computer.
## 4962(S): IPsec dropped an inbound packet that failed a replay check. The inbound packet had too low a sequence number to ensure it was not a replay.
## 4963(S): IPsec dropped an inbound clear text packet that should have been secured. This is usually due to the remote computer changing its IPsec policy without informing this computer. This could also be a spoofing attack attempt.
## 4965(S): IPsec received a packet from a remote computer with an incorrect Security Parameter Index (SPI). This is usually caused by malfunctioning hardware that is corrupting packets. If these errors persist, verify that the packets sent from the remote computer are the same as those received by this computer. This error may also indicate interoperability problems with other IPsec implementations. In that case, if connectivity is not impeded, then these events can be ignored.
## 5478(S): IPsec Services has started successfully.
## 5479(): IPsec Services has been shut down successfully. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
## 5480(F): IPsec Services failed to get the complete list of network interfaces on the computer. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
## 5483(F): IPsec Services failed to initialize RPC server. IPsec Services could not be started.
## 5484(F): IPsec Services has experienced a critical failure and has been shut down. The shutdown of IPsec Services can put the computer at greater risk of network attack or expose the computer to potential security risks.
## 5485(F): IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces. This poses a potential security risk because some of the network interfaces may not get the protection provided by the applied IPsec filters. Use the IP Security Monitor snap-in to diagnose the problem.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

50
windows/keep-secure/audit-ipsec-extended-mode.md
View File

@ -2,41 +2,45 @@
title: Audit IPsec Extended Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Extended Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
ms.assetid: 2b4fee9e-482a-4181-88a8-6a79d8fc8049
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit IPsec Extended Mode
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Extended Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
Audit IPsec Extended Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Extended Mode negotiations.
AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports main-mode and quick-mode negotiation.
AuthIP also supports Extended Mode, a part of IPsec peer negotiation during which a second round of authentication can be performed. Extended Mode, which is optional, can be used for multiple authentications. For example, with extended mode you can perform separate computer-based and user-based authentications.
Audit IPsec Extended Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Extended Mode troubleshooting.
Event volume: High
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Extended Mode troubleshooting, or for tracing or monitoring IPsec Extended Mode operations. |
Default: Not configured
## 4978: During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
| Event ID | Event message |
| - | - |
| 4978 | During Extended Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 4979 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:** This event provides event data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint, Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, and Extended Mode Information. |
| 4980 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:** This event provides event audit data in the following categories: Main Mode Local Endpoint, Main Mode Remote Endpoint. Main Mode Cryptographic Information, Main Mode Security Association, Main Mode Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information: |
| 4981 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, and Extended Mode Information. |
| 4982 | IPsec Main Mode and Extended Mode security associations were established.<br>**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Cryptographic Information, Security Association Information, Additional Information, Extended Mode Local Endpoint, Extended Mode Remote Endpoint, and Extended Mode Additional Information. |
| 4983 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.<br>**Note:** This event provides event audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, and Failure Information. |
| 4984 | An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.<br>**Note:** This event provides event audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. |
 
## Related topics
## 4979: IPsec Main Mode and Extended Mode security associations were established.
## 4980: IPsec Main Mode and Extended Mode security associations were established.
## 4981: IPsec Main Mode and Extended Mode security associations were established.
## 4982: IPsec Main Mode and Extended Mode security associations were established.
## 4983: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
## 4984: An IPsec Extended Mode negotiation failed. The corresponding Main Mode security association has been deleted.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

57
windows/keep-secure/audit-ipsec-main-mode.md
View File

@ -2,42 +2,49 @@
title: Audit IPsec Main Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Main Mode, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
ms.assetid: 06ed26ec-3620-4ef4-a47a-c70df9c8827b
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit IPsec Main Mode
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Main Mode**, which determines whether the operating system generates events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation.
Main Mode Internet Key Exchange (IKE) negotiation establishes a secure channel, known as the Internet Security Association and Key Management Protocol (ISAKMP) security association (SA), between two computers. To establish the secure channel, Main Mode negotiation determines a set of cryptographic protection suites, exchanges keying material to establish the shared secret key, and authenticates computer identities.
Audit IPsec Main Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Main Mode negotiations.
Event volume: High
Audit IPsec Main Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Main Mode troubleshooting.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Main Mode troubleshooting, or for tracing or monitoring IPsec Main Mode operations. |
| Event ID | Event message |
| - | - |
| 4646 | Security ID: %1 |
| 4650 | An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used. |
| 4651 | An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication. |
| 4652 | An IPsec Main Mode negotiation failed.<br>**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Local Certificate, Remote Endpoint, Remote Certificate, Additional Information, and Failure Information. |
| 4653 | An IPsec Main Mode negotiation failed.<br>**Note:** This audit event returns detailed audit data in the following categories: Local Endpoint, Remote Endpoint, Additional Information, and Failure Information. |
| 4655 | An IPsec Main Mode security association ended. |
| 4976 | During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation. |
| 5049 | An IPsec Security Association was deleted. |
| 5453 | An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started. |
 
## Related topics
## 4646: Security ID: %1
## 4650: An IPsec Main Mode security association was established. Extended Mode was not enabled. Certificate authentication was not used.
## 4651: An IPsec Main Mode security association was established. Extended Mode was not enabled. A certificate was used for authentication.
## 4652: An IPsec Main Mode negotiation failed.
## 4653: An IPsec Main Mode negotiation failed.
## 4655: An IPsec Main Mode security association ended.
## 4976: During Main Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5049: An IPsec Security Association was deleted.
## 5453: An IPsec negotiation with a remote computer failed because the IKE and AuthIP IPsec Keying Modules (IKEEXT) service is not started.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

39
windows/keep-secure/audit-ipsec-quick-mode.md
View File

@ -2,36 +2,37 @@
title: Audit IPsec Quick Mode (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit IPsec Quick Mode, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
ms.assetid: 7be67a15-c2ce-496a-9719-e25ac7699114
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit IPsec Quick Mode
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit IPsec Quick Mode**, which determines whether the operating system generates audit events for the results of the Internet Key Exchange (IKE) protocol and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
IKE is an Internet standard, defined in RFC 2409, that defines a mechanism to establish IPsec security associations (SAs). An SA is a combination of a mutually agreeable policy and keys that define the security services and mechanisms that help protect communication between IPsec peers.
AuthIP is an enhanced version of IKE that offers additional flexibility with support for user-based authentication, authentication with multiple credentials, improved authentication method negotiation, and asymmetric authentication. Like IKE, AuthIP supports Main Mode and Quick Mode negotiation.
Quick Mode (also known as Phase 2) IKE negotiation establishes a secure channel between two computers to protect data. Because this phase involves the establishment of security associations (SAs) that are negotiated on behalf of the IPsec service, the SAs that are created during Quick Mode are called the IPsec SAs. During Quick Mode, keying material is refreshed or, if necessary, new keys are generated. A protection suite that protects specified IP traffic is also selected. A protection suite is a defined set of data integrity or data encryption settings. Quick Mode is not considered a complete exchange because it is dependent on a Main Mode exchange.
Audit IPsec Quick Mode allows you to audit events generated by Internet Key Exchange protocol (IKE) and Authenticated Internet Protocol (AuthIP) during Quick Mode negotiations.
Event volume: High
Audit IPsec Quick Mode subcategory is out of scope of this document, because this subcategory is mainly used for IPsec Quick Mode troubleshooting.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Member Server | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Workstation | IF | IF | IF | IF | IF - This subcategory is mainly used for IPsec Quick Mode troubleshooting, or for tracing or monitoring IPsec Quick Mode operations. |
| Event ID | Event message |
|- |- |
| 4977 | During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.|
| 5451 | An IPsec Quick Mode security association was established.|
| 5452 | An IPsec Quick Mode security association ended.|
 
## Related topics
## 4977: During Quick Mode negotiation, IPsec received an invalid negotiation packet. If this problem persists, it could indicate a network issue or an attempt to modify or replay this negotiation.
## 5451: An IPsec Quick Mode security association was established.
## 5452: An IPsec Quick Mode security association ended.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

42
windows/keep-secure/audit-kerberos-authentication-service.md
View File

@ -2,35 +2,43 @@
title: Audit Kerberos Authentication Service (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Authentication Service, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
ms.assetid: 990dd6d9-1a1f-4cce-97ba-5d7e0a7db859
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Kerberos Authentication Service
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Authentication Service**, which determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
Audit Kerberos Authentication Service determines whether to generate audit events for Kerberos authentication ticket-granting ticket (TGT) requests.
If you configure this policy setting, an audit event is generated after a Kerberos authentication TGT request. Success audits record successful attempts and Failure audits record unsuccessful attempts.
Event volume: High on Kerberos Key Distribution Center servers
**Event volume**: High on Kerberos Key Distribution Center servers.
Default: Not configured
This subcategory contains events about issued TGTs and failed TGT requests. It also contains events about failed Pre-Authentications, due to wrong user password or when the users password has expired.
| Event ID | Event message |
| - | - |
| 4768 | A Kerberos authentication ticket (TGT) was requested. |
| 4771 | Kerberos preauthentication failed. |
| 4772 | A Kerberos authentication ticket request failed. |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, because you will see all Kerberos Authentication requests (TGT requests), which are a part of domain account logons. Also, you can see the IP address from which this account requested a TGT, when TGT was requested, which encryption type was used and so on.<br>We recommend Failure auditing, because you will see all failed requests with wrong password, username, revoked certificate, and so on. You will also be able to detect Kerberos issues or possible attack attempts. <br>Expected volume is high on domain controllers. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
**Events List:**
- [4768](event-4768.md)(S, F): A Kerberos authentication ticket (TGT) was requested.
- [4771](event-4771.md)(F): Kerberos pre-authentication failed.
- [4772](event-4772.md)(F): A Kerberos authentication ticket request failed.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

42
windows/keep-secure/audit-kerberos-service-ticket-operations.md
View File

@ -2,37 +2,43 @@
title: Audit Kerberos Service Ticket Operations (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kerberos Service Ticket Operations, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
ms.assetid: ddc0abef-ac7f-4849-b90d-66700470ccd6
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Kerberos Service Ticket Operations
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kerberos Service Ticket Operations**, which determines whether the operating system generates security audit events for Kerberos service ticket requests.
Audit Kerberos Service Ticket Operations determines whether the operating system generates security audit events for Kerberos service ticket requests.
Events are generated every time Kerberos is used to authenticate a user who wants to access a protected network resource. Kerberos service ticket operation audit events can be used to track user activity.
Event volume:
**Event volume**: Very High on Kerberos Key Distribution Center servers.
- High on a domain controller that is in a Key Distribution Center (KDC)
- Low on domain members
This subcategory contains events about issued TGSs and failed TGS requests.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | Yes | Yes | Expected volume is very high on domain controllers.<br><br>IF - We recommend Success auditing, because you will see all Kerberos Service Ticket requests (TGS requests), which are part of service use and access requests by specific accounts. Also, you can see the IP address from which this account requested TGS, when TGS was requested, which encryption type was used, and so on. For recommendations for using and analyzing the collected information, see the ***Security Monitoring Recommendations*** sections.<br>We recommend Failure auditing, because you will see all failed requests and be able to investigate the reason for failure. You will also be able to detect Kerberos issues or possible attack attempts. |
| Member Server | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Workstation | No | No | No | No | This subcategory makes sense only on domain controllers. |
| Event ID | Event message |
| - | - |
| 4769 | A Kerberos service ticket was requested. |
| 4770 | A Kerberos service ticket was renewed. |
 
## Related topics
**Events List:**
- [4769](event-4769.md)(S, F): A Kerberos service ticket was requested.
- [4770](event-4770.md)(S): A Kerberos service ticket was renewed.
- [4773](event-4773.md)(F): A Kerberos service ticket request failed.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

53
windows/keep-secure/audit-kernel-object.md
View File

@ -2,40 +2,49 @@
title: Audit Kernel Object (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Kernel Object, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
ms.assetid: 75619d8b-b1eb-445b-afc9-0f9053be97fb
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Kernel Object
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Kernel Object**, which determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
Only kernel objects with a matching system access control list (SACL) generate security audit events. The audits generated are usually useful only to developers.
Audit Kernel Object determines whether the operating system generates audit events when users attempt to access the system kernel, which includes mutexes and semaphores.
Typically, kernel objects are given SACLs only if the **AuditBaseObjects** or **AuditBaseDirectories** auditing options are enabled.
Only kernel objects with a matching system access control list ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)) generate security audit events. The audits generated are usually useful only to developers.
> **Note:**  The **Audit: Audit the access of global system objects** policy setting controls the default SACL of kernel objects.
 
Event volume: High if you have enabled one of the Global Object Access Auditing settings
Typically, kernel objects are given SACLs only if the AuditBaseObjects or AuditBaseDirectories auditing options are enabled.
The “[Audit: Audit the access of global system objects](https://technet.microsoft.com/en-us/library/jj852233.aspx)” policy setting controls the default SACL of kernel objects.
**Event volume**: High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
| Member Server | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
| Workstation | No | No | No | No | Typically Kernel object auditing events have little to no security relevance and are hard to parse or analyze. Also, the volume of these events is typically very high. <br>There is no recommendation to enable this subcategory, unless you know exactly what you need to monitor at the Kernel objects level. |
**Events List:**
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4660](event-4660.md)(S): An object was deleted.
- [4663](event-4663.md)(S): An attempt was made to access an object.
Default setting: Not configured
| Event ID | Event message |
| - | - |
| 4659 | A handle to an object was requested with intent to delete. |
| 4660 | An object was deleted. |
| 4661 | A handle to an object was requested. |
| 4663 | An attempt was made to access an object. |
 
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

43
windows/keep-secure/audit-logoff.md
View File

@ -2,38 +2,45 @@
title: Audit Logoff (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logoff, which determines whether the operating system generates audit events when logon sessions are terminated.
ms.assetid: 681e51f2-ba06-46f5-af8c-d9c48d515432
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Logoff
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logoff**, which determines whether the operating system generates audit events when logon sessions are terminated.
Audit Logoff determines whether the operating system generates audit events when logon sessions are terminated.
These events occur on the computer that was accessed. In the case of an interactive logon, these events are generated on the computer that was logged on to.
> **Note: **  There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
 
There is no failure event in this subcategory because failed logoffs (such as when a system abruptly shuts down) do not generate an audit record.
Logon events are essential to understanding user activity and detecting potential attacks. Logoff events are not 100 percent reliable. For example, the computer can be turned off without a proper logoff and shutdown; in this case, a logoff event is not generated.
Event volume: Low
**Event volume**: Low.
Default: Success
This subcategory allows you to audit events generated by the closing of a logon session. These events occur on the computer that was accessed. For an interactive logoff the security audit event is generated on the computer that the user account logged on to.
| Event ID | Event message |
| - | - |
| 4634 | An account was logged off. |
| 4647 | User initiated logoff. |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | Yes | No | This subcategory typically generates huge amount of “[4634](event-4634.md)(S): An account was logged off.” events which, typically has little security relevance. It is more important to audit Logon events using [Audit Logon](audit-logon.md) subcategory, rather than Logoff events.<br>Enable Success audit if you want to track, for example, for how long session was active (in correlation with [Audit Logon](audit-logon.md) events) and when user actually logged off.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4634](event-4634.md)(S): An account was logged off.
- [4647](event-4647.md)(S): User initiated logoff.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

51
windows/keep-secure/audit-logon.md
View File

@ -2,44 +2,57 @@
title: Audit Logon (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Logon, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
ms.assetid: ca968d03-7d52-48c4-ba0e-2bcd2937231b
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Logon
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Logon**, which determines whether the operating system generates audit events when a user attempts to log on to a computer.
Audit Logon determines whether the operating system generates audit events when a user attempts to log on to a computer.
These events are related to the creation of logon sessions and occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For a network logon, such as accessing a share, events are generated on the computer that hosts the resource that was accessed.
The following events are recorded:
- Logon success and failure.
- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the Runas command.
- Logon attempts by using explicit credentials. This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch configurations such as scheduled tasks, or when using the **RunAs** command.
- Security identifiers (SIDs) are filtered.
Logon events are essential to tracking user activity and detecting potential attacks.
Event volume: Low on a client computer; medium on a domain controller or network server
**Event volume**:
Default: Success for client computers; success and failure for servers
- Low on a client computer.
| Event ID | Event message |
| - | - |
| 4624 | An account was successfully logged on. |
| 4625 | An account failed to log on. |
| 4648 | A logon was attempted using explicit credentials. |
| 4675 | SIDs were filtered. |
 
## Related topics
- Medium on a domain controllers or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
| Member Server | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
| Workstation | Yes | Yes | Yes | Yes | Audit Logon events, for example, will give you information about which account, when, using which Logon Type, from which machine logged on to this machine.<br>Failure events will show you failed logon attempts and the reason why these attempts failed. |
**Events List:**
- [4624](event-4624.md)(S): An account was successfully logged on.
- [4625](event-4625.md)(F): An account failed to log on.
- [4648](event-4648.md)(S): A logon was attempted using explicit credentials.
- [4675](event-4675.md)(S): SIDs were filtered.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

77
windows/keep-secure/audit-mpssvc-rule-level-policy-change.md
View File

@ -2,54 +2,77 @@
title: Audit MPSSVC Rule-Level Policy Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit MPSSVC Rule-Level Policy Change, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
ms.assetid: 263461b3-c61c-4ec3-9dee-851164845019
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit MPSSVC Rule-Level Policy Change
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit MPSSVC Rule-Level Policy Change**, which determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
Audit MPSSVC Rule-Level Policy Change determines whether the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe).
The Microsoft Protection Service, which is used by Windows Firewall, is an integral part of the computers threat protection against malware. The tracked activities include:
- Active policies when the Windows Firewall service starts.
- Changes to Windows Firewall rules.
- Changes to the Windows Firewall exception list.
- Changes to Windows Firewall settings.
- Rules ignored or not applied by the Windows Firewall service.
- Changes to Windows Firewall Group Policy settings.
Changes to firewall rules are important for understanding the security state of the computer and how well it is protected against network attacks.
Event volume: Low
**Event volume**: Medium.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
| Member Server | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
| Workstation | Yes | Yes | Yes | Yes | Success events shows you changes in Windows Firewall rules and settings, active configuration and rules after Windows Firewall Service startup and default configuration restore actions.<br>Failure events may help to identify configuration problems with Windows Firewall rules or settings. |
| Event ID | Event message |
| - | - |
| 4944 | The following policy was active when the Windows Firewall started. |
| 4945 | A rule was listed when the Windows Firewall started. |
| 4946 | A change has been made to Windows Firewall exception list. A rule was added. |
| 4947 | A change has been made to Windows Firewall exception list. A rule was modified. |
| 4948 | A change has been made to Windows Firewall exception list. A rule was deleted. |
| 4949 | Windows Firewall settings were restored to the default values. |
| 4950 | A Windows Firewall setting has changed. |
| 4951 | A rule has been ignored because its major version number was not recognized by Windows Firewall. |
| 4952 | Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced. |
| 4953 | A rule has been ignored by Windows Firewall because it could not parse the rule. |
| 4954 | Windows Firewall Group Policy settings have changed. The new settings have been applied. |
| 4956 | Windows Firewall has changed the active profile. |
| 4957 | Windows Firewall did not apply the following rule: |
| 4958 | Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: |
 
## Related topics
**Events List:**
- [4944](event-4944.md)(S): The following policy was active when the Windows Firewall started.
- [4945](event-4945.md)(S): A rule was listed when the Windows Firewall started.
- [4946](event-4946.md)(S): A change has been made to Windows Firewall exception list. A rule was added.
- [4947](event-4947.md)(S): A change has been made to Windows Firewall exception list. A rule was modified.
- [4948](event-4948.md)(S): A change has been made to Windows Firewall exception list. A rule was deleted.
- [4949](event-4949.md)(S): Windows Firewall settings were restored to the default values.
- [4950](event-4950.md)(S): A Windows Firewall setting has changed.
- [4951](event-4951.md)(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
- [4952](event-4952.md)(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
- [4953](event-4953.md)(F): A rule has been ignored by Windows Firewall because it could not parse the rule.
- [4954](event-4954.md)(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
- [4956](event-4956.md)(S): Windows Firewall has changed the active profile.
- [4957](event-4957.md)(F): Windows Firewall did not apply the following rule:
- [4958](event-4958.md)(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

61
windows/keep-secure/audit-network-policy-server.md
View File

@ -2,40 +2,57 @@
title: Audit Network Policy Server (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Network Policy Server, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
ms.assetid: 43b2aea4-26df-46da-b761-2b30f51a80f7
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Network Policy Server
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Network Policy Server**, which determines whether the operating system generates audit events for RADIUS (IAS) and Network Access Protection (NAP) activity on user access requests (Grant, Deny, Discard, Quarantine, Lock, and Unlock).
Audit Network Policy Server allows you to audit events generated by RADIUS (IAS) and Network Access Protection (NAP) activity related to user access requests. These requests can be Grant, Deny, Discard, Quarantine, Lock, and Unlock.
If you configure this subcategory, an audit event is generated for each IAS and NAP user access request.
This subcategory generates events only if NAS or IAS role is installed on the server.
NAP events can be used to help understand the overall health of the network.
Event volume: Medium to high on servers that are running Network Policy Server (NPS); moderate on other servers or on client computers
**Event volume**: Medium to High on servers that are running [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS).
Default: Success and failure
Role-specific subcategories are outside the scope of this document.
| Event ID | Event message |
| - | - |
| 6272 | Network Policy Server granted access to a user. |
| 6273 | Network Policy Server denied access to a user. |
| 6274 | Network Policy Server discarded the request for a user. |
| 6275 | Network Policy Server discarded the accounting request for a user. |
| 6276 | Network Policy Server quarantined a user. |
| 6277 | Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy. |
| 6278 | Network Policy Server granted full access to a user because the host met the defined health policy. |
| 6279 | Network Policy Server locked the user account due to repeated failed authentication attempts. |
| 6280 | Network Policy Server unlocked the user account. |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Member Server | IF | IF | IF | IF | IF if a server has the [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role installed and you need to monitor access requests and other NPS-related events, enable this subcategory. |
| Workstation | No | No | No | No | [Network Policy Server](https://msdn.microsoft.com/en-us/library/cc732912.aspx) (NPS) role cannot be installed on client OS. |
## 6272: Network Policy Server granted access to a user.
## 6273: Network Policy Server denied access to a user.
## 6274: Network Policy Server discarded the request for a user.
## 6275: Network Policy Server discarded the accounting request for a user.
## 6276: Network Policy Server quarantined a user.
## 6277: Network Policy Server granted access to a user but put it on probation because the host did not meet the defined health policy.
## 6278: Network Policy Server granted full access to a user because the host met the defined health policy.
## 6279: Network Policy Server locked the user account due to repeated failed authentication attempts.
## 6280: Network Policy Server unlocked the user account.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

118
windows/keep-secure/audit-non-sensitive-privilege-use.md
View File

@ -1,68 +1,88 @@
---
title: Audit Non-Sensitive Privilege Use (Windows 10)
title: Audit Non Sensitive Privilege Use (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Non-Sensitive Privilege Use, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
ms.assetid: 8fd74783-1059-443e-aa86-566d78606627
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Non-Sensitive Privilege Use
# Audit Non Sensitive Privilege Use
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Non-Sensitive Privilege Use**, which determines whether the operating system generates audit events when non-sensitive privileges (user rights) are used.
The following privileges are non-sensitive:
Audit Non Sensitive Privilege Use contains events that show usage of non-sensitive privileges. This is the list of non-sensitive privileges:
- **Access Credential Manager as a trusted caller**
- **Access this computer from the network**
- **Add workstations to domain**
- **Adjust memory quotas for a process**
- **Allow log on locally**
- **Allow log on through Terminal Services**
- **Bypass traverse checking**
- **Change the system time**
- **Create a page file**
- **Create global objects**
- **Create permanent shared objects**
- **Create symbolic links**
- **Deny access to this computer from the network**
- **Deny log on as a batch job**
- **Deny log on as a service**
- **Deny log on locally**
- **Deny log on through Terminal Services**
- **Force shutdown from a remote system**
- **Increase a process working set**
- **Increase scheduling priority**
- **Lock pages in memory**
- **Log on as a batch job**
- **Log on as a service**
- **Modify an object label**
- **Perform volume maintenance tasks**
- **Profile single process**
- **Profile system performance**
- **Remove computer from docking station**
- **Shut down the system**
- **Synchronize directory service data**
- Access Credential Manager as a trusted caller
- Add workstations to domain
- Adjust memory quotas for a process
- Bypass traverse checking
- Change the system time
- Change the time zone
- Create a page file
- Create global objects
- Create permanent shared objects
- Create symbolic links
- Force shutdown from a remote system
- Increase a process working set
- Increase scheduling priority
- Lock pages in memory
- Modify an object label
- Perform volume maintenance tasks
- Profile single process
- Profile system performance
- Remove computer from docking station
- Shut down the system
- Synchronize directory service data
This subcategory also contains informational events from filesystem Transaction Manager.
If you configure this policy setting, an audit event is generated when a non-sensitive privilege is called. Success audits record successful attempts, and failure audits record unsuccessful attempts.
Event volume: Very high
**Event volume**: Very High.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
| Member Server | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
| Workstation | No | IF | No | IF | We do not recommend Success auditing because the volume of events is very high and typically they are not as important as events from [Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) subcategory.<br>IF You can enable Failure auditing if you need information about failed attempts to use non-sensitive privileges, for example, **SeShutdownPrivilege** or **SeRemoteShutdownPrivilege**. |
**Events List:**
- [4673](event-4673.md)(S, F): A privileged service was called.
- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object.
- [4985](event-4985.md)(S): The state of a transaction has changed.
Default: Not configured
| Event ID | Event message |
| - | - |
| 4672 | Special privileges assigned to new logon. |
| 4673 | A privileged service was called. |
| 4674 | An operation was attempted on a privileged object. |
 
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

52
windows/keep-secure/audit-other-account-logon-events.md
View File

@ -2,53 +2,31 @@
title: Audit Other Account Logon Events (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Other Account Logon Events, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
ms.assetid: c8c6bfe0-33d2-4600-bb1a-6afa840d75b3
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Other Account Logon Events
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Other Account Logon Events**, which allows you to audit events generated by responses to credential requests submitted for a user account logon that are not credential validation or Kerberos tickets.
Examples can include the following:
**General Subcategory Information:**
- Remote Desktop session disconnections
- New Remote Desktop sessions
- Locking and unlocking a workstation
- Invoking a screen saver
- Dismissing a screen saver
- Detection of a Kerberos replay attack, in which a Kerberos request with identical information was received twice
This auditing subcategory does not contain any events. It is intended for future use.
> **Note:**  This condition could be caused by a network misconfiguration.
 
- Access to a wireless network granted to a user or computer account
- Access to a wired 802.1x network granted to a user or computer account
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
| Member Server | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
| Workstation | No | No | No | No | This auditing subcategory does not contain any events. It is intended for future use, and there is no reason to enable it. |
Event volume: Varies, depending on system use
Default: Not configured
| Event ID | Event message |
| - | - |
| 4649 | A replay attack was detected. |
| 4778 | A session was reconnected to a Window Station. |
| 4779 | A session was disconnected from a Window Station. |
| 4800 | The workstation was locked. |
| 4801 | The workstation was unlocked. |
| 4802 | The screen saver was invoked. |
| 4803 | The screen saver was dismissed. |
| 5378 | The requested credentials delegation was disallowed by policy. |
| 5632 | A request was made to authenticate to a wireless network. |
| 5633 | A request was made to authenticate to a wired network. |
 
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

47
windows/keep-secure/audit-other-account-management-events.md
View File

@ -2,38 +2,43 @@
title: Audit Other Account Management Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Account Management Events, which determines whether the operating system generates user account management audit events.
ms.assetid: 4ce22eeb-a96f-4cf9-a46d-6642961a31d5
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Other Account Management Events
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Account Management Events**, which determines whether the operating system generates user account management audit events.
Events can be generated for user account management auditing when:
Audit Other Account Management Events determines whether the operating system generates user account management audit events.
- The password hash of an account is accessed. This typically happens when the Active Directory Migration Tool (ADMT) is moving password data.
- The Password Policy Checking application programming interface (API) is called. Calls to this function could be part of an attack from a malicious application that is testing whether password complexity policy settings are being applied.
- Changes are made to domain policy under **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Password Policy** or **Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Account Lockout Policy**.
> **Note:**  These events are logged when the domain policy is applied (on refresh or restart), not when settings are modified by an administrator.
 
Event volume: Low
**Event volume:** Typically Low on all types of computers.
Default: Not configured
This subcategory allows you to audit next events:
| Event ID | Event message |
| - | - |
| 4782 | The password hash for an account was accessed. |
| 4793 | The Password Policy Checking API was called. |
 
## Related topics
- The password hash of a user account was accessed. This happens during an Active Directory Management Tool password migration.
- The Password Policy Checking API was called. Password Policy Checking API allows an application to check password compliance against an application-provided account database or single account and verify that passwords meet the complexity, aging, minimum length, and history reuse requirements of a password policy.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4782](event-4782.md)(S): The password hash an account was accessed.
- [4793](event-4793.md)(S): The Password Policy Checking API was called.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

69
windows/keep-secure/audit-other-logonlogoff-events.md
View File

@ -2,50 +2,69 @@
title: Audit Other Logon/Logoff Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Logon/Logoff Events, which determines whether Windows generates audit events for other logon or logoff events.
ms.assetid: 76d987cd-1917-4907-a739-dd642609a458
<<<<<<< HEAD
ms.prod: w10
=======
ms.pagetype: security
ms.prod: W10
>>>>>>> secaudit
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Other Logon/Logoff Events
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Logon/Logoff Events**, which determines whether Windows generates audit events for other logon or logoff events.
Audit Other Logon/Logoff Events determines whether Windows generates audit events for other logon or logoff events.
These other logon or logoff events include:
- A Remote Desktop session connects or disconnects.
- A workstation is locked or unlocked.
- A screen saver is invoked or dismissed.
- A replay attack is detected. This event indicates that a Kerberos request was received twice with identical information. This condition could also be caused by network misconfiguration.
- A user is granted access to a wireless network. It can either be a user account or the computer account.
- A user is granted access to a wired 802.1x network. It can either be a user account or the computer account.
- A user is granted access to a wireless network. It can be either a user account or the computer account.
- A user is granted access to a wired 802.1x network. It can be either a user account or the computer account.
Logon events are essential to understanding user activity and detecting potential attacks.
Event volume: Low
**Event volume**: Low.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible Kerberos replay attacks, terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing, to track possible terminal session connect and disconnect actions, network authentication events, and some other events. Volume of these events is typically very low.<br>Failure events will show you when requested credentials [CredSSP](https://msdn.microsoft.com/en-us/library/cc226764.aspx) delegation was disallowed by policy. The volume of these events is very low—typically you will not get any of these events. |
| Event ID | Event message |
| - | - |
| 4649 | A replay attack was detected. |
| 4778 | A session was reconnected to a Window Station. |
| 4779 | A session was disconnected from a Window Station. |
| 4800 | The workstation was locked. |
| 4801 | The workstation was unlocked. |
| 4802 | The screen saver was invoked. |
| 4803 | The screen saver was dismissed. |
| 5378 | The requested credentials delegation was disallowed by policy. |
| 5632 | A request was made to authenticate to a wireless network. |
| 5633 | A request was made to authenticate to a wired network. |
 
## Related topics
**Events List:**
- [4649](event-4649.md)(S): A replay attack was detected.
- [4778](event-4778.md)(S): A session was reconnected to a Window Station.
- [4779](event-4779.md)(S): A session was disconnected from a Window Station.
- [4800](event-4800.md)(S): The workstation was locked.
- [4801](event-4801.md)(S): The workstation was unlocked.
- [4802](event-4802.md)(S): The screen saver was invoked.
- [4803](event-4803.md)(S): The screen saver was dismissed.
- [5378](event-5378.md)(F): The requested credentials delegation was disallowed by policy.
- [5632](event-5632.md)(S): A request was made to authenticate to a wireless network.
- [5633](event-5633.md)(S): A request was made to authenticate to a wired network.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

70
windows/keep-secure/audit-other-object-access-events.md
View File

@ -2,55 +2,53 @@
title: Audit Other Object Access Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
ms.assetid: b9774595-595d-4199-b0c5-8dbc12b6c8b2
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Other Object Access Events
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Object Access Events**, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects.
For scheduler jobs, the following actions are audited:
Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.
- Job created.
- Job deleted.
- Job enabled.
- Job disabled.
- Job updated.
**Event volume**: Low.
For COM+ objects, the following actions are audited:
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICPM DoS attack. |
| Member Server | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICPM DoS attack. |
| Workstation | Yes | Yes | Yes | Yes | We recommend Success auditing first of all because of scheduled tasks events.<br>We recommend Failure auditing to get events about possible ICPM DoS attack. |
- Catalog object added.
- Catalog object updated.
- Catalog object deleted.
**Events List:**
Event volume: Low
- [4671](event-4671.md)(-): An application attempted to access a blocked ordinal through the TBS.
Default: Not configured
- [4691](event-4691.md)(S): Indirect access to an object was requested.
| Event ID | Event message |
| - | - |
| 4671 | An application attempted to access a blocked ordinal through the TBS. |
| 4691 | Indirect access to an object was requested. |
| 4698 | A scheduled task was created. |
| 4699 | A scheduled task was deleted. |
| 4700 | A scheduled task was enabled. |
| 4701 | A scheduled task was disabled. |
| 4702 | A scheduled task was updated. |
| 5148 | The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded. |
| 5149 | The DoS attack has subsided and normal processing is being resumed. |
| 5888 | An object in the COM+ Catalog was modified. |
| 5889 | An object was deleted from the COM+ Catalog. |
| 5890 | An object was added to the COM+ Catalog. |
 
## Related topics
- [5148](event-5148.md)(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
- [5149](event-5149.md)(F): The DoS attack has subsided and normal processing is being resumed.
- [4698](event-4698.md)(S): A scheduled task was created.
- [4699](event-4699.md)(S): A scheduled task was deleted.
- [4700](event-4700.md)(S): A scheduled task was enabled.
- [4701](event-4701.md)(S): A scheduled task was disabled.
- [4702](event-4702.md)(S): A scheduled task was updated.
- [5888](event-5888.md)(S): An object in the COM+ Catalog was modified.
- [5889](event-5889.md)(S): An object was deleted from the COM+ Catalog.
- [5890](event-5890.md)(S): An object was added to the COM+ Catalog.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

77
windows/keep-secure/audit-other-policy-change-events.md
View File

@ -2,50 +2,61 @@
title: Audit Other Policy Change Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Policy Change Events, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
ms.assetid: 8618502e-c21c-41cc-8a49-3dc1eb359e60
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Other Policy Change Events
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other Policy Change Events**, which determines whether the operating system generates audit events for security policy changes that are not otherwise audited in the Policy Change category.
These other activities in the Policy Change category that can be audited include:
Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.
- Trusted Platform Module (TPM) configuration changes.
- Kernel-mode cryptographic self tests.
- Cryptographic provider operations.
- Cryptographic context operations or modifications.
**Event volume**: Low.
Event volume: Low
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
| Member Server | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
| Workstation | IF | Yes | IF | Yes | IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.<br>We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions. |
Default: Not configured
**Events List:**
| Event ID | Event message |
| - | - |
| 4670 | Permissions on an object were changed. |
| 4909 | The local policy settings for the TBS were changed. |
| 4910 | The group policy settings for the TBS were changed. |
| 5063 | A cryptographic provider operation was attempted. |
| 5064 | A cryptographic context operation was attempted. |
| 5065 | A cryptographic context modification was attempted. |
| 5066 | A cryptographic function operation was attempted. |
| 5067 | A cryptographic function modification was attempted. |
| 5068 | A cryptographic function provider operation was attempted. |
| 5069 | A cryptographic function property operation was attempted. |
| 5070 | A cryptographic function property modification was attempted. |
| 5447 | A Windows Filtering Platform filter has been changed. |
| 6144 | Security policy in the group policy objects has been applied successfully. |
| 6145 | One or more errors occurred while processing security policy in the group policy objects. |
 
## Related topics
- [4714](event-4714.md)(S): Encrypted data recovery policy was changed.
- [4819](event-4819.md)(S): Central Access Policies on the machine have been changed.
- [4826](event-4826.md)(S): Boot Configuration Data loaded.
- [4909](event-4909.md)(-): The local policy settings for the TBS were changed.
- [4910](event-4910.md)(-): The group policy settings for the TBS were changed.
- [5063](event-5063.md)(S, F): A cryptographic provider operation was attempted.
- [5064](event-5064.md)(S, F): A cryptographic context operation was attempted.
- [5065](event-5065.md)(S, F): A cryptographic context modification was attempted.
- [5066](event-5066.md)(S, F): A cryptographic function operation was attempted.
- [5067](event-5067.md)(S, F): A cryptographic function modification was attempted.
- [5068](event-5068.md)(S, F): A cryptographic function provider operation was attempted.
- [5069](event-5069.md)(S, F): A cryptographic function property operation was attempted.
- [5070](event-5070.md)(S, F): A cryptographic function property modification was attempted.
- [5447](event-5447.md)(S): A Windows Filtering Platform filter has been changed.
- [6144](event-6144.md)(S): Security policy in the group policy objects has been applied successfully.
- [6145](event-6145.md)(F): One or more errors occurred while processing security policy in the group policy objects.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

28
windows/keep-secure/audit-other-privilege-use-events.md
View File

@ -2,21 +2,31 @@
title: Audit Other Privilege Use Events (Windows 10)
description: This security policy setting is not used.
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Other Privilege Use Events
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This auditing subcategory should not have any events in it, but for some reason Success auditing will enable generation of event 4985(S): The state of a transaction has changed.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------|
| Domain Controller | No | No | No | No | This auditing subcategory doesnt have any informative events inside. |
| Member Server | No | No | No | No | This auditing subcategory doesnt have any informative events inside. |
| Workstation | No | No | No | No | This auditing subcategory doesnt have any informative events inside. |
**Events List:**
- [4985](event-4674.md)(S): The state of a transaction has changed.
This security policy setting is not used.
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

104
windows/keep-secure/audit-other-system-events.md
View File

@ -2,59 +2,87 @@
title: Audit Other System Events (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other System Events, which determines whether the operating system audits various system events.
ms.assetid: 2401e4cc-d94e-41ec-82a7-e10914295f8b
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Other System Events
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Other System Events**, which determines whether the operating system audits various system events.
Audit Other System Events contains Windows Firewall Service and Windows Firewall driver start and stop events, failure events for these services and Windows Firewall Service policy processing failures.
Audit Other System Events determines whether the operating system audits various system events.
The system events in this category include:
- Startup and shutdown of the Windows Firewall service and driver.
- Security policy processing by the Windows Firewall service.
- Cryptography key file and migration operations.
> **Important:**  Failure to start the Windows Firewall service may result in a computer that is not fully protected against network threats.
 
Event volume: Low
- BranchCache events.
Default: Success and failure
**Event volume**: Low.
| Event ID | Event message |
| - | - |
| 5024 | The Windows Firewall Service has started successfully. |
| 5025 | The Windows Firewall Service has been stopped. |
| 5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy. |
| 5028 | The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy. |
| 5029 | The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy. |
| 5030 | The Windows Firewall Service failed to start. |
| 5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.|
| 5033 | The Windows Firewall Driver has started successfully. |
| 5034 | The Windows Firewall Driver has been stopped. |
| 5035 | The Windows Firewall Driver failed to start. |
| 5037 | The Windows Firewall Driver detected critical runtime error. Terminating.|
| 5058 | Key file operation. |
| 5059 | Key migration operation.|
| 6400 | BranchCache: Received an incorrectly formatted response while discovering availability of content.|
| 6401 | BranchCache: Received invalid data from a peer. Data discarded. |
| 6402 | BranchCache: The message to the hosted cache offering it data is incorrectly formatted.|
| 6403 | BranchCache: The hosted cache sent an incorrectly formatted response to the client. |
| 6404 | BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.|
| 6405 | BranchCache: %2 instance(s) of event id %1 occurred. |
| 6406 | %1 registered to Windows Firewall to control filtering for the following: %2|
| 6407 | 1% |
| 6408 | Registered product %1 failed and Windows Firewall is now controlling the filtering for %2 |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
| Member Server | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
| Workstation | Yes | Yes | Yes | Yes | We recommend enabling Success and Failure auditing because you will be able to get Windows Firewall Service and Windows Firewall Driver status events. |
**Events List:**
- [5024](event-5024.md)(S): The Windows Firewall Service has started successfully.
- [5025](event-5025.md)(S): The Windows Firewall Service has been stopped.
- [5027](event-5027.md)(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
- [5028](event-5028.md)(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
- [5029](event-5029.md)(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
- [5030](event-5030.md)(F): The Windows Firewall Service failed to start.
- [5032](event-5032.md)(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
- [5033](event-5033.md)(S): The Windows Firewall Driver has started successfully.
- [5034](event-5034.md)(S): The Windows Firewall Driver was stopped.
- [5035](event-5035.md)(F): The Windows Firewall Driver failed to start.
- [5037](event-5037.md)(F): The Windows Firewall Driver detected critical runtime error. Terminating.
- [5058](event-5058.md)(S, F): Key file operation.
- [5059](event-5059.md)(S, F): Key migration operation.
- [6400](event-6400.md)(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
- [6401](event-6401.md)(-): BranchCache: Received invalid data from a peer. Data discarded.
- [6402](event-6402.md)(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
- [6403](event-6403.md)(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
- [6404](event-6404.md)(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
- [6405](event-6405.md)(-): BranchCache: %2 instance(s) of event id %1 occurred.
- [6406](event-6406.md)(-): %1 registered to Windows Firewall to control filtering for the following: %2
- [6407](event-6407.md)(-): 1%
- [6408](event-6408.md)(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2
- [6409](event-6408.md)(-): BranchCache: A service connection point object could not be parsed.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

45
windows/keep-secure/audit-pnp-activity.md
View File

@ -2,32 +2,45 @@
title: Audit PNP Activity (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device.
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit PNP Activity
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit PNP Activity**, which determines when plug and play detects an external device.
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a PC a PnP event is triggered.
Audit PNP Activity determines when Plug and Play detects an external device.
Event volume: Varies, depending on how the computer is used
A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.
Default: Not configured
**Event volume**: Varies, depending on how the computer is used. Typically Low.
| Event ID | Event message |
| - | - |
| 6416 | A new external device was recognized by the system. |
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. <br>You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [6416](event-6416.md)(S): A new external device was recognized by the System
- [6419](event-6419.md)(S): A request was made to disable a device
- [6420](event-6420.md)(S): A device was disabled.
- [6421](event-6421.md)(S): A request was made to enable a device.
- [6422](event-6422.md)(S): A device was enabled.
- [6423](event-6423.md)(S): The installation of this device is forbidden by system policy.
- [6424](event-6424.md)(S): The installation of this device was allowed, after having previously been forbidden by policy.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

37
windows/keep-secure/audit-process-creation.md
View File

@ -2,34 +2,37 @@
title: Audit Process Creation (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Creation, which determines whether the operating system generates audit events when a process is created (starts).
ms.assetid: 67e39fcd-ded6-45e8-b1b6-d411e4e93019
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Process Creation
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Creation**, which determines whether the operating system generates audit events when a process is created (starts).
Audit Process Creation determines whether the operating system generates audit events when a process is created (starts).
These audit events can help you track user activity and understand how a computer is being used. Information includes the name of the program or the user that created the process.
Event volume: Low to medium, depending on system usage
**Event volume**: Low to Medium, depending on system usage.
Default: Not configured
This subcategory allows you to audit events generated when a process is created or starts. The name of the application and user that created the process is also audited.
| Event ID | Event message |
| - | - |
| 4688 | A new process has been created.|
| 4696 | A primary token was assigned to a process.|
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | It is typically useful to collect Success auditing information for this subcategory for forensic investigations, to find information who, when and with which options\\parameters ran specific process. <br>Additionally, you can analyse process creation events for elevated credentials use, potential malicious process names and so on.<br>The event volume is typically medium-high level, depending on the process activity on the computer.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4688](event-4688.md)(S): A new process has been created.
- [4696](event-4696.md)(S): A primary token was assigned to process.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

32
windows/keep-secure/audit-process-termination.md
View File

@ -2,37 +2,35 @@
title: Audit Process Termination (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Process Termination, which determines whether the operating system generates audit events when an attempt is made to end a process.
ms.assetid: 65d88e53-14aa-48a4-812b-557cebbf9e50
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Process Termination
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Process Termination**, which determines whether the operating system generates audit events when an attempt is made to end a process.
Audit Process Termination determines whether the operating system generates audit events when process has exited.
Success audits record successful attempts and Failure audits record unsuccessful attempts.
If you do not configure this policy setting, no audit event is generated when a process ends.
This policy setting can help you track user activity and understand how the computer is used.
Event volume: Varies, depending on how the computer is used
**Event volume**: Low to Medium, depending on system usage.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | IF | No | IF - This subcategory typically is not as important as [Audit Process Creation](audit-process-creation.md) subcategory. Using this subcategory you can, for example get information about for how long process was run in correlation with [4688](event-4688.md) event. <br>If you have a list of critical processes that run on some computers, you can enable this subcategory to monitor for termination of these critical processes. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Event ID | Event message |
| - | - |
| 4689 | A process has exited. |
**Events List:**
## Related topics
- [4689](event-4689.md)(S): A process has exited.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

48
windows/keep-secure/audit-registry.md
View File

@ -2,37 +2,45 @@
title: Audit Registry (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Registry, which determines whether the operating system generates audit events when users attempt to access registry objects.
ms.assetid: 02bcc23b-4823-46ac-b822-67beedf56b32
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Registry
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Registry**, which determines whether the operating system generates audit events when users attempt to access registry objects.
Audit events are generated only for objects that have configured system access control lists (SACLs) specified, and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.
Audit Registry allows you to audit attempts to access registry objects. A security audit event is generated only for objects that have system access control lists ([SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s) specified, and only if the type of access requested, such as Read, Write, or Modify, and the account making the request match the settings in the SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching
SACL.
If success auditing is enabled, an audit entry is generated each time any account successfully accesses a registry object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a registry object that has a matching SACL.
Event volume: Low to medium, depending on how registry SACLs are configured
**Event volume**: Low to Medium, depending on how registry SACLs are configured.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | IF | IF | IF | We strongly recommend that you develop a Registry Objects Security Monitoring policy and define appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s for registry objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx)s. Otherwise the auditing log will be overloaded with useless information.<br>Failure events can show you unsuccessful attempts to access specific registry objects.<br>Consider enabling this subcategory for critical computers first, after you develop a Registry Objects Security Monitoring policy for them. |
| Member Server | IF | IF | IF | IF | |
| Workstation | IF | IF | IF | IF | |
| Event ID | Event message |
| - | - |
| 4657 | A registry value was modified. |
| 5039 | A registry key was virtualized. |
 
## Related topics
**Events List:**
- [4663](event-4663.md)(S): An attempt was made to access an object.
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4660](event-4660.md)(S): An object was deleted.
- [4657](event-4657.md)(S): A registry value was modified.
- [5039](event-5039.md)(-): A registry key was virtualized.
- [4670](event-4670.md)(S): Permissions on an object were changed.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

133
windows/keep-secure/audit-removable-storage.md
View File

@ -2,128 +2,35 @@
title: Audit Removable Storage (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Removable Storage, which determines when there is a read or a write to a removable drive.
ms.assetid: 1746F7B3-8B41-4661-87D8-12F734AFFB26
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Removable Storage
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Removable Storage**, which determines when there is a read or a write to a removable drive.
Event volume: Low
Audit Removable Storage allows you to audit user attempts to access file system objects on a removable storage device. A security audit event is generated for all objects and all types of access requested, with no dependency on objects [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | This subcategory will help identify when and which files or folders were accessed or modified on removable devices.<br>It is often useful to track actions with removable storage devices and the files or folders on them, because malicious software very often uses removable devices as a method to get into the system. At the same time, you will be able to track which files were written or executed from a removable storage device.<br>You can track, for example, actions with files or folders on USB flash drives or sticks that were inserted into domain controllers or high value servers, which is typically not allowed. <br>We recommend Failure auditing to track failed access attempts. |
| Member Server | Yes | Yes | Yes | Yes | |
| Workstation | Yes | Yes | Yes | Yes | |
**Events List:**
- [4656](event-4656.md)(S, F): A handle to an object was requested.
- [4658](event-4658.md)(S): The handle to an object was closed.
- [4663](event-4663.md)(S): An attempt was made to access an object.
Default: Not configured
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4663</p></td>
<td align="left"><p>An attempt was made to access an object.</p>
<p>Subject:</p>
<p>Security ID: %1</p>
<p>Account Name: %2</p>
<p>Account Domain: %3</p>
<p>Logon ID: %4</p>
<p>Object:</p>
<p>Object Server: %5</p>
<p>Object Type: %6</p>
<p>Object Name: %7</p>
<p>Handle ID: %8</p>
<p>Process Information:</p>
<p>Process ID: %11</p>
<p>Process Name: %12</p>
<p>Access Request Information:</p>
<p>Accesses: %9</p>
<p>Access Mask: %10</p></td>
</tr>
<tr class="even">
<td align="left"><p>4659</p></td>
<td align="left"><p>A handle to an object was requested with intent to delete.</p>
<p>Subject:</p>
<p>Security ID: %1</p>
<p>Account Name: %2</p>
<p>Account Domain: %3</p>
<p>Logon ID: %4</p>
<p>Object:</p>
<p>Object Server: %5</p>
<p>Object Type: %6</p>
<p>Object Name: %7</p>
<p>Handle ID: %8</p>
<p>Process Information:</p>
<p>Process ID: %13</p>
<p>Access Request Information:</p>
<p>Transaction ID: %9</p>
<p>Accesses: %10</p>
<p>Access Mask: %11</p>
<p>Privileges Used for Access Check: %12</p></td>
</tr>
<tr class="odd">
<td align="left"><p>4818</p></td>
<td align="left"><p>Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.</p>
<p>Subject:</p>
<p>Security ID: %1</p>
<p>Account Name: %2</p>
<p>Account Domain: %3</p>
<p>Logon ID: %4</p>
<p>Object:</p>
<p>Object Server: %5</p>
<p>Object Type: %6</p>
<p>Object Name: %7</p>
<p>Handle ID: %8</p>
<p>Process Information:</p>
<p>Process ID: %9</p>
<p>Process Name: %10</p>
<p>Current Central Access Policy results:</p>
<p>Access Reasons: %11</p>
<p>Proposed Central Access Policy results that differ from the current Central Access Policy results:</p>
<p>Access Reasons: %12</p></td>
</tr>
<tr class="even">
<td align="left"><p>4656</p></td>
<td align="left"><p>A handle to an object was requested.</p>
<p>Subject:</p>
<p>Security ID: %1</p>
<p>Account Name: %2</p>
<p>Account Domain: %3</p>
<p>Logon ID: %4</p>
<p>Object:</p>
<p>Object Server: %5</p>
<p>Object Type: %6</p>
<p>Object Name: %7</p>
<p>Handle ID: %8</p>
<p>Resource Attributes: %17</p>
<p>Process Information:</p>
<p>Process ID: %15</p>
<p>Process Name: %16</p>
<p>Access Request Information:</p>
<p>Transaction ID: %9</p>
<p>Accesses: %10</p>
<p>Access Reasons: %11</p>
<p>Access Mask: %12</p>
<p>Privileges Used for Access Check: %13</p>
<p>Restricted SID Count: %14</p></td>
</tr>
</tbody>
</table>
 
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

29
windows/keep-secure/audit-rpc-events.md
View File

@ -2,32 +2,29 @@
title: Audit RPC Events (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit RPC Events, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
ms.assetid: 868aec2d-93b4-4bc8-a150-941f88838ba6
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit RPC Events
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit RPC Events**, which determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
RPC is a technology for creating distributed client/server programs. RPC is an interprocess communication technique that enables client and server software to communicate. For more information, see [What Is RPC?](http://technet.microsoft.com/library/cc787851.aspx).
Audit RPC Events determines whether the operating system generates audit events when inbound remote procedure call (RPC) connections are made.
Event volume: High on RPC servers
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------|
| Domain Controller | No | No | No | No | Events in this subcategory occur rarely. |
| Member Server | No | No | No | No | Events in this subcategory occur rarely. |
| Workstation | No | No | No | No | Events in this subcategory occur rarely. |
Default: Not configured
**Events List:**
| Event ID | Event message |
| - | - |
| 5712 | A Remote Procedure Call (RPC) was attempted. |
 
## Related topics
- [5712](event-5712.md)(S): A Remote Procedure Call (RPC) was attempted.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

51
windows/keep-secure/audit-sam.md
View File

@ -2,52 +2,55 @@
title: Audit SAM (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
ms.assetid: 1d00f955-383d-4c95-bbd1-fab4a991a46e
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit SAM
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit SAM**, which enables you to audit events that are generated by attempts to access Security Account Manager (SAM) objects.
Audit SAM, which enables you to audit events that are generated by attempts to access Security Account Manager ([SAM](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx)) objects.
The Security Account Manager (SAM) is a database that is present on computers running Windows operating systems that stores user accounts and security descriptors for users on the local computer.
SAM objects include the following:
- SAM objects include the following:
- SAM\_ALIAS: A local group
- SAM\_GROUP: A group that is not a local group
- SAM\_USER: A user account
- SAM\_DOMAIN: A domain
- SAM\_SERVER: A computer account
If you configure this policy setting, an audit event is generated when a SAM object is accessed. Success audits record successful attempts, and failure audits record unsuccessful attempts.
> **Note:**  Only the SACL for SAM\_SERVER can be modified.
 
Only a [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) for SAM\_SERVER can be modified.
Changes to user and group objects are tracked by the Account Management audit category. However, user accounts with enough privileges could potentially alter the files in which the account and password information is stored in the system, bypassing any Account Management events.
Event volume: High on domain controllers
**Event volume**: High on domain controllers.
> **Note:**  For information about reducing the number of events generated in this subcategory, see [KB841001](http://go.microsoft.com/fwlink/p/?LinkId=121698).
 
Default setting: Not configured
For information about reducing the number of events generated in this subcategory, see [KB841001](https://support.microsoft.com/en-us/kb/841001).
| Event ID | Event message |
| - | - |
| 4659 | A handle to an object was requested with intent to delete.|
| 4660 | An object was deleted. |
| 4661 | A handle to an object was requested.|
| 4663 | An attempt was made to access an object.|
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. |
| Member Server | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. |
| Workstation | - | - | - | - | There is no recommendation for this subcategory in this document, unless you know exactly what you need to monitor at [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx) level. |
**Events List:**
- [4661](event-4661.md)(S, F): A handle to an object was requested.
#
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

107
windows/keep-secure/audit-security-group-management.md
View File

@ -2,52 +2,91 @@
title: Audit Security Group Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit Security Group Management, which determines whether the operating system generates audit events when specific security group management tasks are performed.
ms.assetid: ac2ee101-557b-4c84-b9fa-4fb23331f1aa
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Security Group Management
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit Security Group Management**, which determines whether the operating system generates audit events when specific security group management tasks are performed.
Tasks for security group management include:
Audit Security Group Management determines whether the operating system generates audit events when specific security group management tasks are performed.
- A security group is created, changed, or deleted.
- A member is added to or removed from a security group.
- A group's type is changed.
Security groups can be used for access control permissions and also as distribution lists.
**Event volume**: Low.
Event volume: Low
This subcategory allows you to audit events generated by changes to security groups such as the following:
Default: Success
- Security group is created, changed, or deleted.
| Event ID | Event message |
| - | - |
| 4727 | A security-enabled global group was created. |
| 4728 | A member was added to a security-enabled global group. |
| 4729 | A member was removed from a security-enabled global group. |
| 4730 | A security-enabled global group was deleted. |
| 4731 | A security-enabled local group was created. |
| 4732 | A member was added to a security-enabled local group.|
| 4733 | A member was removed from a security-enabled local group.|
| 4734 | A security-enabled local group was deleted. |
| 4735 | A security-enabled local group was changed. |
| 4737 | A security-enabled global group was changed. |
| 4754 | A security-enabled universal group was created.|
| 4755 | A security-enabled universal group was changed. |
| 4756 | A member was added to a security-enabled universal group.|
| 4757 | A member was removed from a security-enabled universal group.|
| 4758 | A security-enabled universal group was deleted. |
| 4764 | A group's type was changed. |
- Member is added or removed from a security group.
## Related topics
- Group type is changed.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4731](event-4731.md)(S): A security-enabled local group was created.
- [4732](event-4732.md)(S): A member was added to a security-enabled local group.
- [4733](event-4733.md)(S): A member was removed from a security-enabled local group.
- [4734](event-4734.md)(S): A security-enabled local group was deleted.
- [4735](event-4735.md)(S): A security-enabled local group was changed.
- [4764](event-4764.md)(S): A groups type was changed.
- [4799](event-4799.md)(S): A security-enabled local group membership was enumerated.
**4727(S): A security-enabled global group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.” Event 4727 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
**4737(S): A security-enabled global group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.” Event 4737 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
**4728(S): A member was added to a security-enabled global group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.” Event 4728 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
**4729(S): A member was removed from a security-enabled global group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.” Event 4729 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
**4730(S): A security-enabled global group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.” Event 4730 is the same, but it is generated for a **global** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
**4754(S): A security-enabled universal group was created.** See event “[4731](event-4731.md): A security-enabled local group was created.”. Event 4754 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4731](event-4731.md) do not apply.
**4755(S): A security-enabled universal group was changed.** See event “[4735](event-4735.md): A security-enabled local group was changed.”. Event 4737 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4735](event-4735.md) do not apply.
**4756(S): A member was added to a security-enabled universal group.** See event “[4732](event-4732.md): A member was added to a security-enabled local group.”. Event 4756 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4732](event-4732.md) do not apply.
**4757(S): A member was removed from a security-enabled universal group.** See event “[4733](event-4733.md): A member was removed from a security-enabled local group.”. Event 4757 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4733](event-4733.md) do not apply.
**4758(S): A security-enabled universal group was deleted.** See event “[4734](event-4734.md): A security-enabled local group was deleted.”. Event 4758 is the same, but it is generated for a **universal** security group instead of a **local** security group. All event fields, XML, and recommendations are the same. The type of group is the only difference.
**Important:** this event generates only for domain groups, so the Local sections in event [4734](event-4734.md) do not apply.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

45
windows/keep-secure/audit-security-state-change.md
View File

@ -2,44 +2,37 @@
title: Audit Security State Change (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system.
ms.assetid: decb3218-a67d-4efa-afc0-337c79a89a2d
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Security State Change
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security State Change**, which determines whether Windows generates audit events for changes in the security state of a system.
Changes in the security state of the operating system include:
Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.
- System startup and shutdown.
- Change of system time.
- System recovery from **CrashOnAuditFail**. This event is logged after a system reboots following **CrashOnAuditFail**.
**Event volume**: Low.
> **Important:**  Some auditable activity may not be recorded when a system restarts due to **CrashOnAuditFail**.
 
System startup and shutdown events are important for understanding system usage.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
Event volume: Low
**Events List:**
Default: Success
- [4608](event-4608.md)(S): Windows is starting up.
| Event ID | Event message summary | Minimum requirement |
| - | - | - |
| 4608 | Windows is starting up. | Windows Vista, Windows Server 2008 |
| 4609 | Windows is shutting down. | Windows Vista, Windows Server 2008 |
| 4616 | The system time was changed.| Windows Vista, Windows Server 2008 |
| 4621 | Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.| Windows Vista, Windows Server 2008 |
 
## Related topics
- [4616](event-4616.md)(S): The system time was changed.
- [4621](event-4621.md)(S): Administrator recovered system from CrashOnAuditFail.
>**Note**&nbsp;&nbsp;Event **4609(S): Windows is shutting down** currently doesnt generate. It is a defined event, but it is never invoked by the operating system.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

52
windows/keep-secure/audit-security-system-extension.md
View File

@ -2,43 +2,47 @@
title: Audit Security System Extension (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Security System Extension, which determines whether the operating system generates audit events related to security system extensions.
ms.assetid: 9f3c6bde-42b2-4a0a-b353-ed3106ebc005
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Security System Extension
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Security System Extension**, which determines whether the operating system generates audit events related to security system extensions.
Audit Security System Extension contains information about the loading of an authentication package, notification package, or security package, plus information about trusted logon process registration events.
Changes to security system extensions in the operating system include the following activities:
- A security extension code is loaded (such as an authentication, notification, or security package). A security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM.
- Security extension code is loaded (for example, an authentication, notification, or security package). Security extension code registers with the Local Security Authority and will be used and trusted to authenticate logon attempts, submit logon requests, and be notified of any account or password changes. Examples of this extension code are Security Support Providers, such as Kerberos and NTLM.
- A service is installed. An audit log is generated when a service is registered with the Service Control Manager. The audit log contains information about the service name, binary, type, start type, and service account.
> **Important:**  Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.
 
Event volume: Low
Attempts to install or load security system extensions or services are critical system events that could indicate a security breach.
These events are expected to appear more on a domain controller than on client computers or member servers.
**Event volume**: Low.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.” <br>For other events we strongly recommend monitoring a whitelist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Event ID | Event message |
| - | - |
| 4610 | An authentication package has been loaded by the Local Security Authority. |
| 4611 | A trusted logon process has been registered with the Local Security Authority.|
| 4614 | A notification package has been loaded by the Security Account Manager. |
| 4622 | A security package has been loaded by the Local Security Authority. |
| 4697 | A service was installed in the system. |
 
## Related topics
**Events List:**
- [4610](event-4610.md)(S): An authentication package has been loaded by the Local Security Authority.
- [4611](event-4611.md)(S): A trusted logon process has been registered with the Local Security Authority.
- [4614](event-4614.md)(S): A notification package has been loaded by the Security Account Manager.
- [4622](event-4622.md)(S): A security package has been loaded by the Local Security Authority.
- [4697](event-4697.md)(S): A service was installed in the system.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

85
windows/keep-secure/audit-sensitive-privilege-use.md
View File

@ -2,51 +2,70 @@
title: Audit Sensitive Privilege Use (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used.
ms.assetid: 915abf50-42d2-45f6-9fd1-e7bd201b193d
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Sensitive Privilege Use
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Sensitive Privilege Use**, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used.
Actions that can be audited include:
- A privileged service is called.
- One of the following privileges is called:
- **Act as part of the operating system**
- **Back up files and directories**
- **Create a token object**
- **Debug programs**
- **Enable computer and user accounts to be trusted for delegation**
- **Generate security audits**
- **Impersonate a client after authentication**
- **Load and unload device drivers**
- **Manage auditing and security log**
- **Modify firmware environment values**
- **Replace a process-level token**
- **Restore files and directories**
- **Take ownership of files or other objects**
Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges:
- Act as part of the operating system
- Back up files and directories
- Restore files and directories
- Create a token object
- Debug programs
- Enable computer and user accounts to be trusted for delegation
- Generate security audits
- Impersonate a client after authentication
- Load and unload device drivers
- Manage auditing and security log
- Modify firmware environment values
- Replace a process-level token
- Take ownership of files or other objects
The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “[Audit: Audit the use of Backup and Restore privilege](https://technet.microsoft.com/en-us/library/jj852206.aspx)” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded.
This subcategory also contains informational events from the file system Transaction Manager.
If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts.
Event volume: High
**Event volume**: High.
Default: Not configured
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
| Member Server | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
| Workstation | Yes | Yes | Yes | Yes | We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account. |
**Events List:**
- [4673](event-4673.md)(S, F): A privileged service was called.
- [4674](event-4674.md)(S, F): An operation was attempted on a privileged object.
- [4985](event-4985.md)(S): The state of a transaction has changed.
>**Note**&nbsp;&nbsp;For some reason event “[4985](event-4985.md)(S): The state of a transaction has changed" from [Audit File System](audit-file-system.md) subcategory generates also in this subcategory. See description of event [4985](event-4985.md) in [Audit File System](audit-file-system.md) subcategory.
| Event ID | Event message |
| - | - |
| 4672 | Special privileges assigned to new logon.|
| 4673 | A privileged service was called. |
| 4674 | An operation was attempted on a privileged object.|
 
## Related topics
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

45
windows/keep-secure/audit-special-logon.md
View File

@ -2,38 +2,43 @@
title: Audit Special Logon (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Special Logon, which determines whether the operating system generates audit events under special sign on (or log on) circumstances.
ms.assetid: e1501bac-1d09-4593-8ebb-f311231567d3
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit Special Logon
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit Special Logon**, which determines whether the operating system generates audit events under special sign on (or log on) circumstances.
This security policy setting determines whether the operating system generates audit events when:
Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances.
- A special logon is used. A special logon is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
- A member of a special group logs on. Special Groups is a Windows feature that enables the administrator to find out when a member of a certain group has logged on. The administrator can set a list of group security identifiers (SIDs) in the registry. If any of these SIDs is added to a token during logon and this auditing subcategory is enabled, a security event is logged. For more information about this feature, see [article 947223](http://go.microsoft.com/fwlink/p/?linkid=120183) in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/p/?linkid=120183).
This subcategory allows you to audit events generated by special logons such as the following:
Users holding special privileges can potentially make changes to the system. We recommend that you track their activity.
- The use of a special logon, which is a logon that has administrator-equivalent privileges and can be used to elevate a process to a higher level.
Event volume: Low
- A logon by a member of a Special Group. Special Groups enable you to audit events generated when a member of a certain group has logged on to your network. You can configure a list of group security identifiers (SIDs) in the registry. If any of those SIDs are added to a token during logon and the subcategory is enabled, an event is logged.
Default: Success
**Event volume**:
| Event ID | Event message |
| - | - |
| 4964 | Special groups have been assigned to a new logon.|
 
## Related topics
- Low on a client computer.
- Medium on a domain controllers or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | This subcategory is very important because of [Special Groups](http://blogs.technet.com/b/askds/archive/2008/03/11/special-groups-auditing-via-group-policy-preferences.aspx) related events, you must enable this subcategory for Success audit if you use this feature.<br>At the same time this subcategory allows you to track account logon sessions to which sensitive privileges were assigned.<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4964](event-4964.md)(S): Special groups have been assigned to a new logon.
- [4672](event-4672.md)(S): Special privileges assigned to new logon.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

72
windows/keep-secure/audit-system-integrity.md
View File

@ -2,51 +2,67 @@
title: Audit System Integrity (Windows 10)
description: This topic for the IT professional describes the Advanced Security Audit policy setting, Audit System Integrity, which determines whether the operating system audits events that violate the integrity of the security subsystem.
ms.assetid: 942a9a7f-fa31-4067-88c7-f73978bf2034
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit System Integrity
**Applies to**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the Advanced Security Audit policy setting, **Audit System Integrity**, which determines whether the operating system audits events that violate the integrity of the security subsystem.
Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem.
Activities that violate the integrity of the security subsystem include the following:
- Audited events are lost due to a failure of the auditing system.
- A process uses an invalid local procedure call (LPC) port in an attempt to impersonate a client, reply to a client address space, read to a client address space, or write from a client address space.
- A remote procedure call (RPC) integrity violation is detected.
- A code integrity violation with an invalid hash value of an executable file is detected.
- Cryptographic tasks are performed.
> **Important:**  Violations of security subsystem integrity are critical and could indicate a potential security attack.
 
Event volume: Low
Violations of security subsystem integrity are critical and could indicate a potential security attack.
Default: Success and failure
**Event volume**: Low.
| Event ID | Event message |
| - | - |
| 4612 | Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. |
| 4615 | Invalid use of LPC port. |
| 4618 | A monitored security event pattern has occurred.|
| 4816 | RPC detected an integrity violation while decrypting an incoming message.|
| 5038 | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.|
| 5056 | A cryptographic self-test was performed. |
| 5057 | A cryptographic primitive operation failed.|
| 5060 | Verification operation failed. |
| 5061 | Cryptographic operation. |
| 5062 | A kernel-mode cryptographic self-test was performed.|
| 6281 | Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.|
 
## Related topics
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. |
| Member Server | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. |
| Workstation | Yes | Yes | Yes | Yes | The main reason why we recommend Success auditing for this subcategory is to be able to get RPC integrity violation errors and auditing subsystem errors (event 4612). However, if you are planning to manually invoke “[4618](event-4618.md)(S): A monitored security event pattern has occurred”, then you also need to enable Success auditing for this subcategory.<br>The main reason why we recommend Failure auditing for this subcategory is to be able to get [Code Integrity](https://technet.microsoft.com/en-us/library/dd348642(v=ws.10).aspx) failure events. |
**Events List:**
- [4612](event-4612.md)(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
- [4615](event-4615.md)(S): Invalid use of LPC port.
- [4618](event-4618.md)(S): A monitored security event pattern has occurred.
- [4816](event-4816.md)(S): RPC detected an integrity violation while decrypting an incoming message.
- [5038](event-5038.md)(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
- [5056](event-5056.md)(S): A cryptographic self-test was performed.
- [5062](event-5062.md)(S): A kernel-mode cryptographic self-test was performed.
- [5057](event-5057.md)(F): A cryptographic primitive operation failed.
- [5060](event-5060.md)(F): Verification operation failed.
- [5061](event-5061.md)(S, F): Cryptographic operation.
- [6281](event-6281.md)(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
- [6410](event-6410.md)(F): Code integrity determined that a file does not meet the security requirements to load into a process.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

99
windows/keep-secure/audit-user-account-management.md
View File

@ -2,56 +2,81 @@
title: Audit User Account Management (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit User Account Management, which determines whether the operating system generates audit events when specific user account management tasks are performed.
ms.assetid: f7e72998-3858-4197-a443-19586ecc4bfb
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit User Account Management
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit User Account Management**, which determines whether the operating system generates audit events when specific user account management tasks are performed.
Tasks that are audited for user account management include:
Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.
**Event volume**: Low.
This policy setting allows you to audit changes to user accounts. Events include the following:
- A user account is created, changed, deleted, renamed, disabled, enabled, locked out or unlocked.
- A user accounts password is set or changed.
- A security identifier (SID) is added to the SID History of a user account, or fails to be added.
- The Directory Services Restore Mode password is configured.
- Permissions on administrative user accounts are changed.
- A user's local group membership was enumerated.
- A user account is created, changed, deleted, renamed, disabled, enabled, locked out, or unlocked.
- A user account password is set or changed.
- Security identifier (SID) history is added to a user account.
- The Directory Services Restore Mode password is set.
- Permissions are changed on accounts that are members of administrator groups.
- Credential Manager credentials are backed up or restored.
This policy setting is essential for tracking events that involve provisioning and managing user accounts.
Some events in this subcategory, for example 4722, 4725, 4724, and 4781, are also generated for computer accounts.
Event volume: Low
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | Yes | Yes | Yes | This subcategory contains many useful events for monitoring, especially for critical domain accounts, such as domain admins, service accounts, database admins, and so on.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for domain accounts, DSRM account password change failures, and failed SID History add attempts. |
| Member Server | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. |
| Workstation | Yes | Yes | Yes | Yes | We recommend monitoring all changes related to local user accounts, especially built-in local Administrator and other critical accounts.<br>We recommend Failure auditing, mostly to see invalid password change and reset attempts for local accounts. |
Default: Success
**Events List:**
| Event ID | Event message |
| - | - |
| 4720 | A user account was created. |
| 4722 | A user account was enabled. |
| 4723 | An attempt was made to change an account's password.|
| 4724 | An attempt was made to reset an account's password. |
| 4725 | A user account was disabled. |
| 4726 | A user account was deleted. |
| 4738 | A user account was changed. |
| 4740 | A user account was locked out.|
| 4765 | SID History was added to an account.|
| 4766 | An attempt to add SID History to an account failed.|
| 4767 | A user account was unlocked. |
| 4780 | The ACL was set on accounts which are members of administrators groups.|
| 4781 | The name of an account was changed: |
| 4794 | An attempt was made to set the Directory Services Restore Mode.|
| 5376 | Credential Manager credentials were backed up. |
| 5377 | Credential Manager credentials were restored from a backup.|
 
## Related topics
- [4720](event-4720.md)(S): A user account was created.
- [4722](event-4722.md)(S): A user account was enabled.
- [4723](event-4723.md)(S, F): An attempt was made to change an account's password.
- [4724](event-4724.md)(S, F): An attempt was made to reset an account's password.
- [4725](event-4725.md)(S): A user account was disabled.
- [4726](event-4726.md)(S): A user account was deleted.
- [4738](event-4738.md)(S): A user account was changed.
- [4740](event-4740.md)(S): A user account was locked out.
- [4765](event-4765.md)(S): SID History was added to an account.
- [4766](event-4766.md)(F): An attempt to add SID History to an account failed.
- [4767](event-4767.md)(S): A user account was unlocked.
- [4780](event-4780.md)(S): The ACL was set on accounts which are members of administrators groups.
- [4781](event-4781.md)(S): The name of an account was changed.
- [4794](event-4794.md)(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
- [4798](event-4798.md)(S): A user's local group membership was enumerated.
- [5376](event-5376.md)(S): Credential Manager credentials were backed up.
- [5377](event-5377.md)(S): Credential Manager credentials were restored from a backup.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

72
windows/keep-secure/audit-user-device-claims.md
View File

@ -2,63 +2,39 @@
title: Audit User/Device Claims (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit User/Device Claims, which enables you to audit security events that are generated by user and device claims.
ms.assetid: D3D2BFAF-F2C0-462A-9377-673DB49D5486
ms.prod: w10
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
author: Mir0sh
---
# Audit User/Device Claims
**Applies to**
- Windows 10
- Windows 10
- Windows Server 2016
This topic for the IT professional describes the advanced security audit policy setting, **Audit User/Device Claims**, which enables you to audit security events that are generated by user and device claims.
Event volume:
Audit User/Device Claims allows you to audit user and device claims information in the accounts logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.
Default: Not configured
For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the computer hosting the resource.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Event ID</th>
<th align="left">Event message</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>4626</p></td>
<td align="left"><p>User / Device claims information.</p>
<p>Subject:</p>
<p>Security ID: %1</p>
<p>Account Name: %2</p>
<p>Account Domain: %3</p>
<p>Logon ID: %4</p>
<p>Logon Type:%9</p>
<p>New Logon:</p>
<p>Security ID: %5</p>
<p>Account Name: %6</p>
<p>Account Domain: %7</p>
<p>Logon ID: %8</p>
<p>Event in sequence: %10 of %11</p>
<p>User Claims: %12</p>
<p>Device Claims: %13</p>
<p>The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.</p>
<p>The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).</p>
<p>The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.</p>
<p>This event is generated when the Audit User/Device claims subcategory is configured and the users logon token contains user/device claims information. The Logon ID field can be used to correlate this event with the corresponding user logon event as well as to any other security audit events generated during this logon session.</p></td>
</tr>
</tbody>
</table>
 
## Related topics
***Important***: [Audit Logon](audit-logon.md) subcategory must also be enabled in order to get events from this subcategory.
**Event volume**:
- Low on a client computer.
- Medium on a domain controller or network servers.
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | IF | No | IF | No | IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | IF | No | IF | No | IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | IF | No | IF | No | IF if claims are in use in your organization and you need to monitor user/device claims, enable Success auditing for this subcategory. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4626](event-4626.md)(S): User/Device claims information.
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
 
 

73
windows/keep-secure/event-1100.md Normal file
View File

@ -0,0 +1,73 @@
---
title: 1100(S) The event logging service has shut down. (Windows 10)
description: Describes security event 1100(S) The event logging service has shut down.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 1100(S): The event logging service has shut down.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1100.png" alt="Event 1100 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates every time Windows Event Log service has shut down.
It also generates during normal system shutdown.
This event doesnt generate during emergency system reset.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1100</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>103</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-15T07:02:20.010585400Z" />
<EventRecordID>1048124</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="964" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
<ServiceShutdown xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" />
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
For 1100(S): The event logging service has shut down.
- With this event, you can track system shutdowns and restarts.
- This event also can be a sign of malicious action when someone tried to shut down the Log Service to cover his or her activity.

98
windows/keep-secure/event-1102.md Normal file
View File

@ -0,0 +1,98 @@
---
title: 1102(S) The audit log was cleared. (Windows 10)
description: Describes security event 1102(S) The audit log was cleared.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 1102(S): The audit log was cleared.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1102.png" alt="Event 1102 illustration" width="449" height="336" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates every time Windows Security audit log was cleared.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1102</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>104</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-16T00:39:58.656871200Z" />
<EventRecordID>1087729</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="2644" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<SubjectUserSid>S-1-5-21-3457937927-2839227994-823803824-1104</SubjectUserSid>
<SubjectUserName>dadmin</SubjectUserName>
<SubjectDomainName>CONTOSO</SubjectDomainName>
<SubjectLogonId>0x55cd1d</SubjectLogonId>
</LogFileCleared>
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that cleared the system security audit log. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that cleared the system security audit log.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
## Security Monitoring Recommendations
For 1102(S): The audit log was cleared.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Typically you should not see this event. There is no need to manually clear the Security event log in most cases. We recommend monitoring this event and investigating why this action was performed.

67
windows/keep-secure/event-1104.md Normal file
View File

@ -0,0 +1,67 @@
---
title: 1104(S) The security log is now full. (Windows 10)
description: Describes security event 1104(S) The security log is now full.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 1104(S): The security log is now full.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1104.png" alt="Event 1104 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates every time Windows security log becomes full.
This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx)”.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1104</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>101</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-15T23:36:50.479431200Z" />
<EventRecordID>1087728</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="4224" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
<FileIsFull xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog" />
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
- If the Security event log retention method is set to “[Do not overwrite events (Clear logs manually)](https://technet.microsoft.com/en-us/library/cc778402(v=ws.10).aspx)”, then this event will indicate that log file is full and you need to perform immediate actions, for example, archive the log or clear it.

98
windows/keep-secure/event-1105.md Normal file
View File

@ -0,0 +1,98 @@
---
title: 1105(S) Event log automatic backup. (Windows 10)
description: Describes security event 1105(S) Event log automatic backup.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 1105(S): Event log automatic backup.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1105.png" alt="Event 1105 illustration" width="572" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates every time Windows security log becomes full and new event log file was created.
This event generates, for example, if the maximum size of Security Event Log file was reached and event log retention method is: “[Archive the log when full, do not overwrite events](https://technet.microsoft.com/en-us/library/cc721981.aspx)”.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1105</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>105</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-16T00:50:12.715302700Z" />
<EventRecordID>1128551</EventRecordID>
<Correlation />
<Execution ProcessID="820" ThreadID="3660" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <AutoBackup xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<Channel>Security</Channel>
<BackupPath>C:\\Windows\\System32\\Winevt\\Logs\\Archive-Security-2015-10-16-00-50-12-621.evtx</BackupPath>
</AutoBackup>
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Log** \[Type = UnicodeString\]: the name of the log which was archived (new event log file was created and previous event log was archived). Always “**Security”** for Security Event Logs.
**File**: \[Type = FILETIME\]: full path and filename of archived log file.
The format of archived log file name is: “Archive-LOG\_FILE\_NAME-YYYY-MM-DD-hh-mm-ss-nnn.evtx”. Where:
- LOG\_FILE\_NAME the name of archived file.
- Y years.
- M months.
- D days.
- h hours.
- m minutes.
- s seconds.
- n fractional seconds.
The time in this event is always in ***GMT+0/UTC+0*** time zone.
## Security Monitoring Recommendations
For 1105(S): Event log automatic backup.
- Typically its an informational event and no actions are needed. But if your baseline settings are not set to [Archive the log when full, do not overwrite events](https://technet.microsoft.com/en-us/library/cc721981.aspx), then this event will be a sign that some settings are not set to baseline settings or were changed.

83
windows/keep-secure/event-1108.md Normal file
View File

@ -0,0 +1,83 @@
---
title: 1108(S) The event logging service encountered an error while processing an incoming event published from %1. (Windows 10)
description: Describes security event 1108(S) The event logging service encountered an error while processing an incoming event published from %1.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-1108.png" alt="Event 1108 illustration" width="613" height="429" hspace="10" align="left" />
***Subcategory:***&nbsp;[Other Events](other-events.md)
***Event Description:***
This event generates when event logging service encountered an error while processing an incoming event.
It typically generates when logging service will not be able to correctly write the event to the event log or some parameters were not passed to logging service to log the event correctly. You will typically see a defective or incorrect event before 1108.
For example, event 1108 might be generated after an incorrect [4703](event-4703.md) event:
<img src="images/event-4703-partial.png" alt="Event 4703, partial illustration" width="438" height="588" hspace="10" align="left" />
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Eventlog" Guid="{fc65ddd8-d6ef-4962-83d5-6e5cfe9ce148}" />
<EventID>1108</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>101</Task>
<Opcode>0</Opcode>
<Keywords>0x4020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T20:59:47.431979300Z" />
<EventRecordID>5599</EventRecordID>
<Correlation />
<Execution ProcessID="972" ThreadID="1320" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <UserData>
- <EventProcessingFailure xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog">
<Error Code="15005" />
<EventID>0</EventID>
<PublisherID>Microsoft-Windows-Security-Auditing</PublisherID>
</EventProcessingFailure>
</UserData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008 R2, Windows 7.
***Event Versions:*** 0.
***Field Descriptions:***
**%1** \[Type = UnicodeString\]: the name of [security event source](https://msdn.microsoft.com/en-us/library/windows/desktop/aa363661(v=vs.85).aspx) from which event was received for processing. You can see all registered security event source names in this registry path: “HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\EventLog\\Security”. Here is an example:
<img src="images/subkeys-under-security-key.png" alt="Subkeys under Security key illustration" width="236" height="246" />
## Security Monitoring Recommendations
For 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
- We recommend monitoring for all events of this type and checking what the cause of the error was.

67
windows/keep-secure/event-4608.md Normal file
View File

@ -0,0 +1,67 @@
---
title: 4608(S) Windows is starting up. (Windows 10)
description: Describes security event 4608(S) Windows is starting up.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4608(S): Windows is starting up.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4608.png" alt="Event 4608 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
***Event Description:***
This event is logged when LSASS.EXE process starts and the auditing subsystem is initialized.
It typically generates during operating system startup process.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4608</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12288</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-09T05:25:38.222242500Z" />
<EventRecordID>1101704</EventRecordID>
<Correlation />
<Execution ProcessID="508" ThreadID="512" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
<EventData />
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
For 4608(S): Windows is starting up.
- With this event, you can track system startup events.

77
windows/keep-secure/event-4610.md Normal file
View File

@ -0,0 +1,77 @@
---
title: 4610(S) An authentication package has been loaded by the Local Security Authority. (Windows 10)
description: Describes security event 4610(S) An authentication package has been loaded by the Local Security Authority.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4610(S): An authentication package has been loaded by the Local Security Authority.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4610.png" alt="Event 4610 illustration" width="656" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
***Event Description:***
This event generates every time [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)).
Each time the system starts, the LSA loads the Authentication Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Authentication Packages** registry value and performs the initialization sequence for every package located in these DLLs.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4610</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-14T03:36:41.391489300Z" />
<EventRecordID>1048138</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="AuthenticationPackageName">C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Authentication Package Name** \[Type = UnicodeString\]**:** the name of loaded [Authentication Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374733(v=vs.85).aspx). The format is: DLL\_PATH\_AND\_NAME: AUTHENTICATION\_PACKAGE\_NAME.
By default the only one Authentication Package loaded by Windows 10 is “[MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378753(v=vs.85).aspx)”.
## Security Monitoring Recommendations
For 4610(S): An authentication package has been loaded by the Local Security Authority.
- Report all “**Authentication Package Name**” not equals “C:\\Windows\\system32\\msv1\_0.DLL : MICROSOFT\_AUTHENTICATION\_PACKAGE\_V1\_0”, because by default this is the only Authentication Package loaded by Windows 10.
- Typically this event has an informational purpose. If you have a pre-defined list of allowed Authentication Packages in the system, then you can check whether “**Authentication Package Name”** is in your defined list.

109
windows/keep-secure/event-4611.md Normal file
View File

@ -0,0 +1,109 @@
---
title: 4611(S) A trusted logon process has been registered with the Local Security Authority. (Windows 10)
description: Describes security event 4611(S) A trusted logon process has been registered with the Local Security Authority.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4611(S): A trusted logon process has been registered with the Local Security Authority.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4611.png" alt="Event 4611 illustration" width="449" height="393" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
***Event Description:***
This event indicates that a logon process has registered with the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)). Also, logon requests will now be accepted from this source.
At the technical level, the event does not come from the registration of a trusted logon process, but from a confirmation that the process is a trusted logon process. If it is a trusted logon process, the event generates.
A logon process is a trusted part of the operating system that handles the overall logon function for different logon methods (network, interactive, etc.).
You typically see these events during operating system startup or user logon and authentication actions.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4611</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-14T03:43:29.604031000Z" />
<EventRecordID>1048175</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="548" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="LogonProcessName">Winlogon</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that registered the trusted logon process. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that registered the trusted logon process.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Logon Process Name** \[Type = UnicodeString\]**:** the name of registered logon process.
## Security Monitoring Recommendations
For 4611(S): A trusted logon process has been registered with the Local Security Authority.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
- Typically this event has an informational purpose. If you defined the list of allowed Logon Processes in the system, then you can check is “**Logon Process Name”** field value in the whitelist or not.
-

43
windows/keep-secure/event-4612.md Normal file
View File

@ -0,0 +1,43 @@
---
title: 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. (Windows 10)
description: Describes security event 4612(S) Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
**Applies to**
- Windows 10
- Windows Server 2016
This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk.
This event doesn't generate when the event log service is stopped or event log is full and events retention is disabled.
There is no example of this event in this document.
***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
***Event Schema:***
*Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. *
*Number of audit messages discarded: %1 *
*This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk, or when the auditing system loses connectivity to the event log, such as when the event log service is stopped.*
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
- This event can be a sign of hardware issues or lack of system resources (for example, RAM). We recommend monitoring this event and investigating the reason for the condition.

77
windows/keep-secure/event-4614.md Normal file
View File

@ -0,0 +1,77 @@
---
title: 4614(S) A notification package has been loaded by the Security Account Manager. (Windows 10)
description: Describes security event 4614(S) A notification package has been loaded by the Security Account Manager.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4614(S): A notification package has been loaded by the Security Account Manager.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4614.png" alt="Event 4614 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
***Event Description:***
This event generates every time a Notification Package has been loaded by the [Security Account Manager](https://technet.microsoft.com/en-us/library/cc756748(v=ws.10).aspx).
In reality, starting with Windows Vista, a notification package should be interpreted as afs [Password Filter](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721882(v=vs.85).aspx).
Password Filters are DLLs that are loaded or called when passwords are set or changed.
Each time a system starts, it loads the notification package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\Notification Packages** registry value and performs the initialization sequence for every package.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4614</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-14T03:36:43.073484900Z" />
<EventRecordID>1048140</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="NotificationPackageName">WDIGEST</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Notification Package Name** \[Type = UnicodeString\]**:** the name of loaded Notification Package.
## Security Monitoring Recommendations
For 4614(S): A notification package has been loaded by the Security Account Manager.
- Typically this event has an informational purpose. If you defined the list of allowed Notification Packages in the system, then you can check is “**Notification Package Name”** field value in the whitelist or not.

57
windows/keep-secure/event-4615.md Normal file
View File

@ -0,0 +1,57 @@
---
title: 4615(S) Invalid use of LPC port. (Windows 10)
description: Describes security event 4615(S) Invalid use of LPC port.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4615(S): Invalid use of LPC port.
**Applies to**
- Windows 10
- Windows Server 2016
It appears that this event never occurs.
***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
***Event Schema:***
*Invalid use of LPC port.*
*Subject:*
> *Security ID%1*
>
> *Account Name:%2*
>
> *Account Domain:%3*
>
> *Logon ID:%4*
*Process Information:*
> *PID:%7*
>
> *Name:%8*
*Invalid Use:%5*
*LPC Server Port Name:%6*
*Windows Local Security Authority (LSA) communicates with the Windows kernel using Local Procedure Call (LPC) ports. If you see this event, an application has inadvertently or intentionally accessed this port which is reserved exclusively for LSAs use. The application (process) should be investigated to ensure that it is not attempting to tamper with this communications channel." *
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
- There is no recommendation for this event in this document.

172
windows/keep-secure/event-4616.md Normal file
View File

@ -0,0 +1,172 @@
---
title: 4616(S) The system time was changed. (Windows 10)
description: Describes security event 4616(S) The system time was changed.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4616(S): The system time was changed.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4616.png" alt="Event 4616 illustration" width="522" height="518" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
***Event Description:***
This event generates every time system time was changed.
This event is always logged regardless of the "Audit Security State Change" sub-category setting.
You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4616</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12288</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-09T05:04:29.995794600Z" />
<EventRecordID>1101699</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="148" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x48f29</Data>
<Data Name="PreviousTime">2015-10-09T05:04:30.000941900Z</Data>
<Data Name="NewTime">2015-10-09T05:04:30.000000000Z</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\WinSxS\\amd64\_microsoft-windows-com-surrogate-core\_31bf3856ad364e35\_6.3.9600.16384\_none\_25a8f00faa8f185c\\dllhost.exe</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:***
- 0 - Windows Server 2008, Windows Vista.
- 1 - Windows Server 2008 R2, Windows 7.
- Added “Process Information” section.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Process Information** \[Version 1\]**:**
- **Process ID** \[Type = Pointer\] \[Version 1\]: hexadecimal Process ID of the process that changed the system time. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Name** \[Type = UnicodeString\] \[Version 1\]**:** full path and the name of the executable for the process.
**Previous Time** \[Type = FILETIME\]: previous time in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**:
- Y - years
- M - months
- D - days
- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm).
- h - hours
- m - minutes
- s - seconds
- n - fractional seconds
- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".
**New Time** \[Type = FILETIME\]: new time that was set in ***UTC*** time zone. The format is **YYYY-MM-DDThh:mm:ss.nnnnnnnZ**:
- Y - years
- M - months
- D - days
- T - the beginning of the time element, as specified in [ISO 8601](http://www.iso.org/iso/home/standards/iso8601.htm).
- h - hours
- m - minutes
- s - seconds
- n - fractional seconds
- Z - the zone designator for the zero UTC offset. "09:30 UTC" is therefore represented as "09:30Z". "14:45:15 UTC" would be "14:45:15Z".
## Security Monitoring Recommendations
For 4616(S): The system time was changed.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service.
- Report all “**Process Information\\Name**” not equals **“C:\\Windows\\System32\\svchost.exe”** (path to svchost.exe can be different, you can search for “svchost.exe” substring), which means that the time change was not made not by Windows Time service.
<!-- -->
- <span id="Reccomendations_Process_Name" class="anchor"></span>If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”

97
windows/keep-secure/event-4618.md Normal file
View File

@ -0,0 +1,97 @@
---
title: 4618(S) A monitored security event pattern has occurred. (Windows 10)
description: Describes security event 4618(S) A monitored security event pattern has occurred.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4618(S): A monitored security event pattern has occurred.
**Applies to**
- Windows 10
- Windows Server 2016
***Subcategory:***&nbsp;[Audit System Integrity](audit-system-integrity.md)
This event can be generated (invoked) only externally using the following command:
**%windir%\\system32\\rundll32 %windir%\\system32\\authz.dll,AuthziGenerateAdminAlertAudit OrgEventId ComputerName UserSid UserName UserDomain UserLogonId EventCount Duration**
Account must have **SeAuditPrivilege** (Generate security audits) to be able to generate this event.
- **UserSid** is resolved when viewing the event in event viewer.
- Only **OrgEventID**, **ComputerName**, and **EventCount** are required—others are optional. Fields not specified appear with “**-**“ in the event description field.
- If a field doesnt match the expected data type, the event is not generated. (i.e., if **EventCount** = “XYZ” then no event is generated.)
- **UserSid**, **UserName**, and **UserDomain** are not related to each other (think **SubjectUser** fields, where they are)
- Parameters are space delimited, even if a parameter is enclosed in double-quotes.
- Here are the expected data types for the parameters:
| Parameter | Expected Data Type |
|--------------|--------------------------------------------------|
| OrgEventID | Ulong |
| ComputerName | String |
| UserSid | SID (in string format) |
| UserName | String |
| UserDomain | String |
| UserLogonID | Luid (a ULongLong converted to Hex in the event) |
| EventCount | Ulong |
| Duration | String |
<img src="images/event-4618.png" alt="Event 4618 illustration" width="449" height="494" hspace="10" align="left" />
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4618</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12290</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-11T21:42:33.264246700Z" />
<EventRecordID>1198759</EventRecordID>
<Correlation />
<Execution ProcessID="500" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="EventId">4624</Data>
<Data Name="ComputerName">DC01.contoso.local</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetUserDomain">CONTOSO</Data>
<Data Name="TargetLogonId">0x1</Data>
<Data Name="EventCount">10</Data>
<Data Name="Duration">“Hour"</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
For 4618(S): A monitored security event pattern has occurred.
- This event can be invoked only manually/intentionally, it is up to you how interpret this event depends on information you put inside of it.

43
windows/keep-secure/event-4621.md Normal file
View File

@ -0,0 +1,43 @@
---
title: 4621(S) Administrator recovered system from CrashOnAuditFail. (Windows 10)
description: Describes security event 4621(S) Administrator recovered system from CrashOnAuditFail.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4621(S): Administrator recovered system from CrashOnAuditFail.
**Applies to**
- Windows 10
- Windows Server 2016
This event is logged after a system reboots following [CrashOnAuditFail](https://technet.microsoft.com/en-us/library/cc963220.aspx?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2.
There is no example of this event in this document.
***Subcategory:***&nbsp;[Audit Security State Change](audit-security-state-change.md)
***Event Schema:***
*Administrator recovered system from CrashOnAuditFail. Users who are not administrators will now be allowed to log on. Some auditable activity might not have been recorded.*
*Value of CrashOnAuditFail:%1*
*This event is logged after a system reboots following CrashOnAuditFail.*
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
## Security Monitoring Recommendations
- We recommend triggering an alert for any occurrence of this event. The event shows that the system halted because it could not record an auditable event in the Security Log, as described in [CrashOnAuditFail](https://technet.microsoft.com/en-us/library/cc963220.aspx?f=255&MSPPError=-2147217396).
- If your computers dont have the [CrashOnAuditFail](https://technet.microsoft.com/en-us/library/cc963220.aspx?f=255&MSPPError=-2147217396) flag enabled, then this event will be a sign that some settings are not set to baseline settings or were changed.

99
windows/keep-secure/event-4622.md Normal file
View File

@ -0,0 +1,99 @@
---
title: 4622(S) A security package has been loaded by the Local Security Authority. (Windows 10)
description: Describes security event 4622(S) A security package has been loaded by the Local Security Authority.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4622(S): A security package has been loaded by the Local Security Authority.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4622.png" alt="Event 4622 illustration" width="449" height="317" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Security System Extension](audit-security-system-extension.md)
***Event Description:***
This event generates every time [Security Package](https://msdn.microsoft.com/en-us/library/windows/desktop/aa380501(v=vs.85).aspx) has been loaded by the Local Security Authority ([LSA](https://msdn.microsoft.com/en-us/library/windows/desktop/aa378326(v=vs.85).aspx)).
Security Package is the software implementation of a security protocol (Kerberos, NTLM, for example). Security packages are contained in security support provider DLLs or security support provider/authentication package DLLs.
Each time the system starts, the LSA loads the Security Package DLLs from **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig\\Security Packages** registry value and performs the initialization sequence for every package located in these DLLs.
It is also possible to add security package dynamically using [AddSecurityPackage](https://msdn.microsoft.com/en-us/library/windows/desktop/dd401506(v=vs.85).aspx) function, not only during system startup process.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4622</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12289</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-14T03:36:41.359331100Z" />
<EventRecordID>1048131</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="520" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SecurityPackageName">C:\\Windows\\system32\\kerberos.DLL : Kerberos</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Security Package Name** \[Type = UnicodeString\]**:** the name of loaded Security Package. The format is: DLL\_PATH\_AND\_NAME: SECURITY\_PACKAGE\_NAME.
These are some Security Package DLLs loaded by default in Windows 10:
- C:\\Windows\\system32\\schannel.DLL : Microsoft Unified Security Protocol Provider
- C:\\Windows\\system32\\schannel.DLL : Schannel
- C:\\Windows\\system32\\cloudAP.DLL : CloudAP
- C:\\Windows\\system32\\wdigest.DLL : WDigest
- C:\\Windows\\system32\\pku2u.DLL : pku2u
- C:\\Windows\\system32\\tspkg.DLL : TSSSP
- C:\\Windows\\system32\\msv1\_0.DLL : NTLM
- C:\\Windows\\system32\\kerberos.DLL : Kerberos
- C:\\Windows\\system32\\negoexts.DLL : NegoExtender
- C:\\Windows\\system32\\lsasrv.dll : Negotiate
## Security Monitoring Recommendations
For 4622(S): A security package has been loaded by the Local Security Authority.
- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the whitelist or not.

308
windows/keep-secure/event-4624.md Normal file
View File

@ -0,0 +1,308 @@
---
title: 4624(S) An account was successfully logged on. (Windows 10)
description: Describes security event 4624(S) An account was successfully logged on.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4624(S): An account was successfully logged on.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4624.png" alt="Event 4624 illustration" width="438" height="668" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Logon](audit-logon.md)
***Event Description:***
This event generates when a logon session is created (on destination machine). It generates on the computer that was accessed, where the session was created.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T00:24:35.079785200Z" />
<EventRecordID>211</EventRecordID>
<Correlation ActivityID="{00D66690-1CDF-0000-AC66-D600DF1CD101}" />
<Execution ProcessID="716" ThreadID="760" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-500</Data>
<Data Name="TargetUserName">Administrator</Data>
<Data Name="TargetDomainName">WIN-GG82ULGC9GO</Data>
<Data Name="TargetLogonId">0x8dcdc</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">WIN-GG82ULGC9GO</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x44c</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:***
- 0 - Windows Server 2008, Windows Vista.
- 1 - Windows Server 2012, Windows 8.
- Added “Impersonation Level” field.
- 2 Windows 10.
- Added “Logon Information:” section.
- **Logon Type** moved to “Logon Information:” section.
- Added “Restricted Admin Mode” field.
- Added “Virtual Account” field.
- Added “Elevated Token” field.
- Added “Linked Logon ID” field.
- Added “Network Account Name” field.
- Added “Network Account Domain” field.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
**Logon Information** \[Version 2\]**: **
- **Logon Type** \[Version 0, 1, 2\] \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field.
## Logon types and descriptions
| Logon Type | Logon Title | Description |
|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
- **Restricted Admin Mode** \[Version 2\] \[Type = UnicodeString\]**:** Only populated for **RemoteInteractive** logon type sessions. This is a Yes/No flag indicating if the credentials provided were passed using Restricted Admin mode. Restricted Admin mode was added in Win8.1/2012R2 but this flag was added to the event in Win10.
Reference: <http://blogs.technet.com/b/kfalde/archive/2013/08/14/restricted-admin-mode-for-rdp-in-windows-8-1-2012-r2.aspx>.
If not a **RemoteInteractive** logon, then this will be "-" string.
- **Virtual Account** \[Version 2\] \[Type = UnicodeString\]**:** a “Yes” or “No” flag, which indicates if the account is a virtual account (e.g., "[Managed Service Account](https://technet.microsoft.com/en-us/library/dd560633(v=ws.10).aspx)"), which was introduced in Windows 7 and Windows Server 2008 R2 to provide the ability to identify the account that a given Service uses, instead of just using "NetworkService".
- **Elevated Token** \[Version 2\] \[Type = UnicodeString\]**:** a “Yes” or “No” flag. If “Yes” then the session this event represents is elevated and has administrator privileges.
**Impersonation Level** \[Version 1, 2\] \[Type = UnicodeString\]: can have one of these four values:
- SecurityAnonymous (displayed as **empty string**): The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero.
- SecurityIdentification (displayed as "**Identification**"): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.
- SecurityImpersonation (displayed as "**Impersonation**"): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type.
- SecurityDelegation (displayed as "**Delegation**"): The server process can impersonate the client's security context on remote systems.
**New Logon:**
- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
- **Linked Logon ID** \[Version 2\] \[Type = HexInt64\]**:** A hexadecimal value of the paired logon session. If there is no other logon session associated with this logon session, then the value is “**0x0**”.
- **Network Account Name** \[Version 2\] \[Type = UnicodeString\]**:** User name that will be used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type.
If not **NewCredentials** logon, then this will be a "-" string.
- **Network Account Domain** \[Version 2\] \[Type = UnicodeString\]**:** Domain for the user that will be used for outbound (network) connections. Valid only for [NewCredentials](#logon-types-and-descriptions) logon type.
If not **NewCredentials** logon, then this will be a "-" string.
- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
It also can be used for correlation between a 4624 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4648](event-4648.md)(S): A logon was attempted using explicit credentials” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
**Process Information:**
- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Network Information:**
- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
- IPv6 address or ::ffff:IPv4 address of a client.
- ::1 or 127.0.0.1 means localhost.
- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
- 0 for interactive logons.
**Detailed Authentication Information:**
- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
- **NTLM** NTLM-family Authentication
- **Kerberos** Kerberos authentication.
- **Negotiate** the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see <https://msdn.microsoft.com/en-us/library/cc246072.aspx>
- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/en-us/library/cc236627.aspx) protocol name) that was used during logon. Possible values are:
- “NTLM V1”
- “NTLM V2”
- “LM”
Only populated if “**Authentication Package” = “NTLM”**.
- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/en-us/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
## Security Monitoring Recommendations
For 4624(S): An account was successfully logged on.
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“New Logon\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“New Logon\\Security ID”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“New Logon\\Security ID”** for accounts that are outside the whitelist. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“New Logon\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Subject\\Account Domain”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“New Logon\\Security ID”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** for names that dont comply with naming conventions. |
- Because this event is typically triggered by the SYSTEM account, we recommend that you report it whenever **“Subject\\Security ID”** is not SYSTEM.
- If “**Restricted Admin**” mode must be used for logons by certain accounts, use this event to monitor logons by “**New Logon\\Security ID**” in relation to “**Logon Type**”=10 and “**Restricted Admin Mode**”=”Yes”. If “**Restricted Admin Mode**”=”No” for these accounts, trigger an alert.
- If you need to monitor all logon events for accounts with administrator privileges, monitor this event with “**Elevated Token**”=”Yes”.
- If you need to monitor all logon events for managed service accounts and group managed service accounts, monitor for events with “**Virtual Account**”=”Yes”.
- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
- If the user account **“New Logon\\Security ID”** should never be used to log on from the specific **Computer:**.
- If **New Logon\\Security ID** credentials should not be used from **Workstation Name** or **Source Network Address**.
- If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
- If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**.
- If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM.
- If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
- If you monitor for potentially malicious software, or software that is not authorized to request logon actions, monitor this event for **Process Name**.
- If you have a trusted logon processes list, monitor for a **Logon Process** that is not from the list.

289
windows/keep-secure/event-4625.md Normal file
View File

@ -0,0 +1,289 @@
---
title: 4625(F) An account failed to log on. (Windows 10)
description: Describes security event 4625(F) An account failed to log on.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4625(F): An account failed to log on.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4625.png" alt="Event 4625 illustration" width="449" height="780" hspace="10" align="left" />
***Subcategories:***&nbsp;[Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md)
***Event Description:***
This event generates if an account logon attempt failed when the account was already locked out. It also generates for a logon attempt after which the account was locked out.
It generates on the computer where logon attempt was made, for example, if logon attempt was made on users workstation, then event will be logged on this workstation.
This event generates on domain controllers, member servers, and workstations.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12546</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-08T22:54:54.962511700Z" />
<EventRecordID>229977</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3240" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">Auditor</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="Status">0xc0000234</Data>
<Data Name="FailureReason">%%2307</Data>
<Data Name="SubStatus">0x0</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32</Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DC01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x1bc</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\winlogon.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
| <span id="Windows_Logon_Types" class="anchor"></span>Logon Type | Logon Title | Description |
|-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
> <span id="_Ref433822321" class="anchor"></span>Table: Windows Logon Types
**Account For Which Logon Failed:**
- **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
- **Account Domain** \[Type = UnicodeString\]**:** domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Failure Information:**
- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value.
- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in “Table 12. Windows logon status codes.”
| Status\\Sub-Status Code | Description |
|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0XC000005E | There are currently no logon servers available to service the logon request. |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
| 0XC000006D | This is either due to a bad username or authentication information |
| 0XC000006E | Unknown user name or bad password. |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
| 0xC0000072 | User logon to account disabled by administrator |
| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
| 0XC0000133 | Clocks between DC and other computer too far out of sync |
| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
| 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. |
| 0xC0000193 | User logon with expired account |
| 0XC0000224 | User is required to change password at next logon |
| 0XC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0XC00002EE | Failure Reason: An Error occurred during Logon |
| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
| 0x0 | Status OK. |
> <span id="_Ref433822658" class="anchor"></span>Table: Windows logon status codes.
> **Note**&nbsp;&nbsp;To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK.
More information: <https://dev.windows.com/en-us/downloads>
- **Sub Status** \[Type = HexInt32\]**:** additional information about logon failure. The most common sub-status codes listed in the “Table 12. Windows logon status codes.”.
**Process Information:**
- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Caller Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Network Information:**
- **Workstation Name** \[Type = UnicodeString\]**:** machine name from which logon attempt was performed.
- **Source Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
- IPv6 address or ::ffff:IPv4 address of a client.
- ::1 or 127.0.0.1 means localhost.
- **Source Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
- 0 for interactive logons.
**Detailed Authentication Information:**
- **Logon Process** \[Type = UnicodeString\]**:** the name of the trusted logon process that was used for the logon attempt. See event “[4611](event-4611.md): A trusted logon process has been registered with the Local Security Authority” description for more information.
- **Authentication Package** \[Type = UnicodeString\]**:** The name of the authentication package which was used for the logon authentication process. Default packages loaded on LSA startup are located in “HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\OSConfig” registry key. Other packages can be loaded at runtime. When a new package is loaded a “[4610](event-4610.md): An authentication package has been loaded by the Local Security Authority” (typically for NTLM) or “[4622](event-4622.md): A security package has been loaded by the Local Security Authority” (typically for Kerberos) event is logged to indicate that a new package has been loaded along with the package name. The most common authentication packages are:
- **NTLM** NTLM-family Authentication
- **Kerberos** Kerberos authentication.
- **Negotiate** the Negotiate security package selects between Kerberos and NTLM protocols. Negotiate selects Kerberos unless it cannot be used by one of the systems involved in the authentication or the calling application did not provide sufficient information to use Kerberos.
- **Transited Services** \[Type = UnicodeString\] \[Kerberos-only\]**:** the list of transmitted services. Transmitted services are populated if the logon was a result of a S4U (Service For User) logon process. S4U is a Microsoft extension to the Kerberos Protocol to allow an application service to obtain a Kerberos service ticket on behalf of a user most commonly done by a front-end website to access an internal resource on behalf of a user. For more information about S4U, see <https://msdn.microsoft.com/en-us/library/cc246072.aspx>
- **Package Name (NTLM only)** \[Type = UnicodeString\]**:** The name of the LAN Manager sub-package ([NTLM-family](https://msdn.microsoft.com/en-us/library/cc236627.aspx) protocol name) that was used during the logon attempt. Possible values are:
- “NTLM V1”
- “NTLM V2”
- “LM”
Only populated if “**Authentication Package” = “NTLM”**.
- **Key Length** \[Type = UInt32\]**:** the length of [NTLM Session Security](https://msdn.microsoft.com/en-us/library/cc236650.aspx) key. Typically it has 128 bit or 56 bit length. This parameter is always 0 if “**Authentication Package” = “Kerberos”**, because it is not applicable for Kerberos protocol. This field will also have “0” value if Kerberos was negotiated using **Negotiate** authentication package.
## Security Monitoring Recommendations
For 4625(F): An account failed to log on.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- If **Subject\\Account Name** is a name of service account or user account, it may be useful to investigate whether that account is allowed (or expected) to request logon for **Account For Which Logon Failed\\Security ID**.
- To monitor for a mismatch between the logon type and the account that uses it (for example, if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor **Logon Type** in this event.
- If you have a high-value domain or local account for which you need to monitor every lockout, monitor all [4625](event-4625.md) events with the **“Subject\\Security ID”** that corresponds to the account.
- We recommend monitoring all [4625](event-4625.md) events for local accounts, because these accounts typically should not be locked out. This is especially relevant for critical servers, administrative workstations, and other high value assets.
- We recommend monitoring all [4625](event-4625.md) events for service accounts, because these accounts should not be locked out or prevented from functioning. This is especially relevant for critical servers, administrative workstations, and other high value assets.
- If your organization restricts logons in the following ways, you can use this event to monitor accordingly:
- If the **“Account For Which Logon Failed \\Security ID”** should never be used to log on from the specific **Network Information\\Workstation Name**.
- If a specific account, such as a service account, should only be used from your internal IP address list (or some other list of IP addresses). In this case, you can monitor for **Network Information\\Source Network Address** and compare the network address with your list of IP addresses.
- If a particular version of NTLM is always used in your organization. In this case, you can use this event to monitor **Package Name (NTLM only)**, for example, to find events where **Package Name (NTLM only)** does not equal **NTLM V2**.
- If NTLM is not used in your organization, or should not be used by a specific account (**New Logon\\Security ID**). In this case, monitor for all events where **Authentication Package** is NTLM.
- If the **Authentication Package** is NTLM. In this case, monitor for **Key Length** not equal to 128, because all Windows operating systems starting with Windows 2000 support 128-bit Key Length.
- If **Logon Process** is not from a trusted logon processes list.
- Monitor for all events with the fields and values in the following table:
| **Field** | Value to monitor for |
|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000005E “There are currently no logon servers available to service the logon request.” <br>This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000064 “User logon with misspelled or bad user account”. <br>Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006A “User logon with misspelled or bad password” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000006D “This is either due to a bad username or authentication information” for critical accounts or service accounts. <br>Especially watch for a number of such events in a row. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC000006F “User logon outside authorized hours”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000070 “User logon from unauthorized workstation”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000072 “User logon to account disabled by administrator”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC000015B “The user has not been granted the requested logon type (aka logon right) at this machine”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000192 “An attempt was made to logon, but the Netlogon service was not started”. <br>This is typically not a security issue but it can be an infrastructure or availability issue. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0xC0000193 “User logon with expired account”. |
| **Failure Information\\Status** or <br>**Failure Information\\Sub Status** | 0XC0000413 “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |

181
windows/keep-secure/event-4626.md Normal file
View File

@ -0,0 +1,181 @@
---
title: 4626(S) User/Device claims information. (Windows 10)
description: Describes security event 4626(S) User/Device claims information.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4626(S): User/Device claims information.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4626.png" alt="Event 4626 illustration" width="549" height="771" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit User/Device Claims](audit-user-device-claims.md)
***Event Description:***
This event generates for new account logons and contains user/device claims which were associated with a new logon session.
This event does not generate if the user/device doesnt have claims.
For computer account logons you will also see device claims listed in the “**User Claims**” field.
You will typically get “[4624](event-4624.md): An account was successfully logged on” and after it a 4626 event with the same information in **Subject**, **Logon Type** and **New Logon** sections.
This event generates on the computer to which the logon was performed (target computer). For example, for Interactive logons it will be the same computer.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4626</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12553</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T00:12:02.243396300Z" />
<EventRecordID>232648</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1092" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x136f7b</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="UserClaims">ad://ext/cn:88d2b96fdb2b4c49 <%%1818> : "dadmin" ad://ext/Department:88d16a8edaa8c66b <%%1818> : "IT"</Data>
<Data Name="DeviceClaims">-</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2012, Windows 8.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that reported information about claims. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about claims.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field:
| Logon Type | Logon Title | Description |
|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
**New Logon:**
- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all claims, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value.
**User Claims** \[Type = UnicodeString\]**:** list of user claims for new logon session. This field contains user claims if user account was logged in and device claims if computer account was logged in. Here is an example how to parse the entrance of this field:
- ad://ext/cn:88d2b96fdb2b4c49 &lt;String&gt; : “dadmin”
- cn claim display name.
- 88d2b96fdb2b4c49 unique claim ID.
- &lt;String&gt; - claim type.
- “dadmin” claim value.
**Device Claims** \[Type = UnicodeString\]**:** list of device claims for new logon session. For user accounts this field typically has “**-**“ value**.** For computer accounts this field has device claims listed.
## Security Monitoring Recommendations
For 4626(S): User/Device claims information.
- <span id="Reccomendations_Subject_NULLSID" class="anchor"></span>Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”.
- If you need to monitor account logons with specific claims, you can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields.
- If you have specific requirements, such as:
- Users with specific claims should not access specific computers;
- Computer account should not have specific claims;
- User account should not have specific claims;
- Claim should not be empty
- And so on…
You can monitor for [4626](event-4626.md) and check **User Claims**\\**Device Claims** fields.
- If you need to monitor computer/user logon attempts only and you dont need information about claims, then it is better to monitor “[4624](event-4624.md): An account was successfully logged on.”

152
windows/keep-secure/event-4627.md Normal file
View File

@ -0,0 +1,152 @@
---
title: 4627(S) Group membership information. (Windows 10)
description: Describes security event 4627(S) Group membership information.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4627(S): Group membership information.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4627.png" alt="Event 4627 illustration" width="876" height="1418" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Group Membership](audit-group-membership.md)
***Event Description:***
This event generates with “[4624](event-4624.md)(S): An account was successfully logged on” and shows the list of groups that the logged-on account belongs to.
You must also enable the Success audit for [Audit Logon](audit-logon.md) subcategory to get this event.
Multiple events are generated if the group membership information cannot fit in a single security audit event.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4627</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12554</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T03:51:25.843673000Z" />
<EventRecordID>3081</EventRecordID>
<Correlation ActivityID="{913FBE70-1CE6-0000-67BF-3F91E61CD101}" />
<Execution ProcessID="736" ThreadID="808" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-0-0</Data>
<Data Name="SubjectUserName">-</Data>
<Data Name="SubjectDomainName">-</Data>
<Data Name="SubjectLogonId">0x0</Data>
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x569860</Data>
<Data Name="LogonType">3</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="GroupMembership">%{S-1-5-21-1377283216-344919071-3415362939-513} %{S-1-1-0} %{S-1-5-32-544} %{S-1-5-32-545} %{S-1-5-32-554} %{S-1-5-2} %{S-1-5-11} %{S-1-5-15} %{S-1-5-21-1377283216-344919071-3415362939-512} %{S-1-5-21-1377283216-344919071-3415362939-572} %{S-1-5-64-10} %{S-1-16-12288}</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2016, Windows 10.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that reported information about successful logon or invokes it. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about successful logon or invokes it.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. The table below contains the list of possible values for this field:
| Logon Type | Logon Title | Description |
|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
**New Logon:**
- **Security ID** \[Type = SID\]**:** SID of account for which logon was performed. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account for which logon was performed.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4672](event-4672.md)(S): Special privileges assigned to new logon.”
**Event in sequence** \[Type = UInt32\]**: I**f is there is not enough space in one event to put all groups, you will see “**1 of N**” in this field and additional events will be generated. Typically this field has “**1 of 1**” value.
**Group Membership** \[Type = UnicodeString\]**:** the list of group SIDs which logged account belongs to (member of). Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
## Security Monitoring Recommendations
For 4627(S): Group membership information.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Typically this action is reported by the NULL SID account, so we recommend reporting all events with **“Subject\\Security ID”** not equal “**NULL SID**”.
<!-- -->
- If you need to track that a member of a specific group logged on to a computer, check the “**Group Membership**” field.

117
windows/keep-secure/event-4634.md Normal file
View File

@ -0,0 +1,117 @@
---
title: 4634(S) An account was logged off. (Windows 10)
description: Describes security event 4634(S) An account was logged off.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4634(S): An account was logged off.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4634.png" alt="Event 4634 illustration" width="449" height="431" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Logoff](audit-logoff.md)
***Event Description:***
This event shows that logon session was terminated and no longer exists.
The main difference between “[4647](event-4647.md): User initiated logoff.” and 4647 event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4634</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T02:27:57.877205900Z" />
<EventRecordID>230019</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="832" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-90-1</Data>
<Data Name="TargetUserName">DWM-1</Data>
<Data Name="TargetDomainName">Window Manager</Data>
<Data Name="TargetLogonId">0x1a0992</Data>
<Data Name="LogonType">2</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that was logged off. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was logged off.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Logon Type** \[Type = UInt32\]**:** the type of logon which was used. The table below contains the list of possible values for this field:
| Logon Type | Logon Title | Description |
|------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 2 | Interactive | A user logged on to this computer. |
| 3 | Network | A user or computer logged on to this computer from the network. |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
| 5 | Service | A service was started by the Service Control Manager. |
| 7 | Unlock | This workstation was unlocked. |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
## Security Monitoring Recommendations
For 4634(S): An account was logged off.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If a particular **Logon Type** should not be used by a particular account (for example if **Logon Type** 4-Batch or 5-Service is used by a member of a domain administrative group), monitor this event for such actions.

100
windows/keep-secure/event-4647.md Normal file
View File

@ -0,0 +1,100 @@
---
title: 4647(S) User initiated logoff. (Windows 10)
description: Describes security event 4647(S) User initiated logoff.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4647(S): User initiated logoff.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4647.png" alt="Event 4647 illustration" width="449" height="392" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Logoff](audit-logoff.md)
***Event Description:***
This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event.
The main difference with “[4634](event-4634.md)(S): An account was logged off.” event is that 4647 event is generated when logoff procedure was initiated by specific account using logoff function, and 4634 event shows that session was terminated and no longer exists.
4647 is more typical for **Interactive** and **RemoteInteractive** logon types when user was logged off using standard methods. You will typically see both 4647 and 4634 events when logoff procedure was initiated by user.
It may be positively correlated with a “[4624](event-4624.md): An account was successfully logged on.” event using the **Logon ID** value. Logon IDs are only unique between reboots on the same computer.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4647</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12545</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-09T03:08:39.126890800Z" />
<EventRecordID>230200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="3864" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x29b379</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “logoff” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “logoff” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
## Security Monitoring Recommendations
For 4647(S): User initiated logoff.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).

194
windows/keep-secure/event-4648.md Normal file
View File

@ -0,0 +1,194 @@
---
title: 4648(S) A logon was attempted using explicit credentials. (Windows 10)
description: Describes security event 4648(S) A logon was attempted using explicit credentials.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4648(S): A logon was attempted using explicit credentials.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4648.png" alt="Event 4648 illustration" width="486" height="663" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Logon](audit-logon.md)
***Event Description:***
This event is generated when a process attempts an account logon by explicitly specifying that accounts credentials.
This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the “RUNAS” command.
It is also a routine event which periodically occurs during normal operating system activity.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4648</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-10T02:54:50.771459000Z" />
<EventRecordID>233200</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="1116" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x31844</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserName">ladmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonGuid">{0887F1E4-39EA-D53C-804F-31D568A06274}</Data>
<Data Name="TargetServerName">localhost</Data>
<Data Name="TargetInfo">localhost</Data>
<Data Name="ProcessId">0x368</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\svchost.exe</Data>
<Data Name="IpAddress">::1</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the new logon session with explicit credentials. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the new logon session with explicit credentials.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
**Account Whose Credentials Were Used:**
- **Account Name** \[Type = UnicodeString\]**:** the name of the account whose credentials were used.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon GUID** \[Type = GUID\]: a GUID that can help you correlate this event with another event that can contain the same **Logon GUID**, “[4769](event-4769.md)(S, F): A Kerberos service ticket was requested event on a domain controller.
It also can be used for correlation between a 4648 event and several other events (on the same computer) that can contain the same **Logon GUID**, “[4624](event-4624.md)(S): An account was successfully logged on” and “[4964](event-4964.md)(S): Special groups have been assigned to a new logon.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
**Target Server:**
- **Target Server Name** \[Type = UnicodeString\]**:** the name of the server on which the new process was run. Has “**localhost**” value if the process was run locally.
- **Additional Information** \[Type = UnicodeString\]**:** there is no detailed information about this field in this document.
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which was run using explicit credentials. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Network Information:**
- **Network Address** \[Type = UnicodeString\]**:** IP address of machine from which logon attempt was performed.
- IPv6 address or ::ffff:IPv4 address of a client.
- ::1 or 127.0.0.1 means localhost.
- **Port** \[Type = UnicodeString\]: source port which was used for logon attempt from remote machine.
- 0 for interactive logons.
## Security Monitoring Recommendations
For 4648(S): A logon was attempted using explicit credentials.
The following table is similar to the table in [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md), but also describes ways of monitoring that use “**Account Whose Credentials Were Used\\Security ID.**”
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high value domain or local accounts for which you need to monitor each action.<br>Examples of high value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the high value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that correspond to the accounts that should never be used. |
| **Account whitelist**: You might have a specific whitelist of accounts that are allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Subject\\Security ID”** and “**Account Whose Credentials Were Used\\Security ID**” for accounts that are outside the whitelist. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform the action corresponding to this event. | Monitor for the **“Subject\\Account Domain”** or “**Account Whose Credentials Were Used\\Security ID**” corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Subject\\Security ID”** or “**Account Whose Credentials Were Used\\Security ID**” that you are concerned about.<br>For example, you might monitor to ensure that “**Account Whose Credentials Were Used\\Security ID**” is not used to log on to a certain computer. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Subject\\Account Name”** and “**Account Whose Credentials Were Used\\Security ID**” for names that dont comply with naming conventions. |
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- If **Subject\\Security ID** should not know or use credentials for **Account Whose Credentials Were Used\\Account Name**, monitor this event.
- If credentials for **Account Whose Credentials Were Used\\Account Name** should not be used from **Network Information\\Network Address**, monitor this event.
- Check that **Network Information\\Network Address** is from internal IP address list. For example, if you know that a specific account (for example, a service account) should be used only from specific IP addresses, you can monitor for all events where **Network Information\\Network Address** is not one of the allowed IP addresses.

79
windows/keep-secure/event-4649.md Normal file
View File

@ -0,0 +1,79 @@
---
title: 4649(S) A replay attack was detected. (Windows 10)
description: Describes security event 4649(S) A replay attack was detected.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4649(S): A replay attack was detected.
**Applies to**
- Windows 10
- Windows Server 2016
This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client.
Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match recently seen entries in the cache, it will return KRB\_AP\_ERR\_REPEAT. You can read more about this in [RFC-1510](http://www.ietf.org/rfc/rfc1510.txt). One potential cause for this is a misconfigured network device between the client and server that could send the same packet(s) repeatedly.
There is no example of this event in this document.
***Subcategory:***&nbsp;[Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md)
***Event Schema:***
*A replay attack was detected.*
*Subject:*
> *Security ID:%1*
>
> *Account Name:%2*
>
> *Account Domain:%3*
>
> *Logon ID:%4*
*Credentials Which Were Replayed:*
> *Account Name:%5*
>
> *Account Domain:%6*
*Process Information:*
> *Process ID:%12*
>
> *Process Name:%13*
*Network Information:*
> *Workstation Name:%10*
*Detailed Authentication Information:*
> *Request Type:%7*
>
> *Logon Process:%8*
>
> *Authentication Package:%9*
>
> *Transited Services:%11*
*This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration."*
***Required Server Roles:*** Active Directory domain controller.
***Minimum OS Version:*** Windows Server 2008.
***Event Versions:*** 0.
## Security Monitoring Recommendations
For 4649(S): A replay attack was detected.
- This event can be a sign of Kerberos replay attack or, among other things, network device configuration or routing problems. In both cases, we recommend triggering an alert and investigating the reason the event was generated.

277
windows/keep-secure/event-4656.md Normal file
View File

@ -0,0 +1,277 @@
---
title: 4656(S, F) A handle to an object was requested. (Windows 10)
description: Describes security event 4656(S, F) A handle to an object was requested.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4656(S, F): A handle to an object was requested.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4656.png" alt="Event 4656 illustration" width="764" height="895"/>
***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
***Event Description:***
This event indicates that specific access was requested for an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
If access was declined, a Failure event is generated.
This event generates only if the objects [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has the required ACE to handle the use of specific access rights.
This event shows that access was requested, and the results of the request, but it doesnt show that the operation was performed. To see that the operation was performed, check “[4663](event-4663.md)(S): An attempt was made to access an object.”
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML***:
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4656</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:15:19.346776600Z" />
<EventRecordID>274057</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%1538 %%1541 %%4416 %%4417 %%4418 %%4419 %%4420 %%4423 %%4424</Data>
<Data Name="AccessReason">%%1538: %%1804 %%1541: %%1809 %%4416: %%1809 %%4417: %%1809 %%4418: %%1802 D:(D;;LC;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4419: %%1809 %%4420: %%1809 %%4423: %%1811 D:(A;OICI;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104) %%4424: %%1809</Data>
<Data Name="AccessMask">0x12019f</Data>
<Data Name="PrivilegeList">-</Data>
<Data Name="RestrictedSidCount">0</Data>
<Data Name="ProcessId">0x1074</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:***
- 0 - Windows Server 2008, Windows Vista.
- 1 - Windows Server 2012, Windows 8.
- Added “Resource Attributes” field.
- Added “Access Reasons” field.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Object**:
- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation.
The following table contains the list of the most common **Object Types**:
| Directory | Event | Timer | Device |
|-------------------------|--------------|----------------------|--------------|
| Mutant | Type | File | Token |
| Thread | Section | WindowStation | DebugObject |
| FilterCommunicationPort | EventPair | Driver | IoCompletion |
| Controller | SymbolicLink | WmiGuid | Process |
| Profile | Desktop | KeyedEvent | Adapter |
| Key | WaitablePort | Callback | Semaphore |
| Job | Port | FilterConnectionPort | ALPC Port |
- **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
- **Resource Attributes** \[Type = UnicodeString\] \[Version 1\]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))
- Impact\_MS: Resource Property ***ID***.
- 3000: Recourse Property ***Value***.
<img src="images/impact-property.png" alt="Impact property illustration" width="886" height="592" />
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the access was requested. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Access Request Information:**
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
| <span id="File_system_objects_access_rights" class="anchor"></span>Access | Hexadecimal Value,<br>Schema Value | Description |
|---------------------------------------------------------------------------------------|-------------------------------------|----------------|
| ReadData (or ListDirectory)<br><br>(For registry objects, this is “Query key value.”) | 0x1,<br>%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory. |
| WriteData (or AddFile)<br><br>(For registry objects, this is “Set key value.”) | 0x2,<br>%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).<br>**AddFile -** For a directory, the right to create a file in the directory. |
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,<br>%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| ReadEA<br>(For registry objects, this is “Enumerate sub-keys.”) | 0x8,<br>%%4419 | The right to read extended file attributes. |
| WriteEA | 0x10,<br>%%4420 | The right to write extended file attributes. |
| Execute/Traverse | 0x20,<br>%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**&thinsp; [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**&thinsp; [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. |
| DeleteChild | 0x40,<br>%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80,<br>%%4423 | The right to read file attributes. |
| WriteAttributes | 0x100,<br>%%4424 | The right to write file attributes. |
| DELETE | 0x10000,<br>%%1537 | The right to delete the object. |
| READ\_CONTROL | 0x20000,<br>%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). |
| WRITE\_DAC | 0x40000,<br>%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. |
| WRITE\_OWNER | 0x80000,<br>%%1540 | The right to change the owner in the object's security descriptor |
| SYNCHRONIZE | 0x100000,<br>%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. |
| ACCESS\_SYS\_SEC | 0x1000000,<br>%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. |
> <span id="_Ref433973578" class="anchor"></span>Table 14. File System objects access rights.
- **Access Reasons** \[Type = UnicodeString\] \[Version 1\]: the list of access check results. The format of this varies, depending on the object. For kernel objects, this field does not apply.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table.
<!-- -->
- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. |
| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process. |
| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.<br>This privilege is valid only on domain controllers. |
| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. |
| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log. |
| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. |
| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
| SeSystemtimePrivilege | Change the system time | Required to modify the system time.<br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.<br>With this privilege, the user can undock a portable computer from its docking station without logging on. |
| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. |
- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**.
## Security Monitoring Recommendations
For 4656(S, F): A handle to an object was requested.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- If **Object Name** is a sensitive or critical object for which you need to monitor any access attempt, monitor all [4656](event-4656.md) events.
- If **Object Name** is a sensitive or critical object for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4656](event-4656.md) events with the corresponding **Access Request Information\\Accesses** values.
- If you need to monitor files and folders with specific Resource Attribute values, monitor for all [4656](event-4656.md) events with specific **Resource Attributes** field values.
For file system objects, we recommend that you monitor these **Access Request Information\\Accesses** rights (especially for Failure events):
- WriteData (or AddFile)
- AppendData (or AddSubdirectory or CreatePipeInstance)
- WriteEA
- DeleteChild
- WriteAttributes
- DELETE
- WRITE\_DAC
- WRITE\_OWNER

179
windows/keep-secure/event-4657.md Normal file
View File

@ -0,0 +1,179 @@
---
title: 4657(S) A registry value was modified. (Windows 10)
description: Describes security event 4657(S) A registry value was modified.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4657(S): A registry value was modified.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4657.png" alt="Event 4657 illustration" width="449" height="570" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Registry](audit-registry.md)
***Event Description:***
This event generates when a registry key ***value*** was modified. It doesnt generate when a registry key was modified.
This event generates only if “Set Value" auditing is set in registry keys [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4657</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-24T01:28:43.639634100Z" />
<EventRecordID>744725</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="4824" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x364eb</Data>
<Data Name="ObjectName">\\REGISTRY\\MACHINE</Data>
<Data Name="ObjectValueName">Name\_New</Data>
<Data Name="HandleId">0x54</Data>
<Data Name="OperationType">%%1905</Data>
<Data Name="OldValueType">%%1873</Data>
<Data Name="OldValue" />
<Data Name="NewValueType">%%1873</Data>
<Data Name="NewValue">Andrei</Data>
<Data Name="ProcessId">0xce4</Data>
<Data Name="ProcessName">C:\\Windows\\regedit.exe</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “modify registry value” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “modify registry value” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Object:**
- **Object Name** \[Type = UnicodeString\]: full path and name of the registry key which value was modified. The format is: \\REGISTRY\\HIVE\\PATH where:
- HIVE:
- HKEY\_LOCAL\_MACHINE = \\REGISTRY\\MACHINE
- HKEY\_CURRENT\_USER = \\REGISTRY\\USER\\\[USER\_SID\], where \[USER\_SID\] is the SID of current user.
- HKEY\_CLASSES\_ROOT = \\REGISTRY\\MACHINE\\SOFTWARE\\Classes
- HKEY\_USERS = \\REGISTRY\\USER
- HKEY\_CURRENT\_CONFIG = \\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Hardware Profiles\\Current
- PATH path to the registry key.
- **Object Value Name** \[Type = UnicodeString\]**:** the name of modified registry key value.
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4656](event-4656.md): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
- **Operation Type** \[Type = UnicodeString\]**:** the type of performed operation with registry key value. Most common operations are:
- New registry value created
- Registry value deleted
- Existing registry value modified
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the registry key value was modified. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Change Information:**
- **Old Value Type** \[Type = UnicodeString\]**:** old type of changed registry key value. Registry key value types:
| Value Type | Description |
|-----------------|-------------------------|
| REG\_SZ | String |
| REG\_BINARY | Binary |
| REG\_DWORD | DWORD (32-bit) Value |
| REG\_QWORD | QWORD (64-bit) Value |
| REG\_MULTI\_SZ | Multi-String Value |
| REG\_EXPAND\_SZ | Expandable String Value |
- **Old Value** \[Type = UnicodeString\]: old value for changed registry key value.
- **New Value Type** \[Type = UnicodeString\]**:** new type of changed registry key value. See table above for possible values.
- **New Value** \[Type = UnicodeString\]: new value for changed registry key value.
## Security Monitoring Recommendations
For 4657(S): A registry value was modified.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- If **Object Name** is a sensitive or critical registry key for which you need to monitor any modification of its values, monitor all [4657](event-4657.md) events.
- If **Object Name** has specific values (**Object Value Name**) and you need to monitor modifications of these values, monitor for all [4657](event-4657.md) events.

132
windows/keep-secure/event-4658.md Normal file
View File

@ -0,0 +1,132 @@
---
title: 4658(S) The handle to an object was closed. (Windows 10)
description: Describes security event 4658(S) The handle to an object was closed.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4658(S): The handle to an object was closed.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4658.png" alt="Event 4658 illustration" width="449" height="463" hspace="10" align="left" />
***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Handle Manipulation](audit-handle-manipulation.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
***Event Description:***
This event generates when the handle to an object is closed. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if Success auditing is enabled for [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory.
Typically this event is needed if you need to know how long the handle to the object was open. Otherwise, it might not have any security relevance.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4658</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-22T00:15:42.910428100Z" />
<EventRecordID>276724</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="5056" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x18a8</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “close objects handle” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “close objects handle” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Object**:
- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that requested that the handle be closed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
## Security Monitoring Recommendations
For 4658(S): The handle to an object was closed.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
- This event can be used to track all actions or operations related to a specific object handle.
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”

133
windows/keep-secure/event-4660.md Normal file
View File

@ -0,0 +1,133 @@
---
title: 4660(S) An object was deleted. (Windows 10)
description: Describes security event 4660(S) An object was deleted.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4660(S): An object was deleted.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4660.png" alt="Event 4660 illustration" width="449" height="477" hspace="10" align="left" />
***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), and [Audit Registry](audit-registry.md)
***Event Description:***
This event generates when an object was deleted. The object could be a file system, kernel, or registry object.
This event generates only if “Delete" auditing is set in objects [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx).
This event doesnt contain the name of the deleted object (only the **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object” with DELETE access to track object deletion.
The advantage of this event is that its generated only during real delete operations. In contrast, “4663(S): An attempt was made to access an object” also generates during other actions, such as object renaming.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4660</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T21:05:28.677152100Z" />
<EventRecordID>270188</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="3060" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="HandleId">0x1678</Data>
<Data Name="ProcessId">0xef0</Data>
<Data Name="ProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “delete object” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “delete object” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Object**:
- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that deleted the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
<!-- -->
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4656](event-4656.md)(S, F): A handle to an object was requested.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
## Security Monitoring Recommendations
For 4660(S): An object was deleted.
- This event doesnt contains the name of deleted object (only **Handle ID**). It is better to use “[4663](event-4663.md)(S): An attempt was made to access an object.” events with DELETE access to track object deletion actions.
- For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.

220
windows/keep-secure/event-4661.md Normal file
View File

@ -0,0 +1,220 @@
---
title: 4661(S, F) A handle to an object was requested. (Windows 10)
description: Describes security event 4661(S, F) A handle to an object was requested.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4661(S, F): A handle to an object was requested.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4661.png" alt="Event 4661 illustration" width="449" height="661" hspace="10" align="left" />
***Subcategories:***&nbsp;[Audit Directory Service Access](audit-directory-service-access.md) and [Audit SAM](audit-sam.md)
***Event Description:***
This event indicates that a handle was requested for either an Active Directory object or a Security Account Manager (SAM) object.
If access was declined, then Failure event is generated.
This event generates only if Success auditing is enabled for the [Audit Handle Manipulation](audit-handle-manipulation.md) subcategory.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML***:
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4661</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-30T00:11:56.547696700Z" />
<EventRecordID>1048009</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="528" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4280e</Data>
<Data Name="ObjectServer">Security Account Manager</Data>
<Data Name="ObjectType">SAM\_DOMAIN</Data>
<Data Name="ObjectName">DC=contoso,DC=local</Data>
<Data Name="HandleId">0xdd64d36870</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="AccessList">%%5400</Data>
<Data Name="AccessMask">0x2d</Data>
<Data Name="PrivilegeList">Ā</Data>
<Data Name="Properties">-</Data>
<Data Name="RestrictedSidCount">2949165</Data>
<Data Name="ProcessId">0x9000a000d002d</Data>
<Data Name="ProcessName">{bf967a90-0de6-11d0-a285-00aa003049e2} %%5400 {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501}</Data>
</EventData>
</Event>
```
***Required Server Roles:*** For an Active Directory object, the domain controller role is required. For a SAM object, there is no required role.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested a handle to an object.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Object**:
- **Object Server** \[Type = UnicodeString\]: has “**Security Account Manager**” value for this event.
- **Object Type** \[Type = UnicodeString\]: the type or class of the object that was accessed. The following list contains possible values for this field:
- SAM\_ALIAS - a local group.
- SAM\_GROUP - a group that is not a local group.
- SAM\_USER - a user account.
- SAM\_DOMAIN - a domain. For Active Directory events, this is the typical value.
- SAM\_SERVER - a computer account.
- **Object Name** \[Type = UnicodeString\]: the name of an object for which access was requested. Depends on **Object Type.** This event can have the following format:
- SAM\_ALIAS SID of the group.
- SAM\_GROUP - SID of the group.
- SAM\_USER - SID of the account.
- SAM\_DOMAIN distinguished name of the accessed object.
- SAM\_SERVER - distinguished name of the accessed object.
> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
> • DC - domainComponent
> • CN - commonName
> • OU - organizationalUnitName
> • O - organizationName
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4662](event-4662.md): An operation was performed on an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that requested the handle. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Access Request Information:**
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
| Privilege Name | User Right Group Policy Name | Description |
|---------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE |
| SeChangeNotifyPrivilege | Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| SeCreateGlobalPrivilege | Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| SeCreatePagefilePrivilege | Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
| SeCreatePermanentPrivilege | Create permanent shared objects | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
| SeCreateSymbolicLinkPrivilege | Create symbolic links | Required to create a symbolic link. |
| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
| SeIncreaseBasePriorityPrivilege | Increase scheduling priority | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
| SeIncreaseQuotaPrivilege | Adjust memory quotas for a process | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process. |
| SeIncreaseWorkingSetPrivilege | Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
| SeLockMemoryPrivilege | Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
| SeMachineAccountPrivilege | Add workstations to domain | With this privilege, the user can create a computer account.<br>This privilege is valid only on domain controllers. |
| SeManageVolumePrivilege | Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
| SeProfileSingleProcessPrivilege | Profile single process | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
| SeRelabelPrivilege | Modify an object label | Required to modify the mandatory integrity level of an object. |
| SeRemoteShutdownPrivilege | Force shutdown from a remote system | Required to shut down a system using a network request. |
| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log. |
| SeShutdownPrivilege | Shut down the system | Required to shut down a local system. |
| SeSyncAgentPrivilege | Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
| SeSystemProfilePrivilege | Profile system performance | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
| SeSystemtimePrivilege | Change the system time | Required to modify the system time.<br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
| SeTimeZonePrivilege | Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| SeTrustedCredManAccessPrivilege | Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| SeUndockPrivilege | Remove computer from docking station | Required to undock a laptop.<br>With this privilege, the user can undock a portable computer from its docking station without logging on. |
| SeUnsolicitedInputPrivilege | Not applicable | Required to read unsolicited input from a [*terminal*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721627(v=vs.85).aspx#_security_terminal_gly) device. |
- **Properties** \[Type = UnicodeString\]: depends on **Object Type**. This field can be empty or contain the list of the object properties that were accessed. See more detailed information in “[4661](event-4661.md): A handle to an object was requested” from [Audit SAM](audit-sam.md) subcategory.
- **Restricted SID Count** \[Type = UInt32\]: Number of [restricted SIDs](https://msdn.microsoft.com/en-us/library/windows/desktop/aa446583(v=vs.85).aspx) in the token. Applicable to only specific **Object Types**.
## Security Monitoring Recommendations
For 4661(S, F): A handle to an object was requested.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.

248
windows/keep-secure/event-4662.md Normal file
View File

@ -0,0 +1,248 @@
---
title: 4662(S, F) An operation was performed on an object. (Windows 10)
description: Describes security event 4662(S, F) An operation was performed on an object.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4662(S, F): An operation was performed on an object.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4662.png" alt="Event 4662 illustration" width="496" height="614" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Directory Service Access](audit-directory-service-access.md)
***Event Description:***
This event generates every time when an operation was performed on an Active Directory object.
This event generates only if appropriate [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) was set for Active Directory object and performed operation meets this SACL.
If operation failed then Failure event will be generated.
You will get one 4662 for each operation type which was performed.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4662</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14080</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-28T01:58:36.894922400Z" />
<EventRecordID>407230</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="600" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x35867</Data>
<Data Name="ObjectServer">DS</Data>
<Data Name="ObjectType">%{bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="ObjectName">%{38b3d2e6-9948-4dc1-ae90-1605d5eab9a2}</Data>
<Data Name="OperationType">Object Access</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessList">%%1537</Data>
<Data Name="AccessMask">0x10000</Data>
<Data Name="Properties">%%1537 {bf967a86-0de6-11d0-a285-00aa003049e2}</Data>
<Data Name="AdditionalInfo">-</Data>
<Data Name="AdditionalInfo2" />
</EventData>
</Event>
```
***Required Server Roles:*** Active Directory domain controller.
***Minimum OS Version:*** Windows Server 2008.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Object:**
- **Object Server** \[Type = UnicodeString\]: has “**DS**” value for this event.
- **Object Type** \[Type = UnicodeString\]: type or class of the object that was accessed. Some of the common Active Directory object types and classes are:
- container for containers.
- user for users.
- group for groups.
- domainDNS for domain object.
- groupPolicyContainer for group policy objects.
For all possible values of **Object Type** open Active Directory Schema snap-in (see how to enable this snap-in: <https://technet.microsoft.com/en-us/library/Cc755885(v=WS.10).aspx)> and navigate to **Active Directory Schema\\Classes**. Or use this document: <https://msdn.microsoft.com/en-us/library/cc221630.aspx>
- **Object Name** \[Type = UnicodeString\]: distinguished name of the object that was accessed.
> **Note**&nbsp;&nbsp;The LDAP API references an LDAP object by its **distinguished name (DN)**. A DN is a sequence of relative distinguished names (RDN) connected by commas.
> An RDN is an attribute with an associated value in the form attribute=value; . These are examples of RDNs attributes:
> • DC - domainComponent
> • CN - commonName
> • OU - organizationalUnitName
> • O - organizationName
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4661](event-4661.md): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
**Operation:**
- **Operation Type** \[Type = UnicodeString\]: the type of operation which was performed on an object. Typically has “**Object Access”** value for this event.
- **Accesses** \[Type = UnicodeString\]: the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the type of access used for the operation. See “Table 9. Active Directory Access Codes and Rights.” for more information.
| <span id="Active_Directory_Access_Codes_and_Types" class="anchor"></span>Access Mask | Access Name | Description |
|--------------------------------------------------------------------------------------|--------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| 0x1 | Create Child | The right to create child objects of the object. |
| 0x2 | Delete Child | The right to delete child objects of the object. |
| 0x4 | List Contents | The right to list child objects of this object. |
| 0x8 | SELF | The right to perform an operation controlled by a validated write access right. |
| 0x10 | Read Property | The right to read properties of the object. |
| 0x20 | Write Property | The right to write properties of the object. |
| 0x40 | Delete Tree | Delete all children of this object, regardless of the permissions of the children. It is indicates that “Use Delete Subtree server control” check box was checked during deletion. This operation means that all objects within the subtree, including all delete-protected objects, will be deleted. |
| 0x80 | List Object | The right to list a particular object. |
| 0x100 | Control Access | Access allowed only after extended rights checks supported by the object are performed.<br>The right to perform an operation controlled by an extended access right. |
| 0x10000 | DELETE | The right to delete the object. <br>DELETE also generated when object was moved. |
| 0x20000 | READ\_CONTROL | The right to read data from the security descriptor of the object, not including the data in the SACL. |
| 0x40000 | WRITE\_DAC | The right to modify the discretionary access-control list (DACL) in the object security descriptor. |
| 0x80000 | WRITE\_OWNER | The right to assume ownership of the object. The user must be an object trustee. The user cannot transfer the ownership to other users. |
| 0x100000 | SYNCHRONIZE | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. |
| 0x1000000 | ADS\_RIGHT\_ACCESS\_SYSTEM\_SECURITY | The right to get or set the SACL in the object security descriptor. |
| 0x80000000 | ADS\_RIGHT\_GENERIC\_READ | The right to read permissions on this object, read all the properties on this object, list this object name when the parent container is listed, and list the contents of this object if it is a container. |
| 0x40000000 | ADS\_RIGHT\_GENERIC\_WRITE | The right to read permissions on this object, write all the properties on this object, and perform all validated writes to this object. |
| 0x20000000 | ADS\_RIGHT\_GENERIC\_EXECUTE | The right to read permissions on, and list the contents of, a container object. |
| 0x10000000 | ADS\_RIGHT\_GENERIC\_ALL | The right to create or delete child objects, delete a subtree, read and write properties, examine child objects and the object itself, add and remove the object from the directory, and read or write with an extended right. |
> <span id="_Ref433797298" class="anchor"></span>Table 9. Active Directory Access Codes and Rights.
- **Properties** \[Type = UnicodeString\]: first part is the type of access that was used. Typically has the same value as **Accesses** field.
Second part is a tree of **GUID** values of Active Directory classes or property sets, for which operation was performed.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
To translate this GUID, use the following procedure:
- Perform the following LDAP search using LDP.exe tool:
- Base DN: CN=Schema,CN=Configuration,DC=XXX,DC=XXX
- Filter: (&(objectClass=\*)(schemaIDGUID=GUID))
- Perform the following operations with the GUID before using it in a search request:
- We have this GUID to search for: bf967a86-0de6-11d0-a285-00aa003049e2
- Take first 3 sections bf967a86-0de6-11d0.
- For each of these 3 sections you need to change (Invert) the order of bytes, like this 867a96bf-e60d-d011
- Add the last 2 sections without transformation: 867a96bf-e60d-d011-a285-00aa003049e2
- Delete - : 867a96bfe60dd011a28500aa003049e2
- Divide bytes with backslashes: \\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2
- Filter example: (&(objectClass=\*)(schemaIDGUID=\\86\\7a\\96\\bf\\e6\\0d\\d0\\11\\a2\\85\\00\\aa\\00\\30\\49\\e2))
- Scope: Subtree
- Attributes: schemaIDGUID
<img src="images/schema-search.png" alt="Schema search illustration" width="313" height="212" />
Sometimes GUID refers to pre-defined Active Directory Property Sets, you can find GUID (**Rights-GUID** field), “property set name” and details here: <https://msdn.microsoft.com/en-us/library/ms683990(v=vs.85).aspx>.
Here is an example of decoding of **Properties** field:
| Properties | Translation |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------|
| {bf967a86-0de6-11d0-a285-00aa003049e2}<br>{91e647de-d96f-4b70-9557-d63ff4f3ccd8}<br> {6617e4ac-a2f1-43ab-b60c-11fbd1facf05}<br> {b3f93023-9239-4f7c-b99c-6745d87adbc2}<br> {b8dfa744-31dc-4ef1-ac7c-84baf7ef9da7} | Computer<br>Private-Information property set<br>ms-PKI-RoamingTimeStamp<br>ms-PKI-DPAPIMasterKeys<br>ms-PKI-AccountCredentials |
**Additional Information:**
- **Parameter 1** \[Type = UnicodeString\]**:** there is no information about this field in this document.
- **Parameter 2** \[Type = UnicodeString\]**:** there is no information about this field in this document.
## Security Monitoring Recommendations
For 4662(S, F): An operation was performed on an object.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you need to monitor operations attempts to specific Active Directory classes, monitor for **Object Type** field with specific class name. For example, we recommend that you monitor all operations attempts to **domainDNS** class.
- If you need to monitor operations attempts to specific Active Directory objects, monitor for **Object Name** field with specific object name. For example, we recommend that you monitor all operations attempts to “**CN=AdminSDHolder,CN=System,DC=domain,DC=com”** object.
- Some access types are more important to monitor, for example:
- Write Property
- Control Access
- DELETE
- WRITE\_DAC
- WRITE\_OWNER
You can decide to monitor these (or one of these) access types for specific Active Directory objects. To do so, monitor for **Accesses** field with specific access type.
- If you need to monitor operations attempts to specific Active Directory properties, monitor for **Properties** field with specific property GUID.
- Do not forget that **Failure** attempts are also very important to audit. Decide where you want to monitor Failure attempts based on previous recommendations.

223
windows/keep-secure/event-4663.md Normal file
View File

@ -0,0 +1,223 @@
---
title: 4663(S) An attempt was made to access an object. (Windows 10)
description: Describes security event 4663(S) An attempt was made to access an object.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4663(S): An attempt was made to access an object.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4663.png" alt="Event 4663 illustration" width="530" height="589" hspace="10" align="left" />
***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), and [Audit Removable Storage](audit-removable-storage.md)
***Event Description:***
This event indicates that a specific operation was performed on an object. The object could be a file system, kernel, or registry object, or a file system object on removable storage or a device.
This event generates only if objects [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) has required ACE to handle specific access right use.
The main difference with “[4656](event-4656.md): A handle to an object was requested.” event is that 4663 shows that access right was used instead of just requested and 4663 doesnt have Failure events.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4663</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T22:13:54.770429700Z" />
<EventRecordID>273866</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x4367b</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\HBI Data.txt</Data>
<Data Name="HandleId">0x1bc</Data>
<Data Name="AccessList">%%4417 %%4418</Data>
<Data Name="AccessMask">0x6</Data>
<Data Name="ProcessId">0x458</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ResourceAttributes">S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:***
- 0 - Windows Server 2008, Windows Vista.
- 1 - Windows Server 2012, Windows 8.
- Added “Resource Attributes” field.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to access an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to access an object.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Object**:
- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
- **Object Type** \[Type = UnicodeString\]: The type of object that was accessed during the operation.
The following table contains the list of the most common **Object Types**:
| Directory | Event | Timer | Device |
|-------------------------|--------------|----------------------|--------------|
| Mutant | Type | File | Token |
| Thread | Section | WindowStation | DebugObject |
| FilterCommunicationPort | EventPair | Driver | IoCompletion |
| Controller | SymbolicLink | WmiGuid | Process |
| Profile | Desktop | KeyedEvent | Adapter |
| Key | WaitablePort | Callback | Semaphore |
| Job | Port | FilterConnectionPort | ALPC Port |
- **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which access was requested. For example, for a file, the path would be included.
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can be used for correlation with other events, for example with **Handle ID** field in “[4656](event-4656.md)(S, F): A handle to an object was requested.” This parameter might not be captured in the event, and in that case appears as “0x0”.
- **Resource Attributes** \[Type = UnicodeString\] \[Version 1\]: attributes associated with the object. For some objects, the field does not apply and “-“ is displayed.
For example, for a file, the following might be displayed: S:AI(RA;ID;;;;WD;("Impact\_MS",TI,0x10020,3000))
- Impact\_MS: Resource Property ***ID***.
- 3000: Recourse Property ***Value***.
<img src="images/impact-property.png" alt="Impact property illustration" width="886" height="592" />
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that accessed the object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Access Request Information:**
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were used by **Subject\\Security ID**. These access rights depend on **Object Type**. The following table contains information about the most common access rights for file system objects. Access rights for registry objects are often similar to file system objects, but the table contains a few notes about how they vary.
| Access | Hex Value,<br>Schema Value | Description |
|----------------------------------------------------------------------------------------|-----------------------------|---------------------|
| ReadData (or ListDirectory) <br><br>(For registry objects, this is “Query key value.”) | 0x1,<br>%%4416 | **ReadData -** For a file object, the right to read the corresponding file data. For a directory object, the right to read the corresponding directory data.<br>**ListDirectory -** For a directory, the right to list the contents of the directory. |
| WriteData (or AddFile) <br><br>(For registry objects, this is “Set key value.”) | 0x2,<br>%%4417 | **WriteData -** For a file object, the right to write data to the file. For a directory object, the right to create a file in the directory (**FILE\_ADD\_FILE**).<br>**AddFile -** For a directory, the right to create a file in the directory. |
| AppendData (or AddSubdirectory or CreatePipeInstance) | 0x4,<br>%%4418 | **AppendData -** For a file object, the right to append data to the file. (For local files, write operations will not overwrite existing data if this flag is specified without **FILE\_WRITE\_DATA**.) For a directory object, the right to create a subdirectory (**FILE\_ADD\_SUBDIRECTORY**). <br>**AddSubdirectory -** For a directory, the right to create a subdirectory.<br>**CreatePipeInstance -** For a named pipe, the right to create a pipe. |
| ReadEA<br>(For registry objects, this is “Enumerate sub-keys.”) | 0x8,<br>%%4419 | The right to read extended file attributes. |
| WriteEA | 0x10,<br>%%4420 | The right to write extended file attributes. |
| Execute/Traverse | 0x20,<br>%%4421 | **Execute** - For a native code file, the right to execute the file. This access right given to scripts may cause the script to be executable, depending on the script interpreter.<br>**Traverse -** For a directory, the right to traverse the directory. By default, users are assigned the **BYPASS\_TRAVERSE\_CHECKING**&thinsp; [privilege](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379306(v=vs.85).aspx), which ignores the **FILE\_TRAVERSE**&thinsp; [access right](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374902(v=vs.85).aspx). See the remarks in [File Security and Access Rights](https://msdn.microsoft.com/en-us/library/windows/desktop/aa364399(v=vs.85).aspx) for more information. |
| DeleteChild | 0x40,<br>%%4422 | For a directory, the right to delete a directory and all the files it contains, including read-only files. |
| ReadAttributes | 0x80,<br>%%4423 | The right to read file attributes. |
| WriteAttributes | 0x100,<br>%%4424 | The right to write file attributes. |
| DELETE | 0x10000,<br>%%1537 | The right to delete the object. |
| READ\_CONTROL | 0x20000,<br>%%1538 | The right to read the information in the object's security descriptor, not including the information in the system access control list (SACL). |
| WRITE\_DAC | 0x40000,<br>%%1539 | The right to modify the discretionary access control list (DACL) in the object's security descriptor. |
| WRITE\_OWNER | 0x80000,<br>%%1540 | The right to change the owner in the object's security descriptor |
| SYNCHRONIZE | 0x100000,<br>%%1541 | The right to use the object for synchronization. This enables a thread to wait until the object is in the signaled state. Some object types do not support this access right. |
| ACCESS\_SYS\_SEC | 0x1000000,<br>%%1542 | The ACCESS\_SYS\_SEC access right controls the ability to get or set the SACL in an object's security descriptor. |
> Table 15. File System objects access rights.
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the requested or performed operation. For more information, see the preceding table.
## Security Monitoring Recommendations
For 4663(S): An attempt was made to access an object.
For kernel objects, this event and other auditing events have little to no security relevance and are hard to parse or analyze. There is no recommendation for auditing them, unless you know exactly what you need to monitor at the Kernel objects level.
For other types of objects, the following recommendations apply.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have critical file system objects for which you need to monitor all access attempts, monitor this event for **Object Name**.
- If you have critical file system objects for which you need to monitor certain access attempts (for example, write actions), monitor this event for **Object Name** in relation to **Access Request Information\\Accesses**.
- If you have file system objects with specific attributes, for which you need to monitor access attempts, monitor this event for **Resource Attributes**.
- If **Object Name** is a sensitive or critical registry key for which you need to monitor specific access attempts (for example, only write actions), monitor for all [4663](event-4663.md) events with the corresponding **Access Request Information\\Accesses**.
<!-- -->
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- For file system objects, we recommend that you monitor for these **Access Request Information\\Accesses** rights:
- WriteData (or AddFile)
- AppendData (or AddSubdirectory or CreatePipeInstance)
- WriteEA
- DeleteChild
- WriteAttributes
- DELETE
- WRITE\_DAC
- WRITE\_OWNER

109
windows/keep-secure/event-4664.md Normal file
View File

@ -0,0 +1,109 @@
---
title: 4664(S) An attempt was made to create a hard link. (Windows 10)
description: Describes security event 4664(S) An attempt was made to create a hard link.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4664(S): An attempt was made to create a hard link.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4664.png" alt="Event 4664 illustration" width="449" height="419" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit File System](audit-file-system.md)
***Event Description:***
This event generates when an NTFS hard link was successfully created.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4664</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12800</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-21T23:50:26.871375900Z" />
<EventRecordID>276680</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="2624" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="FileName">C:\\notepad.exe</Data>
<Data Name="LinkName">C:\\Docs\\My.exe</Data>
<Data Name="TransactionId">{00000000-0000-0000-0000-000000000000}</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to create the hard link. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to create the hard link.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Link Information:**
- **File Name** \[Type = UnicodeString\]**:** the name of a file or folder that new hard link refers to.
- **Link Name** \[Type = UnicodeString\]**:** full path name with new hard link file name.
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
> **Note**&nbsp;&nbsp;**GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
## Security Monitoring Recommendations
For 4664(S): An attempt was made to create a hard link.
- We recommend monitoring for any [4664](event-4664.md) event, because this action is not typical for normal operating system behavior and can be a sign of malicious activity.

274
windows/keep-secure/event-4670.md Normal file
View File

@ -0,0 +1,274 @@
---
title: 4670(S) Permissions on an object were changed. (Windows 10)
description: Describes security event 4670(S) Permissions on an object were changed.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4670(S): Permissions on an object were changed.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4670.png" alt="Event 4670 illustration" width="449" height="605" hspace="10" align="left" />
***Subcategories:***&nbsp;[Audit File System](audit-file-system.md), [Audit Registry](audit-registry.md), [Audit Authentication Policy Change](audit-authentication-policy-change.md), and [Audit Authorization Policy Change](audit-authorization-policy-change.md)
***Event Description:***
This event generates when the permissions for an object are changed. The object could be a file system, registry, or security token object.
This event does not generate if the [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx) (Auditing ACL) was changed.
Before this event can generate, certain ACEs might need to be set in the objects [SACL](https://msdn.microsoft.com/en-us/library/windows/desktop/aa374872(v=vs.85).aspx). For example, for a file system object, it generates only if “Change Permissions" and/or "Take Ownership” are set in the objects SACL. For a registry key, it generates only if “Write DAC" and/or "Write Owner” are set in the objects SACL.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4670</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13570</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-18T19:36:50.187044600Z" />
<EventRecordID>269529</EventRecordID>
<Correlation />
<Execution ProcessID="516" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x43659</Data>
<Data Name="ObjectServer">Security</Data>
<Data Name="ObjectType">File</Data>
<Data Name="ObjectName">C:\\Documents\\netcat-1.11</Data>
<Data Name="HandleId">0x3f0</Data>
<Data Name="OldSd">D:AI(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="NewSd">D:ARAI(A;OICI;FA;;;WD)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-2104)(A;OICIID;FA;;;S-1-5-21-3457937927-2839227994-823803824-1104)(A;OICIID;FA;;;SY)(A;OICIID;FA;;;BA)</Data>
<Data Name="ProcessId">0xdb0</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\dllhost.exe</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change objects permissions” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change objects permissions” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Object**:
- **Object Server** \[Type = UnicodeString\]: has “**Security**” value for this event.
- **Object Type** \[Type = UnicodeString\]: The type of an object that was accessed during the operation.
The following table contains the list of the most common **Object Types**:
| Directory | Event | Timer | Device |
|-------------------------|--------------|----------------------|--------------|
| Mutant | Type | File | Token |
| Thread | Section | WindowStation | DebugObject |
| FilterCommunicationPort | EventPair | Driver | IoCompletion |
| Controller | SymbolicLink | WmiGuid | Process |
| Profile | Desktop | KeyedEvent | Adapter |
| Key | WaitablePort | Callback | Semaphore |
| Job | Port | FilterConnectionPort | ALPC Port |
- **Object Name** \[Type = UnicodeString\]: name and other identifying information for the object for which permissions were changed. For example, for a file, the path would be included. For Token objects, this field typically equals “-“.
- **Handle ID** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “[4663](event-4663.md)(S): An attempt was made to access an object.” This parameter might not be captured in the event, and in that case appears as “0x0”.
**Process:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process through which the permissions were changed. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Permissions Change:**
- **Original Security Descriptor** \[Type = UnicodeString\]**:** the old Security Descriptor Definition Language (SDDL) value for the object.
- **New Security Descriptor** \[Type = UnicodeString\]**:** the new Security Descriptor Definition Language (SDDL) value for the object.
> **Note**&nbsp;&nbsp;The ** Security Descriptor Definition Language (SDDL)** defines string elements for enumerating information contained in the security descriptor.
> Example:
> *O*:BA*G*:SY*D*:(D;;0xf0007;;;AN)(D;;0xf0007;;;BG)(A;;0xf0007;;;SY)(A;;0×7;;;BA)*S*:ARAI(AU;SAFA;DCLCRPCRSDWDWO;;;WD)
> - *O*: = Owner. SID of specific security principal, or reserved (pre-defined) value, for example: BA (BUILTIN\_ADMINISTRATORS), WD (Everyone), SY (LOCAL\_SYSTEM), etc.
> See the list of possible values in the table below:
| Value | Description | Value | Description |
|-------|--------------------------------------|-------|---------------------------------|
| "AO" | Account operators | "PA" | Group Policy administrators |
| "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user |
| "AN" | Anonymous logon | "LA" | Local administrator |
| "AU" | Authenticated users | "LG" | Local guest |
| "BA" | Built-in administrators | "LS" | Local service account |
| "BG" | Built-in guests | "SY" | Local system |
| "BO" | Backup operators | "NU" | Network logon user |
| "BU" | Built-in users | "NO" | Network configuration operators |
| "CA" | Certificate server administrators | "NS" | Network service account |
| "CG" | Creator group | "PO" | Printer operators |
| "CO" | Creator owner | "PS" | Personal self |
| "DA" | Domain administrators | "PU" | Power users |
| "DC" | Domain computers | "RS" | RAS servers group |
| "DD" | Domain controllers | "RD" | Terminal server users |
| "DG" | Domain guests | "RE" | Replicator |
| "DU" | Domain users | "RC" | Restricted code |
| "EA" | Enterprise administrators | "SA" | Schema administrators |
| "ED" | Enterprise domain controllers | "SO" | Server operators |
| "WD" | Everyone | "SU" | Service logon user |
- *G*: = Primary Group.
- *D*: = DACL Entries.
- *S*: = SACL Entries.
*DACL/SACL entry format:* entry\_type:inheritance\_flags(ace\_type;ace\_flags;rights;object\_guid;inherit\_object\_guid;account\_sid)
Example: D:(A;;FA;;;WD)
- entry\_type:
“D” - DACL
“S” - SACL
- inheritance\_flags:
"P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked.
"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set.
"AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object.
- ace\_type:
"A" - ACCESS ALLOWED
"D" - ACCESS DENIED
"OA" - OBJECT ACCESS ALLOWED: only applies to a subset of the object(s).
"OD" - OBJECT ACCESS DENIED: only applies to a subset of the object(s).
"AU" - SYSTEM AUDIT
"A" - SYSTEM ALARM
"OU" - OBJECT SYSTEM AUDIT
"OL" - OBJECT SYSTEM ALARM
- ace\_flags:
"CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE.
"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE.
"NP" - NO PROPAGATE: only immediate children inherit this ace.
"IO" - INHERITANCE ONLY: ace doesnt apply to this object, but may affect children via inheritance.
"ID" - ACE IS INHERITED
"SA" - SUCCESSFUL ACCESS AUDIT
"FA" - FAILED ACCESS AUDIT
- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc.
| Value | Description | Value | Description |
|----------------------------|---------------------------------|----------------------|--------------------------|
| Generic access rights | Directory service access rights |
| "GA" | GENERIC ALL | "RC" | Read Permissions |
| "GR" | GENERIC READ | "SD" | Delete |
| "GW" | GENERIC WRITE | "WD" | Modify Permissions |
| "GX" | GENERIC EXECUTE | "WO" | Modify Owner |
| File access rights | "RP" | Read All Properties |
| "FA" | FILE ALL ACCESS | "WP" | Write All Properties |
| "FR" | FILE GENERIC READ | "CC" | Create All Child Objects |
| "FW" | FILE GENERIC WRITE | "DC" | Delete All Child Objects |
| "FX" | FILE GENERIC EXECUTE | "LC" | List Contents |
| Registry key access rights | "SW" | All Validated Writes |
| "KA" | "LO" | "LO" | List Object |
| "K" | KEY READ | "DT" | Delete Subtree |
| "KW" | KEY WRITE | "CR" | All Extended Rights |
| "KX" | KEY EXECUTE | | |
- object\_guid: N/A
- inherit\_object\_guid: N/A
- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details.
For more information about SDDL syntax, see these articles: <https://msdn.microsoft.com/en-us/library/cc230374.aspx>, <https://msdn.microsoft.com/en-us/library/windows/hardware/aa374892(v=vs.85).aspx>.
## Security Monitoring Recommendations
For 4670(S): Permissions on an object were changed.
For token objects, this is typically an informational event, and at the same time it is difficult to identify which token's permission were changed. For token objects, there are no monitoring recommendations for this event in this document.
For file system and registry objects, the following recommendations apply.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- If you have critical registry objects for which you need to monitor all modifications (especially permissions changes and owner changes), monitor for the specific **Object\\Object Name.**
- If you have high-value computers for which you need to monitor all changes for all or specific objects (for example, file system or registry objects), monitor for all [4670](event-4670.md) events on these computers**.** For example, you could monitor the **ntds.dit** file on domain controllers.

21
windows/keep-secure/event-4671.md Normal file
View File

@ -0,0 +1,21 @@
---
title: 4671(-) An application attempted to access a blocked ordinal through the TBS. (Windows 10)
description: Describes security event 4671(-) An application attempted to access a blocked ordinal through the TBS.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4671(-): An application attempted to access a blocked ordinal through the TBS.
**Applies to**
- Windows 10
- Windows Server 2016
Currently this event doesnt generate. It is a defined event, but it is never invoked by the operating system.
***Subcategory:***&nbsp;[Audit Other Object Access Events](audit-other-object-access-events.md)

149
windows/keep-secure/event-4672.md Normal file
View File

@ -0,0 +1,149 @@
---
title: 4672(S) Special privileges assigned to new logon. (Windows 10)
description: Describes security event 4672(S) Special privileges assigned to new logon.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4672(S): Special privileges assigned to new logon.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4672.png" alt="Event 4672 illustration" width="449" height="503" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Special Logon](audit-special-logon.md)
***Event Description:***
This event generates for new account logons if any of the following sensitive privileges are assigned to the new logon session:
- SeTcbPrivilege - Act as part of the operating system
- SeBackupPrivilege - Back up files and directories
- SeCreateTokenPrivilege - Create a token object
- SeDebugPrivilege - Debug programs
- SeEnableDelegationPrivilege - Enable computer and user accounts to be trusted for delegation
- SeAuditPrivilege - Generate security audits
- SeImpersonatePrivilege - Impersonate a client after authentication
- SeLoadDriverPrivilege - Load and unload device drivers
- SeSecurityPrivilege - Manage auditing and security log
- SeSystemEnvironmentPrivilege - Modify firmware environment values
- SeAssignPrimaryTokenPrivilege - Replace a process-level token
- SeRestorePrivilege - Restore files and directories,
- SeTakeOwnershipPrivilege - Take ownership of files or other objects
You typically will see many of these events in the event log, because every logon of SYSTEM (Local System) account triggers this event.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4672</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12548</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-11T01:10:57.091809600Z" />
<EventRecordID>237692</EventRecordID>
<Correlation />
<Execution ProcessID="504" ThreadID="524" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x671101</Data>
<Data Name="PrivilegeList">SeTcbPrivilege SeSecurityPrivilege SeTakeOwnershipPrivilege SeLoadDriverPrivilege SeBackupPrivilege SeRestorePrivilege SeDebugPrivilege SeSystemEnvironmentPrivilege SeEnableDelegationPrivilege SeImpersonatePrivilege</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account to which special privileges were assigned. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account to which special privileges were assigned.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Privileges** \[Type = UnicodeString\]**:** the list of sensitive privileges, assigned to the new logon. The following table contains the list of possible privileges for this event:
| Privilege Name | User Right Group Policy Name | Description |
|-------------------------------|----------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| SeAssignPrimaryTokenPrivilege | Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| SeAuditPrivilege | Generate security audits | With this privilege, the user can add entries to the security log. |
| SeBackupPrivilege | Back up files and directories | - Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system.<br>This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE |
| SeCreateTokenPrivilege | Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs.<br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
| SeDebugPrivilege | Debug programs | Required to debug and adjust the memory of a process owned by another account.<br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
| SeEnableDelegationPrivilege | Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation.<br>With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object.<br>The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
| SeImpersonatePrivilege | Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
| SeLoadDriverPrivilege | Load and unload device drivers | Required to load or unload a device driver.<br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
| SeRestorePrivilege | Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
| SeSecurityPrivilege | Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log.<br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys.<br>A user with this privilege can also view and clear the security log. |
| SeSystemEnvironmentPrivilege | Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
| SeTakeOwnershipPrivilege | Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object.<br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
| SeTcbPrivilege | Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base.<br>This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
## Security Monitoring Recommendations
For 4672(S): Special privileges assigned to new logon.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**.
- If you have a list of specific privileges which should never be granted, or granted only to a few accounts (for example, SeDebugPrivilege), use this event to monitor for those “**Privileges**.”
<!-- -->
- If you are required to monitor any of the sensitive privileges in the [Event Description for this event](event-4672.md), search for those specific privileges in the event.

196
windows/keep-secure/event-4673.md Normal file
View File

@ -0,0 +1,196 @@
---
title: 4673(S, F) A privileged service was called. (Windows 10)
description: Describes security event 4673(S, F) A privileged service was called.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4673(S, F): A privileged service was called.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4673.png" alt="Event 4673 illustration" width="449" height="503" hspace="10" align="left" />
***Subcategories:***&nbsp;[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
***Event Description:***
This event generates when an attempt was made to perform privileged system service operations.
This event generates, for example, when **SeSystemtimePrivilege**, **SeCreateGlobalPrivilege**, or **SeTcbPrivilege** privilege was used.
Failure event generates when service call attempt fails.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4673</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13056</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-10-09T00:37:36.434836600Z" />
<EventRecordID>1099777</EventRecordID>
<Correlation />
<Execution ProcessID="496" ThreadID="504" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="ObjectServer">NT Local Security Authority / Authentication Service</Data>
<Data Name="Service">LsaRegisterLogonProcess()</Data>
<Data Name="PrivilegeList">SeTcbPrivilege</Data>
<Data Name="ProcessId">0x1f0</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\lsass.exe</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Service**:
- **Server** \[Type = UnicodeString\]: contains the name of the Windows subsystem calling the routine. Subsystems examples are:
- Security
- Security Account Manager
- NT Local Security Authority / Authentication Service
- SC Manager
- Win32 SystemShutdown module
- LSA
- **Service Name** \[Type = UnicodeString\] \[Optional\]: supplies a name of the privileged subsystem service or function. For example, "RESET RUNTIME LOCAL SECURITY" might be specified by a **Local Security Authority** service used to update the local security policy database or **LsaRegisterLogonProcess()** might be specified by a **NT Local Security Authority / Authentication Service** used to register new logon process.
**Process:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted to call the privileged service. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Service Request Information**:
- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables:
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege: <br>**Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege: <br>**Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege: <br>**Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege: <br>**Create permanent shared objects | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege: <br>**Create symbolic links | Required to create a symbolic link. |
| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege: <br>**Increase scheduling priority | Required to increase the base priority of a process. <br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege: <br>**Adjust memory quotas for a process | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process. |
| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege: <br>**Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege: <br>**Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege: <br>**Add workstations to domain | With this privilege, the user can create a computer account. <br>This privilege is valid only on domain controllers. |
| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege: <br>**Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege: <br>**Profile single process | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege: <br>**Modify an object label | Required to modify the mandatory integrity level of an object. |
| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege: <br>**Force shutdown from a remote system | Required to shut down a system using a network request. |
| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege: <br>**Shut down the system | Required to shut down a local system. |
| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege: <br>**Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege: <br>**Profile system performance | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege: <br>**Change the system time | Required to modify the system time. With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. <br>If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege: <br>**Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege: <br>**Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| Audit Non Sensitive Privilege Use | **SeUndockPrivilege: <br>**Remove computer from docking station | Required to undock a laptop. <br>With this privilege, the user can undock a portable computer from its docking station without logging on. |
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|-------------------------------|-----------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege: <br>**Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| Audit Sensitive Privilege Use | **SeAuditPrivilege: <br>**Generate security audits | With this privilege, the user can add entries to the security log. |
| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege: <br>**Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
| Audit Sensitive Privilege Use | **SeDebugPrivilege: <br>**Debug programs | Required to debug and adjust the memory of a process owned by another account. With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. This user right provides complete access to sensitive and critical operating system components. |
| Audit Sensitive Privilege Use | **SeImpersonatePrivilege: <br>**Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege: <br>**Load and unload device drivers | Required to load or unload a device driver. With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege: <br>**Lock pages in memory | Required to lock physical pages in memory. With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege: <br>**Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
| Audit Sensitive Privilege Use | **SeTcbPrivilege: <br>**Act as part of the operating system | This privilege identifies its holder as part of the trusted computer base. This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. |
| Audit Sensitive Privilege Use | **SeEnableDelegationPrivilege: <br>**Enable computer and user accounts to be trusted for delegation | Required to mark user and computer accounts as trusted for delegation. With this privilege, the user can set the **Trusted for Deleg**ation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using the delegated credentials of a client, as long as the account of the client does not have the **Account cannot be delegated** account control flag set. |
## Security Monitoring Recommendations
For 4673(S, F): A privileged service was called.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events.
- If you need to monitor events related to specific Windows subsystems (“**Service\\Server**”), for example **NT Local Security Authority / Authentication Service** or **Security Account Manager**, monitor this event for the corresponding “**Service\\Server**.”
- If you need to monitor events related to specific Windows security services or functions (“**Service\\Service Name**”), for example **LsaRegisterLogonProcess()**, monitor this event for the corresponding “**Service\\Service Name**.”
<!-- -->
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- For a specific “**Subject\\Security ID**,” if there is a defined list of allowed privileges, monitor for “**Privileges**” that it should not be able to use.
- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.”
- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”

224
windows/keep-secure/event-4674.md Normal file
View File

@ -0,0 +1,224 @@
---
title: 4674(S, F) An operation was attempted on a privileged object. (Windows 10)
description: Describes security event 4674(S, F) An operation was attempted on a privileged object.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4674(S, F): An operation was attempted on a privileged object.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4674.png" alt="Event 4674 illustration" width="449" height="543" hspace="10" align="left" />
***Subcategories:***&nbsp;[Audit Sensitive Privilege Use](audit-sensitive-privilege-use.md) and [Audit Non Sensitive Privilege Use](audit-non-sensitive-privilege-use.md)
***Event Description:***
This event generates when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened.
This event generates, for example, when SeShutdownPrivilege, SeRemoteShutdownPrivilege, or SeSecurityPrivilege is used.
Failure event generates when operation attempt fails.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4674</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13056</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-10-09T00:22:36.237816000Z" />
<EventRecordID>1099680</EventRecordID>
<Correlation />
<Execution ProcessID="496" ThreadID="504" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-19</Data>
<Data Name="SubjectUserName">LOCAL SERVICE</Data>
<Data Name="SubjectDomainName">NT AUTHORITY</Data>
<Data Name="SubjectLogonId">0x3e5</Data>
<Data Name="ObjectServer">LSA</Data>
<Data Name="ObjectType">-</Data>
<Data Name="ObjectName">-</Data>
<Data Name="HandleId">0x0</Data>
<Data Name="AccessMask">16777216</Data>
<Data Name="PrivilegeList">SeSecurityPrivilege</Data>
<Data Name="ProcessId">0x1f0</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\lsass.exe</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested privileged operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested privileged operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Object**:
- **Object Server** \[Type = UnicodeString\] \[Optional\]: Contains the name of the Windows subsystem calling the routine. Subsystems examples are:
- Security
- Security Account Manager
- NT Local Security Authority / Authentication Service
- SC Manager
- Win32 SystemShutdown module
- LSA
- **Object Type** \[Type = UnicodeString\] \[Optional\]: The type of an object that was accessed during the operation.
The following table contains the list of the most common **Object Types**:
| Directory | Event | Timer | Device |
|-------------------------|--------------|----------------------|--------------------|
| Mutant | Type | File | Token |
| Thread | Section | WindowStation | DebugObject |
| FilterCommunicationPort | EventPair | Driver | IoCompletion |
| Controller | SymbolicLink | WmiGuid | Process |
| Profile | Desktop | KeyedEvent | SC\_MANAGER OBJECT |
| Key | WaitablePort | Callback | |
| Job | Port | FilterConnectionPort | |
| ALPC Port | Semaphore | Adapter | |
- **Object Name** \[Type = UnicodeString\] \[Optional\]: the name of the object that was accessed during the operation.
- **Object Handle** \[Type = Pointer\]: hexadecimal value of a handle to **Object Name**. This field can help you correlate this event with other events that might contain the same Handle ID, for example, “4656: A handle to an object was requested” event in appropriate/other subcategory. This parameter might not be captured in the event, and in that case appears as “0x0”.
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the operation on the privileged object. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
**Requested Operation**:
- **Desired Access** \[Type = UnicodeString\]: The desired access mask. This mask depends on **Object Server** and **Object Type** parameters values. The value of this parameter is in decimal format. There is no detailed information about this parameter in this document. If **Desired Access** is not presented, then this parameter will have “**0**” value.
- **Privileges** \[Type = UnicodeString\]: the list of user privileges which were requested. The possible privileges depend on the subcategory, either **Audit Non Sensitive Privilege Use** or **Audit Sensitive Privilege Use**, as shown in the following two tables:
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|-----------------------------------|----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Audit Non Sensitive Privilege Use | **SeChangeNotifyPrivilege: <br>**Bypass traverse checking | Required to receive notifications of changes to files or directories. This privilege also causes the system to skip all traversal access checks. <br>With this privilege, the user can traverse directory trees even though the user may not have permissions on the traversed directory. This privilege does not allow the user to list the contents of a directory, only to traverse directories. |
| Audit Non Sensitive Privilege Use | **SeCreateGlobalPrivilege: <br>**Create global objects | Required to create named file mapping objects in the global namespace during Terminal Services sessions. |
| Audit Non Sensitive Privilege Use | **SeCreatePagefilePrivilege: <br>**Create a pagefile | With this privilege, the user can create and change the size of a pagefile. |
| Audit Non Sensitive Privilege Use | **SeCreatePermanentPrivilege: <br>**Create permanent shared objects | Required to create a permanent object. <br>This privilege is useful to kernel-mode components that extend the object namespace. Components that are running in kernel mode already have this privilege inherently; it is not necessary to assign them the privilege. |
| Audit Non Sensitive Privilege Use | **SeCreateSymbolicLinkPrivilege: <br>**Create symbolic links | Required to create a symbolic link. |
| Audit Non Sensitive Privilege Use | **SeIncreaseBasePriorityPrivilege: <br>**Increase scheduling priority | Required to increase the base priority of a process.<br>With this privilege, the user can use a process with Write property access to another process to increase the execution priority assigned to the other process. A user with this privilege can change the scheduling priority of a process through the Task Manager user interface. |
| Audit Non Sensitive Privilege Use | **SeIncreaseQuotaPrivilege: <br>**Adjust memory quotas for a process | Required to increase the quota assigned to a process. <br>With this privilege, the user can change the maximum memory that can be consumed by a process. |
| Audit Non Sensitive Privilege Use | **SeIncreaseWorkingSetPrivilege: <br>**Increase a process working set | Required to allocate more memory for applications that run in the context of users. |
| Audit Non Sensitive Privilege Use | **SeLockMemoryPrivilege: <br>**Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
| Audit Non Sensitive Privilege Use | **SeMachineAccountPrivilege: <br>**Add workstations to domain | With this privilege, the user can create a computer account. This privilege is valid only on domain controllers. |
| Audit Non Sensitive Privilege Use | **SeManageVolumePrivilege: <br>**Perform volume maintenance tasks | Required to run maintenance tasks on a volume, such as remote defragmentation. |
| Audit Non Sensitive Privilege Use | **SeProfileSingleProcessPrivilege: <br>**Profile single process | Required to gather profiling information for a single process. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of non-system processes. |
| Audit Non Sensitive Privilege Use | **SeRelabelPrivilege: <br>**Modify an object label | Required to modify the mandatory integrity level of an object. |
| Audit Non Sensitive Privilege Use | **SeRemoteShutdownPrivilege: <br>**Force shutdown from a remote system | Required to shut down a system using a network request. |
| Audit Non Sensitive Privilege Use | **SeShutdownPrivilege: <br>**Shut down the system | Required to shut down a local system. |
| Audit Non Sensitive Privilege Use | **SeSyncAgentPrivilege: <br>**Synchronize directory service data | This privilege enables the holder to read all objects and properties in the directory, regardless of the protection on the objects and properties. By default, it is assigned to the Administrator and LocalSystem accounts on domain controllers. <br>With this privilege, the user can synchronize all directory service data. This is also known as Active Directory synchronization. |
| Audit Non Sensitive Privilege Use | **SeSystemProfilePrivilege: <br>**Profile system performance | Required to gather profiling information for the entire system. <br>With this privilege, the user can use performance monitoring tools to monitor the performance of system processes. |
| Audit Non Sensitive Privilege Use | **SeSystemtimePrivilege: <br>**Change the system time | Required to modify the system time. <br>With this privilege, the user can change the time and date on the internal clock of the computer. Users that are assigned this user right can affect the appearance of event logs. If the system time is changed, events that are logged will reflect this new time, not the actual time that the events occurred. |
| Audit Non Sensitive Privilege Use | **SeTimeZonePrivilege: <br>**Change the time zone | Required to adjust the time zone associated with the computer's internal clock. |
| Audit Non Sensitive Privilege Use | **SeTrustedCredManAccessPrivilege: <br>**Access Credential Manager as a trusted caller | Required to access Credential Manager as a trusted caller. |
| Audit Non Sensitive Privilege Use | **SeUndockPrivilege: <br>**Remove computer from docking station | Required to undock a laptop. <br>With this privilege, the user can undock a portable computer from its docking station without logging on. |
| **Subcategory of event** | **Privilege Name: <br>User Right Group Policy Name** | **Description** |
|-------------------------------|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Audit Sensitive Privilege Use | **SeAssignPrimaryTokenPrivilege: <br>**Replace a process-level token | Required to assign the [*primary token*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721603(v=vs.85).aspx#_security_primary_token_gly) of a process. <br>With this privilege, the user can initiate a process to replace the default token associated with a started subprocess. |
| Audit Sensitive Privilege Use | **SeAuditPrivilege: <br>**Generate security audits | With this privilege, the user can add entries to the security log. |
| Audit Sensitive Privilege Use | **SeBackupPrivilege: <br>**Back up files and directories | - Required to perform backup operations. <br>With this privilege, the user can bypass file and directory, registry, and other persistent object permissions for the purposes of backing up the system. This privilege causes the system to grant all read access control to any file, regardless of the [*access control list*](https://msdn.microsoft.com/en-us/library/windows/desktop/ms721532(v=vs.85).aspx#_security_access_control_list_gly) (ACL) specified for the file. Any access request other than read is still evaluated with the ACL. <br>The following access rights are granted if this privilege is held:<br>READ\_CONTROL<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_READ<br>FILE\_TRAVERSE |
| Audit Sensitive Privilege Use | **SeCreateTokenPrivilege: <br>**Create a token object | Allows a process to create a token which it can then use to get access to any local resources when the process uses NtCreateToken() or other token-creation APIs. <br>When a process requires this privilege, we recommend using the LocalSystem account (which already includes the privilege), rather than creating a separate user account and assigning this privilege to it. |
| Audit Sensitive Privilege Use | **SeDebugPrivilege: <br>**Debug programs | Required to debug and adjust the memory of a process owned by another account. <br>With this privilege, the user can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need this user right. Developers who are debugging new system components need this user right. <br>This user right provides complete access to sensitive and critical operating system components. |
| Audit Sensitive Privilege Use | **SeImpersonatePrivilege: <br>**Impersonate a client after authentication | With this privilege, the user can impersonate other accounts. |
| Audit Sensitive Privilege Use | **SeLoadDriverPrivilege: <br>**Load and unload device drivers | Required to load or unload a device driver. <br>With this privilege, the user can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. |
| Audit Sensitive Privilege Use | **SeLockMemoryPrivilege: <br>**Lock pages in memory | Required to lock physical pages in memory. <br>With this privilege, the user can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM). |
| Audit Sensitive Privilege Use | **SeRestorePrivilege: <br>**Restore files and directories | Required to perform restore operations. This privilege causes the system to grant all write access control to any file, regardless of the ACL specified for the file. Any access request other than write is still evaluated with the ACL. Additionally, this privilege enables you to set any valid user or group SID as the owner of a file. The following access rights are granted if this privilege is held:<br>WRITE\_DAC<br>WRITE\_OWNER<br>ACCESS\_SYSTEM\_SECURITY<br>FILE\_GENERIC\_WRITE<br>FILE\_ADD\_FILE<br>FILE\_ADD\_SUBDIRECTORY<br>DELETE<br>With this privilege, the user can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories and determines which users can set any valid security principal as the owner of an object. |
| Audit Sensitive Privilege Use | **SeSecurityPrivilege: <br>**Manage auditing and security log | Required to perform a number of security-related functions, such as controlling and viewing audit events in security event log. <br>With this privilege, the user can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. A user with this privilege can also view and clear the security log. |
| Audit Sensitive Privilege Use | **SeSystemEnvironmentPrivilege: <br>**Modify firmware environment values | Required to modify the nonvolatile RAM of systems that use this type of memory to store configuration information. |
| Audit Sensitive Privilege Use | **SeTakeOwnershipPrivilege: <br>**Take ownership of files or other objects | Required to take ownership of an object without being granted discretionary access. This privilege allows the owner value to be set only to those values that the holder may legitimately assign as the owner of an object. <br>With this privilege, the user can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. |
## Security Monitoring Recommendations
For 4674(S, F): An operation was attempted on a privileged object.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Monitor for this event where “**Subject\\Security ID**” is *not* one of these well-known security principals: LOCAL SYSTEM, NETWORK SERVICE, LOCAL SERVICE, and where “**Subject\\Security ID**” is not an administrative account that is expected to have the listed **Privileges**. Especially monitor Failure events.
<!-- -->
- If you need to monitor events related to specific Windows subsystems (“**Object Server**”), for example **LSA** or **Security Account Manager**, monitor this event for the corresponding “**Object Server**.”
- <span id="Reccomendations_Object_Type" class="anchor"></span>If you need to monitor events related to specific Windows object types (“**Object Type**”), for example **File** or **Key**, monitor this event for the corresponding “**Object Type**.”
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
<!-- -->
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
<!-- -->
- If you know that specific “**Subject\\Security ID**” should only be able to use the privileges in a pre-defined list, monitor for events in which “**Subject\\Security ID**” used “**Privileges**” that are not on that list.
<!-- -->
- If you have a list of specific user rights which should never be used, or used only by a few accounts (for example, SeDebugPrivilege), trigger an alert for those “**Privileges**.”
- If you have a list of specific user rights for which every use must be reported or monitored (for example, SeRemoteShutdownPrivilege), trigger an alert for those “**Privileges**.”

61
windows/keep-secure/event-4675.md Normal file
View File

@ -0,0 +1,61 @@
---
title: 4675(S) SIDs were filtered. (Windows 10)
description: Describes security event 4675(S) SIDs were filtered.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4675(S): SIDs were filtered.
**Applies to**
- Windows 10
- Windows Server 2016
This event generates when SIDs were filtered for specific Active Directory trust.
See more information about SID filtering here: <https://technet.microsoft.com/en-us/library/cc772633(v=ws.10).aspx>.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
There is no example of this event in this document.
***Subcategory:***&nbsp;[Audit Logon](audit-logon.md)
***Event Schema:***
*SIDs were filtered.*
*Target Account:*
> *Security ID:%1*
>
> *Account Name:%2*
>
> *Account Domain:%3*
*Trust Information:*
> *Trust Direction:%4*
>
> *Trust Attributes:%5*
>
> *Trust Type:%6*
>
> *TDO Domain SID:%7*
>
> *Filtered SIDs:%8*
***Required Server Roles:*** Active Directory domain controller.
***Minimum OS Version:*** Windows Server 2008.
***Event Versions:*** 0.
## Security Monitoring Recommendations
- If you need to monitor all SID filtering events/operations for specific or all Active Directory trusts, you can use this event to get all required information.

212
windows/keep-secure/event-4688.md Normal file
View File

@ -0,0 +1,212 @@
---
title: 4688(S) A new process has been created. (Windows 10)
description: Describes security event 4688(S) A new process has been created.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4688(S): A new process has been created.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4688.png" alt="Event 4688 illustration" width="417" height="479" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Process Creation](audit-process-creation.md)
***Event Description:***
This event generates every time a new process starts.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4688</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>13312</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-11-12T02:24:52.377352500Z" />
<EventRecordID>2814</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="400" />
<Channel>Security</Channel>
<Computer>WIN-GG82ULGC9GO.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">WIN-GG82ULGC9GO$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="NewProcessId">0x2bc</Data>
<Data Name="NewProcessName">C:\\Windows\\System32\\rundll32.exe</Data>
<Data Name="TokenElevationType">%%1938</Data>
<Data Name="ProcessId">0xe74</Data>
<Data Name="CommandLine" />
<Data Name="TargetUserSid">S-1-5-21-1377283216-344919071-3415362939-1104</Data>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetDomainName">CONTOSO</Data>
<Data Name="TargetLogonId">0x4a5af0</Data>
<Data Name="ParentProcessName">C:\\Windows\\explorer.exe</Data>
<Data Name="MandatoryLabel">S-1-16-8192</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:***
- 0 - Windows Server 2008, Windows Vista.
- 1 - Windows Server 2012 R2, Windows 8.1.
- Added “Process Command Line” field.
- 2 - Windows 10.
- **Subject** renamed to **Creator Subject**.
- Added “**Target Subject**” section.
- Added “**Mandatory Label**” field.
- Added “**Creator Process Name**” field.
***Field Descriptions:***
**Creator Subject** \[Value for versions 0 and 1 **Subject**\]**:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “create process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “create process” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Target Subject** \[Version 2\]**:**
> **Note**&nbsp;&nbsp;This event includes the principal of the process creator, but this is not always sufficient if the target context is different from the creator context. In that situation, the subject specified in the process termination event does not match the subject in the process creation event even though both events refer to the same process ID. Therefore, in addition to including the creator of the process, we will also include the target principal when the creator and target do not share the same logon.
- **Security ID** \[Type = SID\] \[Version 2\]**:** SID of target account. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\] \[Version 2\]**:** the name of the target account.
- **Account Domain** \[Type = UnicodeString\] \[Version 2\]**:** target accounts domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\] \[Version 2\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Process Information:**
- **New Process ID** \[Type = Pointer\]: hexadecimal Process ID of the new process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
> If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
- **New Process Name** \[Type = UnicodeString\]**:** full path and the name of the executable for the new process.
- **Token Elevation Type** \[Type = UnicodeString\]**: **
- **TokenElevationTypeDefault (1):** Type 1 is a full token with no privileges removed or groups disabled. A full token is only used if User Account Control is disabled or if the user is the built-in Administrator account (for which UAC disabled by default), service account or local system account.
- **TokenElevationTypeFull (2):** Type 2 is an elevated token with no privileges removed or groups disabled. An elevated token is used when User Account Control is enabled and the user chooses to start the program using Run as administrator. An elevated token is also used when an application is configured to always require administrative privilege or to always require maximum privilege, and the user is a member of the Administrators group.
- **TokenElevationTypeLimited (3):** Type 3 is a limited token with administrative privileges removed and administrative groups disabled. The limited token is used when User Account Control is enabled, the application does not require administrative privilege, and the user does not choose to start the program using Run as administrator.
- **Mandatory Label** \[Version 2\] \[Type = SID\]**:** SID of [integrity label](https://msdn.microsoft.com/en-us/library/windows/desktop/bb648648(v=vs.85).aspx) which was assigned to the new process. Can have one of the following values:
| SID | RID | RID label | Meaning |
|--------------|------------|----------------------------------------------|------------------------|
| S-1-16-0 | 0x00000000 | SECURITY\_MANDATORY\_UNTRUSTED\_RID | Untrusted. |
| S-1-16-4096 | 0x00001000 | SECURITY\_MANDATORY\_LOW\_RID | Low integrity. |
| S-1-16-8192 | 0x00002000 | SECURITY\_MANDATORY\_MEDIUM\_RID | Medium integrity. |
| S-1-16-8448 | 0x00002100 | SECURITY\_MANDATORY\_MEDIUM\_PLUS\_RID | Medium high integrity. |
| S-1-16-12288 | 0X00003000 | SECURITY\_MANDATORY\_HIGH\_RID | High integrity. |
| S-1-16-16384 | 0x00004000 | SECURITY\_MANDATORY\_SYSTEM\_RID | System integrity. |
| S-1-16-20480 | 0x00005000 | SECURITY\_MANDATORY\_PROTECTED\_PROCESS\_RID | Protected process. |
- **Creator Process ID** \[Type = Pointer\]**:** hexadecimal Process ID of the process which ran the new process. If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
> You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
- **Creator Process Name** \[Version 2\] \[Type = UnicodeString\]**:** full path and the name of the executable for the process.
- **Process Command Line** \[Version 1, 2\] \[Type = UnicodeString\]**:** contains the name of executable and arguments which were passed to it. You must enable “Administrative Templates\\System\\Audit Process Creation\\Include command line in process creation events” group policy to include command line in process creation events:
<img src="images/group-policy.png" alt="Group policy illustration" width="790" height="171" />
By default **Process Command Line** field is empty.
## Security Monitoring Recommendations
For 4688(S): A new process has been created.
| **Type of monitoring required** | **Recommendation** |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.<br>Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** (with other information) to monitor how or when a particular account is being used. |
| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor all events with the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that corresponds to the accounts that should never be used. |
| **Account whitelist**: You might have a specific whitelist of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “whitelist-only” action, review the **“Creator Subject\\Security ID”** and **“Target Subject\\Security ID”** for accounts that are outside the whitelist. |
| **Accounts of different types**: You might want to ensure that certain actions are performed only by certain account types, for example, local or domain account, machine or user account, vendor or employee account, and so on. | If this event corresponds to an action you want to monitor for certain account types, review the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** to see whether the account type is as expected. |
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor the specific events for the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** corresponding to accounts from another domain or “external” accounts. |
| **Restricted-use computers or devices**: You might have certain computers, machines, or devices on which certain people (accounts) should not typically perform any actions. | Monitor the target **Computer:** (or other target device) for actions performed by the **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** that you are concerned about. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor **“Creator Subject\\Security ID”** or **“Target Subject\\Security ID”** for names that dont comply with naming conventions. |
- If you have a pre-defined “**New** **Process Name**” or **“Creator Process Name**” for the process reported in this event, monitor all events with “**New** **Process Name**” or **“Creator Process Name**” not equal to your defined value.
- You can monitor to see if “**New** **Process Name**” or **“Creator Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in process names (for example “**mimikatz**” or “**cain.exe**”), check for these substrings in “**New** **Process Name**” or **“Creator Process Name**.”
- It can be unusual for a process to run using a local account in either **Creator Subject\\Security ID** or in **Target** **Subject\\Security ID**.
- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (1)** when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesnt contain the $ symbol**.** Typically this means that UAC is disabled for this account for some reason.
- Monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when **Subject\\Security ID** lists a real user account, for example when **Account Name** doesnt contain the $ symbol**.** This means that a user ran a program using administrative privileges.
- You can also monitor for **Token Elevation Type** with value **TokenElevationTypeDefault (2)** on standard workstations, when a computer object was used to run the process, but that computer object is not the same computer where the event occurs.
- If you need to monitor all new processes with a specific Mandatory Label, for example S-1-16-20480 (Protected process), check the “**Mandatory Label**” in this event.

119
windows/keep-secure/event-4689.md Normal file
View File

@ -0,0 +1,119 @@
---
title: 4689(S) A process has exited. (Windows 10)
description: Describes security event 4689(S) A process has exited.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4689(S): A process has exited.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4689.png" alt="Event 4689 illustration" width="449" height="421" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Process Termination](audit-process-termination.md)
***Event Description:***
This event generates every time a process has exited.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4689</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>13313</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-08-27T17:13:01.826339500Z" />
<EventRecordID>187030</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="144" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="SubjectUserName">dadmin</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x31365</Data>
<Data Name="Status">0x0</Data>
<Data Name="ProcessId">0xfb0</Data>
<Data Name="ProcessName">C:\\Windows\\System32\\notepad.exe</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that requested the “terminate process” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “terminate process” operation.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Process Information:**
- **Process ID** \[Type = Pointer\]: hexadecimal Process ID of the ended/terminated process. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md)(S): A new process has been created” **New Process ID** on this computer.
- **Process Name** \[Type = UnicodeString\]**:** full path and the executable name of the exited/terminated process.
- **Exit Status** \[Type = HexInt32\]**:** hexadecimal exit code of exited/terminated process. This exit code is unique for every application, check application documentation for more details. The exit code value for a process reflects the specific convention implemented by the application developer for that process.
## Security Monitoring Recommendations
For 4689(S): A process has exited.
> **Important**&nbsp;&nbsp;For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**).
- If you have a pre-defined list of restricted substrings or words in process names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Process Name**.”
- If you have a critical processes list for the computer, with the requirement that these processes must always run and not stop, you can monitor **Process Name** field in [4689](event-4689.md) events for these process names.

118
windows/keep-secure/event-4690.md Normal file
View File

@ -0,0 +1,118 @@
---
title: 4690(S) An attempt was made to duplicate a handle to an object. (Windows 10)
description: Describes security event 4690(S) An attempt was made to duplicate a handle to an object.
ms.pagetype: security
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
---
# 4690(S): An attempt was made to duplicate a handle to an object.
**Applies to**
- Windows 10
- Windows Server 2016
<img src="images/event-4690.png" alt="Event 4690 illustration" width="449" height="463" hspace="10" align="left" />
***Subcategory:***&nbsp;[Audit Handle Manipulation](audit-handle-manipulation.md)
***Event Description:***
This event generates if an attempt was made to duplicate a handle to an object.
> **Note**&nbsp;&nbsp;For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
<br clear="all">
***Event XML:***
```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4690</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12807</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2015-09-23T00:17:41.755998800Z" />
<EventRecordID>338632</EventRecordID>
<Correlation />
<Execution ProcessID="4" ThreadID="1100" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DC01$</Data>
<Data Name="SubjectDomainName">CONTOSO</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="SourceHandleId">0x438</Data>
<Data Name="SourceProcessId">0x674</Data>
<Data Name="TargetHandleId">0xd9c</Data>
<Data Name="TargetProcessId">0x4</Data>
</EventData>
</Event>
```
***Required Server Roles:*** None.
***Minimum OS Version:*** Windows Server 2008, Windows Vista.
***Event Versions:*** 0.
***Field Descriptions:***
**Subject:**
- **Security ID** \[Type = SID\]**:** SID of account that made an attempt to duplicate a handle to an object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
> **Note**&nbsp;&nbsp;A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security Identifiers](https://msdn.microsoft.com/en-us/library/windows/desktop/aa379571(v=vs.85).aspx).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that made an attempt to duplicate a handle to an object.
- **Account Domain** \[Type = UnicodeString\]**:** subjects domain or computer name. Formats vary, and include the following:
- Domain NETBIOS name example: CONTOSO
- Lowercase full domain name: contoso.local
- Uppercase full domain name: CONTOSO.LOCAL
- For some [well-known security principals](https://support.microsoft.com/en-us/kb/243330), such as LOCAL SERVICE or ANONYMOUS LOGON, the value of this field is “NT AUTHORITY”.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
- **Logon ID** \[Type = HexInt64\]**:** hexadecimal value that can help you correlate this event with recent events that might contain the same Logon ID, for example, “[4624](event-4624.md): An account was successfully logged on.”
**Source Handle Information:**
- **Source Handle ID** \[Type = Pointer\]: hexadecimal value of a handle which was duplicated. This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories.
- **Source Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Source Handle ID** before it was duplicated. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
<img src="images/task-manager.png" alt="Task manager illustration" width="585" height="375" />
If you convert the hexadecimal value to decimal, you can compare it to the values in Task Manager.
You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID**.
**New Handle Information:**
- **Target Handle ID** \[Type = Pointer\]: hexadecimal value of the new handle (the copy of **Source Handle ID**). This field can help you correlate this event with other events, for example “4663: An attempt was made to access an object” in [Audit File System](audit-file-system.md), [Audit Kernel Object](audit-kernel-object.md), [Audit Registry](audit-registry.md), [Audit Removable Storage](audit-removable-storage.md) or [Audit SAM](audit-sam.md) subcategories.
- **Target Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process which opened the **Target Handle ID**. Process ID (PID) is a number used by the operating system to uniquely identify an active process. You can also correlate this process ID with a process ID in other events, for example, “[4688](event-4688.md): A new process has been created” **Process Information\\New Process ID** field.
## Security Monitoring Recommendations
For 4690(S): An attempt was made to duplicate a handle to an object.
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with it.
- This event can be used to track all actions or operations related to a specific object handle.

Some files were not shown because too many files have changed in this diff Show More