windows-itpro-docs/windows/security/threat-protection/auditing/audit-handle-manipulation.md
Docs Allowlist Management 8cd92d66ee In all content, remove
ms.technology = itpro-security paired with ms.prod = windows-client

Replace with

ms.subservice = itpro-security paired with ms.service=windows-client
2024-01-12 19:42:18 +00:00


| Key | Value |
| --- | --- |
| title | Audit Handle Manipulation |
| description | The Advanced Security Audit policy setting, Audit Handle Manipulation, determines if audit events are generated when a handle to an object is opened or closed. |
| ms.assetid | 1fbb004a-ccdc-4c80-b3da-a4aa7a9f4091 |
| ms.reviewer | |
| manager | aaroncz |
| ms.author | vinpa |
| ms.pagetype | security |
| ms.mktglfcycl | deploy |
| ms.sitesec | library |
| ms.localizationpriority | low |
| author | vinaypamnani-msft |
| ms.date | 09/06/2021 |
| ms.topic | reference |

Audit Handle Manipulation

Audit Handle Manipulation enables generation of “4658: The handle to an object was closed” in the Audit File System, Audit Kernel Object, Audit Registry, Audit Removable Storage and Audit SAM subcategories, and shows object handle duplication and close actions.

Event volume: High.

| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
| --- | --- | --- | --- | --- | --- |
| Domain Controller | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor at the object handle level. |
| Member Server | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor at the object handle level. |
| Workstation | No | No | No | No | Typically, information about the duplication or closing of an object handle has little to no security relevance and is hard to parse or analyze. There is no recommendation to enable this subcategory for Success or Failure auditing, unless you know exactly what you need to monitor at the object handle level. |

Events List:

  • 4658(S): The handle to an object was closed.

  • 4690(S): An attempt was made to duplicate a handle to an object.

4658(S): The handle to an object was closed.

For a description of the event, see “4658(S): The handle to an object was closed” in the Audit File System subcategory. This event doesn't generate in the Audit Handle Manipulation subcategory, but you can use this subcategory to enable it.
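To check whether this subcategory is enabled on a host and how much 4658/4690 volume it is producing, the following is an added example, not part of the original documentation. It assumes an elevated PowerShell session and an English-language Windows installation (auditpol subcategory names are localized); the one-hour window and the top-10 cutoff are arbitrary choices.

```powershell
# Added example: run from an elevated PowerShell session.
# Assumes English subcategory names; auditpol output is localized.

# /r makes auditpol emit CSV; drop blank lines before parsing.
$policy = auditpol /get /subcategory:"Handle Manipulation" /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv

$setting = $policy.'Inclusion Setting'
Write-Output "Audit Handle Manipulation is set to: $setting"

# Collect handle close (4658) and handle duplication (4690) events
# from the last hour (window length is an arbitrary choice).
$since  = (Get-Date).AddHours(-1)
$events = @(Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4658, 4690
    StartTime = $since
} -ErrorAction SilentlyContinue)   # no matching events is not an error here

Write-Output "Events since ${since}: $($events.Count)"

# Volume per event ID.
$events | Group-Object Id |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize

# For 4658, show which processes close the most audited handles.
# ProcessName is read from the event's EventData section.
$events | Where-Object Id -eq 4658 | ForEach-Object {
    $xml = [xml]$_.ToXml()
    ($xml.Event.EventData.Data |
        Where-Object Name -eq 'ProcessName').'#text'
} | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# The table above recommends "No" for every computer type.
if ($setting -and $setting -ne 'No Auditing') {
    Write-Warning "Handle Manipulation auditing is enabled ($setting); confirm this is intentional given the high event volume."
}
```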