deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/keep-secure/audit-other-object-access-events.md
Brian Lich fa5ddfcf9d changing from ms.prod: W10 to ms.prod: w10
2016-06-02 15:42:37 -07:00

2.9 KiB
Raw Blame History

title, description, ms.assetid, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author
title description ms.assetid ms.pagetype ms.prod ms.mktglfcycl ms.sitesec author
Audit Other Object Access Events (Windows 10) This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Other Object Access Events, which determines whether the operating system generates audit events for the management of Task Scheduler jobs or COM+ objects. b9774595-595d-4199-b0c5-8dbc12b6c8b2 security w10 deploy library Mir0sh

Audit Other Object Access Events

Applies to

  • Windows 10
  • Windows Server 2016

Audit Other Object Access Events allows you to monitor operations with scheduled tasks, COM+ objects and indirect object access requests.

Event volume: Low.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller Yes Yes Yes Yes We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack.
Member Server Yes Yes Yes Yes We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack.
Workstation Yes Yes Yes Yes We recommend Success auditing first of all because of scheduled tasks events.
We recommend Failure auditing to get events about possible ICPM DoS attack.

Events List:

  • 4671(-): An application attempted to access a blocked ordinal through the TBS.

  • 4691(S): Indirect access to an object was requested.

  • 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.

  • 5149(F): The DoS attack has subsided and normal processing is being resumed.

  • 4698(S): A scheduled task was created.

  • 4699(S): A scheduled task was deleted.

  • 4700(S): A scheduled task was enabled.

  • 4701(S): A scheduled task was disabled.

  • 4702(S): A scheduled task was updated.

  • 5888(S): An object in the COM+ Catalog was modified.

  • 5889(S): An object was deleted from the COM+ Catalog.

  • 5890(S): An object was added to the COM+ Catalog.