2003 SP1 – "new" feature… Per User Auditing


I'll post a few blogs on some new SP1 items which aren't detailed in http://www.microsoft.com/technet/prodtechnol/windowsserver2003/servicepack/overview.mspx

 

There is a "new" feature in 2003 SP1 for Per User Auditing. It's not really new: it has been in there since RTM, but there was no easy way to get at it from a GUI to configure it. There is now a command line tool called auditusr.exe.

 

Auditusr.exe was included in XP SP2 as well, but no one really documented it.

 

It writes its settings under the following registry key, one REG_BINARY value per user, named by that user's SID, whose data is the mask representing the inclusions and exclusions:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Audit\PerUserAuditing\System

 

A few ground rules:

 

Administrator can be included but not excluded.

Built-in and security groups can't be included or excluded; settings are per user.

If a user is both included and excluded for a category, the user is included.

 

 

Sample use (exclude User1 from success auditing of Object Access):

 

C:\WINDOWS\system32>auditusr.exe /es SpatsDomain\User1:"Object Access"

 

You can set the following categories:

 

System Event

Logon/Logoff

Object Access

Privilege Use

Detailed Tracking

Policy Change

Account Management

Directory Service Access

Account Logon

 

You can dump out the current settings via the /e switch; each line is account:include|exclude:success|failure:category:

 

Auditusr 1.0

SPATSDOMAIN\User1:exclude:success:Object Access

SPATSDOMAIN\User2:exclude:failure:Object Access

SPATSDOMAIN\Test2:exclude:success:Object Access
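To make the ground rules and the export format concrete, here is an added example in Python. It is not code from the original post or from Microsoft's tool: it parses a dump in the line format shown above, flags entries that break the rules (unknown category, Administrator excluded), resolves include/exclude conflicts the way the rules say (inclusion wins), and emits the auditusr.exe commands that would reproduce the effective settings. The sample dump is constructed; only /es and /e appear in the post, so the /is, /if and /ef switches used here are assumed from the tool's own /? help.

```python
"""Work with the per-user auditing settings that auditusr.exe exports.

Added example (not part of the original post). It assumes the export
format shown in the post, one entry per line:

    DOMAIN\\User:include|exclude:success|failure:Category

and the ground rules as stated there: a user that is both included and
excluded for a category is included, Administrator can be included but
not excluded, and the category must be one of the nine listed.
"""

from collections import namedtuple

Entry = namedtuple("Entry", "account mode outcome category")

# The nine categories the post lists.
CATEGORIES = frozenset({
    "System Event", "Logon/Logoff", "Object Access", "Privilege Use",
    "Detailed Tracking", "Policy Change", "Account Management",
    "Directory Service Access", "Account Logon",
})

# Switch for each (mode, outcome) pair. /es is the one the post uses;
# /is, /if and /ef are assumed from the tool's own /? help.
SWITCHES = {
    ("include", "success"): "/is",
    ("exclude", "success"): "/es",
    ("include", "failure"): "/if",
    ("exclude", "failure"): "/ef",
}

# Constructed sample, modelled on the /e dump in the post, with a
# conflicting User1 entry, an excluded Administrator and a misspelled
# category added so the checks below have something to find.
SAMPLE_EXPORT = """\
Auditusr 1.0
SPATSDOMAIN\\User1:exclude:success:Object Access
SPATSDOMAIN\\User2:exclude:failure:Object Access
SPATSDOMAIN\\Test2:exclude:success:Object Access
SPATSDOMAIN\\User1:include:success:Object Access
SPATSDOMAIN\\Administrator:exclude:failure:Logon/Logoff
SPATSDOMAIN\\User3:include:failure:Object Acces
"""


def parse_export(text):
    """Parse an auditusr /e dump into Entry tuples; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("Auditusr "):  # blank or version banner
            continue
        parts = line.split(":", 3)  # none of the nine category names contains ':'
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected account:mode:outcome:category, got {raw!r}")
        account, mode, outcome, category = parts
        if mode not in ("include", "exclude") or outcome not in ("success", "failure"):
            raise ValueError(f"line {lineno}: bad mode/outcome in {raw!r}")
        entries.append(Entry(account, mode, outcome, category))
    return entries


def check_rules(entries):
    """Return warnings for entries that break the tool's ground rules."""
    warnings = []
    for e in entries:
        if e.category not in CATEGORIES:
            warnings.append(f"{e.account}: unknown category {e.category!r}")
        user = e.account.rsplit("\\", 1)[-1]  # strip the DOMAIN\ prefix
        if e.mode == "exclude" and user.lower() == "administrator":
            warnings.append(f"{e.account}: Administrator can be included but not excluded")
    return warnings


def effective_policy(entries):
    """Resolve entries to one mode per (account, category, outcome).

    Inclusion wins over exclusion when both are present for the same user,
    which is the rule the post gives. Account names are compared
    case-insensitively, as Windows does; the original spelling is kept
    for output.
    """
    policy = {}
    for e in entries:
        key = (e.account.upper(), e.category, e.outcome)
        if policy.get(key, (None,))[0] == "include":
            continue  # already included; a later exclude cannot override it
        policy[key] = (e.mode, e.account)
    return policy


def to_commands(policy):
    """Emit the auditusr.exe invocations that reproduce the effective policy."""
    cmds = []
    for (_, category, outcome), (mode, account) in sorted(policy.items()):
        cmds.append(f'auditusr.exe {SWITCHES[(mode, outcome)]} {account}:"{category}"')
    return cmds


if __name__ == "__main__":
    entries = parse_export(SAMPLE_EXPORT)
    for w in check_rules(entries):
        print("WARNING:", w)
    for cmd in to_commands(effective_policy(entries)):
        print(cmd)
```

Paste the output of auditusr.exe /e from a box you are reviewing in place of SAMPLE_EXPORT; the warnings tell you which lines the tool would reject, and the command list is what it takes to rebuild the same settings on another machine. An exclude entry silences that category for that account, so the exclude lines in any dump are the ones worth reading twice.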

 

 

Check auditusr.exe /? for more info.

 

PS: Since we edit the LSA keys I have found a reboot to be necessary to enforce the new settings. I am sure that Eric Fitzgerald can correct me if I am wrong on any points here.

 

Spat

 

Comments (4)

  1. The POSIX subsystem (from the Microsoft product Windows Services for UNIX, version 3.5) seems to crash when SP1 is installed.

    I should probably report this through proper channel, but just happened to read your blog first 🙂

  2. Troy says:

    Thanks for the information. It would be nice if Microsoft would provide a little more info on these hidden tools.

  3. SpatDSG says:

    You mean more info on this specific tool or more info on obscure tools which don't seem to have documentation anywhere?

    spat

  4. Z says:

    Sure it is documented!!!!

    Security Monitoring and Attack Detection

    http://www.microsoft.com/technet/security/midsizebusiness/topics/serversecurity/attackdetection.mspx

    Oh wait, the documentation misspelled the command. And oh yes, the examples that they posted don’t work even if the command is spelled correctly.

    The joys of running windows