deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 05:47:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
windows-itpro-docs/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
Justin Hall fe6a326f63 moved auditing files
2018-02-01 10:06:00 -08:00

3.6 KiB
Raw Blame History

title, description, ms.assetid, ms.pagetype, ms.prod, ms.mktglfcycl, ms.sitesec, author, ms.date
title description ms.assetid ms.pagetype ms.prod ms.mktglfcycl ms.sitesec author ms.date
Audit Sensitive Privilege Use (Windows 10) This topic for the IT professional describes the Advanced Security Audit policy setting, Audit Sensitive Privilege Use, which determines whether the operating system generates audit events when sensitive privileges (user rights) are used. 915abf50-42d2-45f6-9fd1-e7bd201b193d security w10 deploy library Mir0sh 04/19/2017

Audit Sensitive Privilege Use

Applies to

  • Windows 10
  • Windows Server 2016

Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges:

  • Act as part of the operating system

  • Back up files and directories

  • Restore files and directories

  • Create a token object

  • Debug programs

  • Enable computer and user accounts to be trusted for delegation

  • Generate security audits

  • Impersonate a client after authentication

  • Load and unload device drivers

  • Manage auditing and security log

  • Modify firmware environment values

  • Replace a process-level token

  • Take ownership of files or other objects

The use of two privileges, “Back up files and directories” and “Restore files and directories,” generate events only if the “Audit: Audit the use of Backup and Restore privilege” Group Policy setting is enabled on the computer or device. We do not recommend enabling this Group Policy setting because of the high number of events recorded.

This subcategory also contains informational events from the file system Transaction Manager.

If you configure this policy setting, an audit event is generated when sensitive privilege requests are made. Success audits record successful attempts, and failure audits record unsuccessful attempts.

Event volume: High.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller Yes Yes Yes Yes We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account.
Member Server Yes Yes Yes Yes We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account.
Workstation Yes Yes Yes Yes We recommend tracking Success and Failure for this subcategory of events, especially if the sensitive privileges were used by a user account.

Events List:

  • 4673(S, F): A privileged service was called.

  • 4674(S, F): An operation was attempted on a privileged object.

  • 4985(S): The state of a transaction has changed.

Note

  For some reason event “4985(S): The state of a transaction has changed" from Audit File System subcategory generates also in this subcategory. See description of event 4985 in Audit File System subcategory.