f4bb542824
In this patch, I replaced all occurrences of http://go.microsoft.com with https://go.microsoft.com
8.1 KiB
title, description, ms.assetid, ms.prod, ms.mktglfcycl, ms.sitesec, author, ms.pagetype, redirect_url
| title | description | ms.assetid | ms.prod | ms.mktglfcycl | ms.sitesec | author | ms.pagetype | redirect_url |
|---|---|---|---|---|---|---|---|---|
| What's new in security auditing (Windows 10) | Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. | CB35A02E-5C66-449D-8C90-7B73C636F67B | w10 | explore | library | brianlic-msft | security, mobile | https://technet.microsoft.com/itpro/windows/whats-new/whats-new-windows-10-version-1507-and-1511 |
What's new in security auditing?
Applies to
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment.
New features in Windows 10, version 1511
- The WindowsSecurityAuditing and Reporting configuration service providers allow you to add security audit policies to mobile devices.
New features in Windows 10
In Windows 10, security auditing has added some improvements:
New audit subcategories
In Windows 10, two new audit subcategories were added to the Advanced Audit Policy Configuration to provide greater granularity in audit events:
- Audit Group Membership Found in the Logon/Logoff audit category, the Audit Group Membership subcategory allows you to audit the group membership information in a user's logon token. Events in this subcategory are generated when group memberships are enumerated or queried on the PC where the logon session was created. For an interactive logon, the security audit event is generated on the PC that the user logged on to. For a network logon, such as accessing a shared folder on the network, the security audit event is generated on the PC hosting the resource. When this setting is configured, one or more security audit events are generated for each successful logon. You must also enable the Audit Logon setting under Advanced Audit Policy Configuration\System Audit Policies\Logon/Logoff. Multiple events are generated if the group membership information cannot fit in a single security audit event.
- Audit PNP Activity Found in the Detailed Tracking category, the Audit PNP Activity subcategory allows you to audit when plug and play detects an external device. Only Success audits are recorded for this category. If you do not configure this policy setting, no audit event is generated when an external device is detected by plug and play. A PnP audit event can be used to track down changes in system hardware and will be logged on the PC where the change took place. A list of hardware vendor IDs are included in the event.
More info added to existing audit events
With Windows 10, we've added more info to existing audit events to make it easier for you to put together a full audit trail and come away with the information you need to protect your enterprise. Improvements were made to the following audit events:
- Changed the kernel default audit policy
- Added a default process SACL to LSASS.exe
- Added new fields in the logon event
- Added new fields in the process creation event
- Added new Security Account Manager events
- Added new BCD events
- Added new PNP events
Changed the kernel default audit policy
In previous releases, the kernel depended on the Local Security Authority (LSA) to retrieve info in some of its events. In Windows 10, the process creation events audit policy is automatically enabled until an actual audit policy is received from LSA. This results in better auditing of services that may start before LSA starts.
Added a default process SACL to LSASS.exe
In Windows 10, a default process SACL was added to LSASS.exe to log processes attempting to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can enable this under Advanced Audit Policy Configuration\Object Access\Audit Kernel Object. This can help identify attacks that steal credentials from the memory of a process.
New fields in the logon event
The logon event ID 4624 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4624:
- MachineLogon String: yes or no If the account that logged into the PC is a computer account, this field will be yes. Otherwise, the field is no.
- ElevatedToken String: yes or no If the account that logged into the PC is an administrative logon, this field will be yes. Otherwise, the field is no. Additionally, if this is part of a split token, the linked login ID (LSAP_LOGON_SESSION) will also be shown.
- TargetOutboundUserName String TargetOutboundUserDomain String The username and domain of the identity that was created by the LogonUser method for outbound traffic.
- VirtualAccount String: yes or no If the account that logged into the PC is a virtual account, this field will be yes. Otherwise, the field is no.
- GroupMembership String A list of all of the groups in the user's token.
- RestrictedAdminMode String: yes or no If the user logs into the PC in restricted admin mode with Remote Desktop, this field will be yes. For more info on restricted admin mode, see Restricted Admin mode for RDP.
New fields in the process creation event
The logon event ID 4688 has been updated to include more verbose information to make them easier to analyze. The following fields have been added to event 4688:
- TargetUserSid String The SID of the target principal.
- TargetUserName String The account name of the target user.
- TargetDomainName String The domain of the target user..
- TargetLogonId String The logon ID of the target user.
- ParentProcessName String The name of the creator process.
- ParentProcessId String A pointer to the actual parent process if it's different from the creator process.
New Security Account Manager events
In Windows 10, new SAM events were added to cover SAM APIs that perform read/query operations. In previous versions of Windows, only write operations were audited. The new events are event ID 4798 and event ID 4799. The following APIs are now audited:
- SamrEnumerateGroupsInDomain
- SamrEnumerateUsersInDomain
- SamrEnumerateAliasesInDomain
- SamrGetAliasMembership
- SamrLookupNamesInDomain
- SamrLookupIdsInDomain
- SamrQueryInformationUser
- SamrQueryInformationGroup
- SamrQueryInformationUserAlias
- SamrGetMembersInGroup
- SamrGetMembersInAlias
- SamrGetUserDomainPasswordInformation
New BCD events
Event ID 4826 has been added to track the following changes to the Boot Configuration Database (BCD):
- DEP/NEX settings
- Test signing
- PCAT SB simulation
- Debug
- Boot debug
- Integrity Services
- Disable Winload debugging menu
New PNP events
Event ID 6416 has been added to track when an external device is detected through Plug and Play. One important scenario is if an external device that contains malware is inserted into a high-value machine that doesn’t expect this type of action, such as a domain controller. Learn how to manage your security audit policies within your organization.