---
title: Audit Audit the access of global system objects (Windows 10)
description: Describes the best practices, location, values, and security considerations for the Audit Audit the access of global system objects security policy setting.
ms.assetid: 20d40a79-ce89-45e6-9bb4-148f83958460
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
---

# Audit: Audit the access of global system objects

**Applies to**
- Windows 10

Describes the best practices, location, values, and security considerations for the **Audit: Audit the access of global system objects** security policy setting.

## Reference

If you enable this policy setting, a default system access control list (SACL) is applied when the device creates system objects such as mutexes, events, semaphores, and MS-DOS® devices. If you also enable the [Audit object access](basic-audit-object-access.md) audit setting, access to these system objects is audited.

Global system objects, also known as "base system objects" or "base named objects," are temporary kernel objects that have had names assigned to them by the application or system component that created them. These objects are most commonly used to synchronize multiple applications or multiple parts of a complex application. Because they have names, these objects are global in scope and, therefore, visible to all processes on the device. These objects all have a security descriptor, but typically their SACL is NULL (empty), so access to them is never audited. If you enable this policy setting and it takes effect at startup time, the kernel assigns a SACL to these objects when they are created.

The threat is that a globally visible named object, if incorrectly secured, might be acted on by a malicious program that knows the name of the object. For instance, if a synchronization object such as a mutex has a poorly constructed discretionary access control list (DACL), a malicious program can open that mutex by name and cause the program that created it to malfunction.
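The policy setting above addresses the auditing side of this threat; the other half is for the program that creates the object to give it a deliberate DACL instead of relying on the default descriptor. The following Windows PowerShell script is an added example, not code from the original article or from Microsoft: it builds a weak and a hardened DACL for a named mutex, shows both as SDDL, creates the object with the hardened one, and uses the `createdNew` result to detect that someone else already owns the name. The object name `Global\ExampleApp.SingleInstance` and the helper `New-MutexRule` are illustrative; Windows PowerShell 5.1 (.NET Framework) is assumed for the `Mutex(..., MutexSecurity)` constructor overload.

```powershell
# Added example (not part of the original article). Creates a named, globally
# visible mutex with an explicit DACL and detects name squatting.
# Assumes Windows PowerShell 5.1; the object name below is illustrative.

$objectName = 'Global\ExampleApp.SingleInstance'   # Global\ = visible in all sessions

$everyone = New-Object System.Security.Principal.SecurityIdentifier(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$creator  = [System.Security.Principal.WindowsIdentity]::GetCurrent().User

# Illustrative helper: an Allow ACE for one SID with the given MutexRights.
function New-MutexRule($sid, $rights) {
    New-Object System.Security.AccessControl.MutexAccessRule(
        $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow)
}

# Weak DACL: Everyone has FullControl, so any local process that knows the
# name can release, delete or re-ACL the mutex and break the owning program.
$weak = New-Object System.Security.AccessControl.MutexSecurity
$weak.AddAccessRule((New-MutexRule $everyone ([System.Security.AccessControl.MutexRights]::FullControl)))

# Hardened DACL: the creator keeps FullControl; everyone else may only
# Synchronize (wait on the mutex), not Modify, Delete or ChangePermissions.
$hardened = New-Object System.Security.AccessControl.MutexSecurity
$hardened.AddAccessRule((New-MutexRule $creator  ([System.Security.AccessControl.MutexRights]::FullControl)))
$hardened.AddAccessRule((New-MutexRule $everyone ([System.Security.AccessControl.MutexRights]::Synchronize)))

$dacl = [System.Security.AccessControl.AccessControlSections]::Access
"Weak DACL     : " + $weak.GetSecurityDescriptorSddlForm($dacl)
"Hardened DACL : " + $hardened.GetSecurityDescriptorSddlForm($dacl)

# Create (or open) the object with the hardened descriptor. If $createdNew is
# $false the name already existed: either an earlier legitimate instance or a
# squatter that created it first with a DACL of its own choosing.
$createdNew = $false
$mutex = New-Object System.Threading.Mutex($false, $objectName, [ref]$createdNew, $hardened)
try {
    if (-not $createdNew) {
        Write-Warning "$objectName already existed; its DACL was chosen by whoever created it:"
    }
    # Read back the descriptor actually attached to the kernel object (DACL only;
    # reading or writing the SACL would additionally need SeSecurityPrivilege).
    $mutex.GetAccessControl().GetSecurityDescriptorSddlForm($dacl)
}
finally {
    $mutex.Dispose()
}
```

The SDDL lines make the difference visible: the weak descriptor carries `(A;;GA;;;WD)` (generic all for World), while the hardened one grants World only `0x100000` (SYNCHRONIZE) and reserves the remaining rights for the creator's SID. The SACL that this policy setting assigns is deliberately left out of the script, because setting one from user mode requires SeSecurityPrivilege to be enabled in the token.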
However, the risk of this occurring is very low. Enabling this policy setting can generate a large number of security events, especially on busy domain controllers and application servers. This might cause servers to respond slowly and force the security log to record numerous events of little significance. Auditing for access to global system objects is an all-or-nothing affair; there is no way to filter which events get recorded and which do not. Even if an organization has the resources to analyze the events generated when this policy setting is enabled, it is unlikely to have the source code or a description of what each named object is used for; therefore, few organizations benefit from enabling this policy setting.

### Possible values

- Enabled
- Disabled
- Not defined

### Best practices

- Use the advanced security audit policy option, [Audit Kernel Object](audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access, to reduce the number of unrelated audit events that you generate.

### Location

Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options

### Default values

The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
| Server type or GPO | Default value |
| --- | --- |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Disabled |
| DC Effective Default Settings | Disabled |
| Member Server Effective Default Settings | Disabled |
| Client Computer Effective Default Settings | Disabled |
When this setting and object access auditing are both enabled, access to these objects is recorded in the Security log with the following event IDs (Windows Vista and later).

| Event ID | Event message |
| --- | --- |
| 4659 | A handle to an object was requested with intent to delete. |
| 4660 | An object was deleted. |
| 4661 | A handle to an object was requested. |
| 4663 | An attempt was made to access an object. |
On versions of Windows earlier than Windows Vista, the corresponding events use the following IDs.

| Event ID | Event message |
| --- | --- |
| 560 | Access was granted to an already existing object. |
| 562 | A handle to an object was closed. |
| 563 | An attempt was made to open an object with the intent to delete it. Note: This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in CreateFile(). |
| 564 | A protected object was deleted. |
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used. Note: A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
| 569 | The resource manager in Authorization Manager attempted to create a client context. |
| 570 | A client attempted to access an object. Note: An event will be generated for every attempted operation on the object. |
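Because the volume warning earlier on this page cannot be addressed with a filter, the practical check is to inspect how the setting is configured and measure what the events listed above actually cost on a given machine. The following Windows PowerShell script is an added example, not code from the original article or from Microsoft. It reads the registry value that backs this setting (`AuditBaseObjects` under the `Lsa` key), queries the Kernel Object audit subcategory with `auditpol.exe`, and then groups the last hour of events 4659, 4660, 4661 and 4663 by object type and process. It reads the live Security log, so no data is constructed; the one-hour window and the `-First 20` cut-off are arbitrary choices.

```powershell
# Added example (not part of the original article). Inspect the setting,
# confirm object access auditing for kernel objects, and measure event volume.
# Run from an elevated Windows PowerShell prompt.

# 1. The policy is stored as a REG_DWORD; 1 = Enabled, 0 or absent = Disabled.
#    The kernel reads it at boot, so a change only takes effect after a restart.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$val = (Get-ItemProperty -Path $lsa -Name AuditBaseObjects -ErrorAction SilentlyContinue).AuditBaseObjects
$state = if ($val -eq 1) { 'Enabled' } else { 'Disabled / not set' }
"AuditBaseObjects = $val ($state)"

# 2. The SACL the kernel assigns only produces events when object access
#    auditing is on; the relevant advanced subcategory is Kernel Object.
auditpol.exe /get /subcategory:"Kernel Object"

# To turn the subcategory on (needed for events 4659-4663):
#   auditpol.exe /set /subcategory:"Kernel Object" /success:enable /failure:enable
# To set this legacy policy locally without Group Policy (restart required):
#   Set-ItemProperty -Path $lsa -Name AuditBaseObjects -Value 1 -Type DWord

# 3. Measure the noise: pull the last hour of object-access events and group
#    them by ID, object type (e.g. Mutant, Event, Semaphore) and process, which
#    shows where the volume comes from even without knowing what each object is for.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4659, 4660, 4661, 4663
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Each event's EventData is a list of <Data Name="..."> elements; flatten it.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Id          = $_.Id
        ObjectType  = $d['ObjectType']    # absent for 4660 (object deleted)
        ObjectName  = $d['ObjectName']
        ProcessName = $d['ProcessName']
    }
} |
    Group-Object Id, ObjectType, ProcessName |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```

If the first two lines show the value enabled but `auditpol` reports "No Auditing" for Kernel Object, the SACL is being assigned but nothing is written to the log; conversely, a high count in step 3 dominated by one process and object type is the signal that the all-or-nothing cost of this setting is being paid for objects nobody intends to investigate.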