New Auditing in Vista

Something that is not well known in Vista: this ain't your typical auditing.

There is a HUGE amount of auditing that we added to the OS for system auditing.

Let's dig in and look at just one of the new subcategories, one that previous OS's never even came close to providing data on.

First, how to get to the new goodies (no UI here, sorry folks):


C:\>auditpol /get /category:*

System audit policy
Category/Subcategory                      Setting
System
  Security System Extension               No Auditing
  System Integrity                        Success and Failure
  IPsec Driver                            No Auditing
  Other System Events                     Success and Failure
  Security State Change                   Success
Logon/Logoff
  Logon                                   Success
  Logoff                                  Success
  Account Lockout                         Success
  IPsec Main Mode                         No Auditing
  IPsec Quick Mode                        No Auditing
  IPsec Extended Mode                     No Auditing
  Special Logon                           Success
  Other Logon/Logoff Events               No Auditing
Object Access
  File System                             No Auditing
  Registry                                No Auditing
  Kernel Object                           No Auditing
  SAM                                     No Auditing
  Certification Services                  No Auditing
  Application Generated                   No Auditing
  Handle Manipulation                     No Auditing
  File Share                              No Auditing
  Filtering Platform Packet Drop          No Auditing
  Filtering Platform Connection           No Auditing
  Other Object Access Events              No Auditing
Privilege Use
  Sensitive Privilege Use                 No Auditing
  Non Sensitive Privilege Use             No Auditing
  Other Privilege Use Events              No Auditing
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
  RPC Events                              No Auditing
  Process Creation                        No Auditing
Policy Change
  Audit Policy Change                     Success
  Authentication Policy Change            Success
  Authorization Policy Change             No Auditing
  MPSSVC Rule-Level Policy Change         No Auditing
  Filtering Platform Policy Change        No Auditing
  Other Policy Change Events              No Auditing
Account Management
  User Account Management                 Success
  Computer Account Management             No Auditing
  Security Group Management               Success
  Distribution Group Management           No Auditing
  Application Group Management            No Auditing
  Other Account Management Events         No Auditing
DS Access
  Directory Service Changes               No Auditing
  Directory Service Replication           No Auditing
  Detailed Directory Service Replication  No Auditing
  Directory Service Access                No Auditing
Account Logon
  Kerberos Ticket Events                  No Auditing
  Other Account Logon Events              No Auditing
  Credential Validation                   No Auditing


We will focus on DPAPI, which historically has had limited exposure. For a primer see http://msdn2.microsoft.com/en-us/library/ms995355.aspx

CryptProtectData and the other DPAPI functions use this system.


C:\>auditpol /set /subcategory:"DPAPI Activity" /success:enable
The command was successfully executed.

Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          Success
  RPC Events                              No Auditing
  Process Creation                        No Auditing

Now we see that the DPAPI subcategory will audit for success (we could have done /failure:enable as well).


We will see this fact reflected in the Event Log:

System audit policy was changed.

Subject:
            Security ID:            DOMAINA\Administrator
            Account Name:           Administrator
            Account Domain:         DOMAINA
            Logon ID:               0xfa76f

Audit Policy Change:
            Category:               Detailed Tracking
            Subcategory:            DPAPI Activity
            Subcategory GUID:       {0CCE922D-69AE-11D9-BED3-505054503030}
            Changes:                Success Added
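Since there is no UI for this, it is worth scripting a check that the subcategories you care about stay enabled, and that whoever flips one off shows up in the Audit Policy Change event above. The following is an added example, not code from the original post: it parses auditpol /get /category:* output in the format shown earlier, compares it with a baseline of your choosing, and builds the auditpol /set commands that would close any gap. The trimmed sample output and the baseline are constructed.

```python
import re
# Constructed sample, trimmed from the auditpol /get /category:* output in the post.
SAMPLE = """System audit policy
Category/Subcategory                      Setting
System
  System Integrity                        Success and Failure
Detailed Tracking
  Process Termination                     No Auditing
  DPAPI Activity                          No Auditing
"""
# Desired settings for the subcategories we care about (constructed baseline).
BASELINE = {"DPAPI Activity": "Success and Failure", "System Integrity": "Success and Failure"}
# Indented subcategory line: name, two or more spaces, one of the four settings.
SUBCAT = re.compile(r"^\s+(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$")

def parse_auditpol(text):
    """Return {(category, subcategory): setting}; unindented lines name the category."""
    policy, category = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("System audit policy", "Category/Subcategory")):
            continue
        m = SUBCAT.match(line)
        if m and category:
            policy[(category, m.group(1))] = m.group(2)
        elif not line.startswith(" "):
            category = line.strip()
    return policy

def flags(setting):
    """Map a setting string to (success, failure) booleans, as auditpol /set takes them."""
    return "Success" in setting, "Failure" in setting

def find_drift(policy, baseline):
    """List (subcategory, current, wanted) where auditing is weaker than the baseline."""
    current = {sub: setting for (_, sub), setting in policy.items()}
    drift = []
    for sub, wanted in baseline.items():
        have = current.get(sub, "Not present")  # absent subcategory: nothing enabled
        if any(w and not h for w, h in zip(flags(wanted), flags(have))):
            drift.append((sub, have, wanted))
    return drift

def remediation(drift):
    """Build the auditpol /set commands that raise each drifted subcategory to the baseline."""
    cmds = []
    for sub, _, wanted in drift:
        s, f = flags(wanted)
        cmds.append(f'auditpol /set /subcategory:"{sub}"'
                    + (" /success:enable" if s else "") + (" /failure:enable" if f else ""))
    return cmds
```

On a live box, feed the real auditpol output to parse_auditpol instead of SAMPLE; a subcategory that is already at or above the baseline produces no command.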


 


 


 


So let's give it a spin. I used Outlook to sign some mail.

Here are the 3 events generated:

A cryptographic self test was performed.

Subject:
            Security ID:            SYSTEM
            Account Name:           VISTACRISCO$
            Account Domain:         DOMAINA
            Logon ID:               0x3e7

Module:                 ncrypt.dll

Return Code:            0x0


Key file operation.

Subject:
            Security ID:            DOMAINA\Administrator
            Account Name:           Administrator
            Account Domain:         DOMAINA
            Logon ID:               0xfa76f

Cryptographic Parameters:
            Provider Name:          Microsoft Software Key Storage Provider
            Algorithm Name:         Not Available.
            Key Name:               {D9E9DA9C-7F8C-4090-A3E9-56CF76099437}
            Key Type:               User key.

Key File Operation Information:
            File Path:              C:\Users\Administrator.DOMAINA\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1062893845-71897300-3205605540-500\88f099cd4d91e383a07203de5a8d0a4d_79f3ab01-e697-496e-afe2-672634d9bf6a
            Operation:              Read persisted key from file.
            Return Code:            0x0


Cryptographic operation.

Subject:
            Security ID:            DOMAINA\Administrator
            Account Name:           Administrator
            Account Domain:         DOMAINA
            Logon ID:               0xfa76f

Cryptographic Parameters:
            Provider Name:          Microsoft Software Key Storage Provider
            Algorithm Name:         RSA
            Key Name:               {D9E9DA9C-7F8C-4090-A3E9-56CF76099437}
            Key Type:               User key.

Cryptographic Operation:
            Operation:              Open Key.
            Return Code:            0x0


 


That's just one example. Good heavens, look how long that list of subcategories is!! What fun…

spatdsg


Comments (1)

  1. vedala says:

    Thanks for the post Steve! very helpful.
