Privilege Use- what do we audit, and when?

Odd thing today- I got two questions about the obscure "FullPrivilegeAuditing" registry setting- so I thought I'd post my answer. Some of this is not new; I posted on the Windows Server 2003 SP1 changes to auditing a while back.

Event IDs 577 (Privileged Service Called) and 578 (Privileged Object Operation) are governed by the Privilege Use audit category. Use of every privilege except the following is audited by these events:

  • ChangeNotifyPrivilege
  • AuditPrivilege
  • CreateTokenPrivilege
  • AssignPrimaryTokenPrivilege
  • DebugPrivilege
  • SystemtimePrivilege (only suppressed for services, and only on Windows Server 2003)
  • BackupPrivilege
  • RestorePrivilege

With FullPrivilegeAuditing enabled, auditing is suppressed only for these privileges (so Backup and Restore privilege use is now audited):

  • ChangeNotifyPrivilege
  • AuditPrivilege
  • CreateTokenPrivilege
  • AssignPrimaryTokenPrivilege
  • DebugPrivilege
  • SystemtimePrivilege (only suppressed for services, and only on Windows Server 2003)

Prior to Windows Server 2003 SP1, Windows generated audit event 576 at logon if the account held any of the following privileges (notice that, apart from the Systemtime special case, it is the same list that FullPrivilegeAuditing suppresses by default- no coincidence, it is the same data structure). The theory of operation was that event ID 576 recorded privileges held at logon which did not generate privilege use audits under normal usage circumstances, so that the audit trail still showed who held them.

  • ChangeNotifyPrivilege
  • AuditPrivilege
  • CreateTokenPrivilege
  • AssignPrimaryTokenPrivilege
  • BackupPrivilege
  • RestorePrivilege
  • DebugPrivilege

Starting with Windows Server 2003 SP1, the following privileges cause event 576 instead. The new theory of operation is that event ID 576 records privileges which are "administrator-equivalent": privileges which can be used either to elevate to administrator or to compromise the audit trail. In other words, we re-purposed an event that no one cared about.

  • AssignPrimaryTokenPrivilege
  • AuditPrivilege
  • BackupPrivilege
  • CreateTokenPrivilege
  • DebugPrivilege
  • EnableDelegationPrivilege
  • ImpersonatePrivilege
  • LoadDriverPrivilege
  • RestorePrivilege
  • SecurityPrivilege
  • SystemEnvironmentPrivilege
  • TakeOwnershipPrivilege
  • TcbPrivilege

In Windows Server 2003 RTM, Windows generates event ID 576 if either the Logon/Logoff category or the Privilege Use category is enabled. In Windows Vista it is a logon event only (event ID 4672, "Special privileges assigned to new logon", in the "Special Logon" subcategory of Logon/Logoff), and is no longer associated with the Privilege Use category.
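Because the SP1 list above is what makes 576 (4672 on Vista and later) worth reading, here is an added example of pulling those events and flagging the administrator-equivalent privileges. This is my code, not the original post's: it targets 4672 via Get-WinEvent, which exists on Vista and later (576 in a Windows Server 2003 log carries the same fields, but as unnamed strings, so this parser does not apply to it), and it needs rights to read the Security log. Function and variable names are my own.

```powershell
# Added example (not from the original post). The list is the SP1 "administrator-
# equivalent" set, spelled with the Se* constant names the event actually contains.
$AdminEquivalent = @(
    'SeAssignPrimaryTokenPrivilege', 'SeAuditPrivilege', 'SeBackupPrivilege',
    'SeCreateTokenPrivilege', 'SeDebugPrivilege', 'SeEnableDelegationPrivilege',
    'SeImpersonatePrivilege', 'SeLoadDriverPrivilege', 'SeRestorePrivilege',
    'SeSecurityPrivilege', 'SeSystemEnvironmentPrivilege', 'SeTakeOwnershipPrivilege',
    'SeTcbPrivilege'
)

function Get-SpecialLogonPrivileges {
    # Reads "Special privileges assigned to new logon" (4672) and returns one object
    # per logon with the privilege list parsed out of the event's EventData.
    param(
        [string]$LogName = 'Security',
        [int]$MaxEvents = 500
    )
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4672 } -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # PrivilegeList is one string with the privileges separated by whitespace.
            $privs = @(($data['PrivilegeList'] -split '\s+') | Where-Object { $_ })
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                LogonId    = $data['SubjectLogonId']
                Privileges = $privs
                AdminEquiv = @($privs | Where-Object { $AdminEquivalent -contains $_ })
            }
        }
}

# Usage: logons other than the SYSTEM account (logon ID 0x3e7, which holds most of
# these privileges by design and would otherwise drown the report) that received
# SeDebugPrivilege or SeTcbPrivilege.
Get-SpecialLogonPrivileges |
    Where-Object {
        $_.LogonId -ne '0x3e7' -and
        ($_.AdminEquiv -contains 'SeDebugPrivilege' -or $_.AdminEquiv -contains 'SeTcbPrivilege')
    } |
    Format-Table Time, User, LogonId, @{ n = 'AdminEquiv'; e = { $_.AdminEquiv -join ',' } } -AutoSize
```

The LogonId is the key for correlating onward: the same value appears in the 4624 logon event and in the 4673/4674 privilege use events that session generates, so a 4672 carrying SeDebugPrivilege for an account that should not have it can be followed to what it actually did.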