Windows 2000/XP DSS Auditing Written by: Darren Bennett - CISSP Originally Written 08/04/04 Last Updated 08/07/04


Intro:

The NISPOM Chapter 8 establishes requirements for auditing and securing information systems (IS). This document describes how to meet the requirements in preparation for Certification and Accreditation (C&A). The information included is intended to be used as a guide and is not endorsed by the DoD/DSS. All information systems have unique requirements and therefore, it is important that the DSS Chapter 8 documentation be your primary reference to ensure compliance.

References:

The following documents/sites were used in developing this guide:

(The DSS Website)
(NISPOM Chapter 8)
DSS Auditing Documentation for Windows 2000/XP (Originally prepared by Northrop Grumman IS Security, updated by Steven Scott (ISSP/DSS) and Anna Schaffroth (ISSM/SAIC))
(The SANS reading room)
2k/09detect.mspx (Microsoft Corporation Solution for Securing Windows 2000 Server)
roddocs/en-us/520.mspx (Microsoft Corporation Security Configuration Manager tools)
0_Registry.html (Windows Security.com Securing the registry reference)

Updates:

**NOTE** This is a living document and will be updated regularly. Check to ensure you have the latest version. Any improvements, changes or suggestions for modification should be sent to Darren.L.Bennett@saic.com. Feedback is encouraged!

Contents:

I. Configure Login Banners:
   1. Example Banner
   2. Implementation
II. Restrict alternate boot device access, disable access to the system PROM:
   1. Explanation
   2. Implementation
III. Configure File System Permissions and Auditing:
   1. Verify that the file system is NTFS (convert if necessary)
   2. Secure the Windows OS filesystem and enable auditing
   3. Enable Security and Auditing for the SAM database, The Registry, Event Log Files (Audit Archive) and Anti virus software
IV. Set Security Policies, Settings, Rights Assignments and Special configuration options
V. Notes about user accounts
VI. Audits and Audit files:
   1. Configuring Event Viewer
   2. Performing Security Audits and saving log files
VII. Policy review questions, Windows Event IDs

I. Login Banners:

1. Example Banner:

The following text must be displayed at the login screen for all users.

***DoD Warning Banner***

Use of this or any other DoD interest computer system constitutes a consent to monitoring at all times. This is a DoD interest computer system. All DoD interest computer systems and related equipment are intended for the communication, transmission, processing, and storage of official U.S. Government or other authorized information only. All DoD interest computer systems are subject to monitoring at all times to ensure proper functioning of equipment and systems including security devices and systems, to prevent unauthorized use and violations of statutes and security regulations, to deter criminal activity, and for other similar purposes. Any user of a DoD interest computer system should be aware that any information placed in the system is subject to monitoring and is not subject to any expectation of privacy. If monitoring of this or any other DoD interest computer system reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring of this or any other DoD interest computer systems reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of DoD interest computer systems are subject to appropriate disciplinary action. Use of this or any other DoD interest computer system constitutes a consent to monitoring at all times.

2. Implementing:

To implement a logon banner on Windows 2000/XP, perform the following steps:

a. Open Control-Panel and double-click Administrative Tools
b. Select Local Security Policy, Security Options and follow the steps below that apply to your version of Windows

Windows XP:
Step 1 - For Windows XP, click on Interactive logon: Message title for users attempting to log on and enter the header (***DoD Warning Banner***)
Step 2 - For Windows XP, click on Interactive logon: Message text for users attempting to log on and enter the text specified in step 1.1. (minus the header)

Windows 2000:
Step 1 - For Windows 2000, click on Message title for users attempting to logon and enter the header (***DoD Warning Banner***)
Step 2 - For Windows 2000, click on Message text for users attempting to log on and enter the text specified in step 1.1. (minus the header)

(This is an example of the logon banner title field on Windows XP:)

II. Restrict alternate boot device access and disable access (require authentication) to the system PROM/BIOS

1. Explanation

In order to prevent unauthorized access attempts from alternate boot devices on the system, we must configure the system BIOS (aka PROM) to prevent booting from all devices (other than the approved system disk). Booting from network interfaces should also be disabled. A BIOS password must also be set and activated to prevent a user from changing these settings.

2. Implementation

Modifying the PROM/BIOS settings differs from system to system. Consult your system hardware documentation for details on how to restrict which devices are bootable and enable password protection of the PROM/BIOS.

III. Configure File System Permissions

1. Verify that the file system is NTFS (convert if necessary)

In the Windows operating system environment, a file system must be in NTFS format to effectively audit file/system access attempts and set up security.

Steps to verify that a Windows file system is NTFS:

a. Double click on the My Computer icon
b. Select the hard disk (i.e. C:) and right click
c. Select Properties. In the General tab, the File system field should display NTFS
d. Repeat steps a-c for all hard disks on the system

(Verifying that the file system is NTFS)

Steps to convert a file system to NTFS:

a. Click Start, Run
b. Type convert c: /fs:ntfs in the Run dialog that opens and click ok (replace the c: with the letter of the drive to convert if multiple drives need to be converted)
c. Repeat steps a-b for each disk on the system

(Converting a disk to NTFS)

2. Secure the Windows OS files and enable auditing

a. Open Windows Explorer and right click on the directory containing the Windows OS (usually either c:\windows or c:\winnt)
b. Select Properties and click on the Security tab
c. Verify that the permissions match the following (and no other access has been granted):
   Administrators (Group) - Full Control
   SYSTEM (Group) - Full Control
   Administrator (User) - Full Control
   Authenticated Users (Group) - Read/Execute (ONLY)
d. Click the Advanced tab, click Permissions
e. Make sure that the check box Reset permissions on all child objects and enable propagation of inheritable permissions is checked

f. Apply the settings by clicking ok followed by yes
g. To prevent difficulties with printing for non-administrative users, edit the permissions on the C:\windows\system32\spool and C:\windows\temp directories as follows:
   - Right-click the directory, select Properties, and then select the Security tab
   - Select Authenticated Users and check Allow for Write access
h. Enable auditing of the Windows OS directory:
   - Open the Windows OS directory (C:\windows or c:\winnt) in Explorer and then right-click on it and select properties, advanced
   - Click the auditing tab
   - Click add and select Authenticated Users
   - Select all entries from the Failed column except Write Attributes and Write Extended Attributes

The settings for auditing should match the following:

(Settings for the Auditing of the Windows OS directory)

(Settings for auditing of the Windows OS directory)

3. Enable security and auditing for the SAM database, The Registry, Event Log Files (Audit Archive) and Anti virus software

a. Setting security and auditing for the SAM database

1. Navigate to the SAM database via Windows Explorer. (The SAM database resides in two directories: c:\winnt\repair and c:\winnt\system32\config (or for Windows 2000) c:\windows\repair and c:\windows\system32\config)
2. Right click the sam file and then click properties
3. Click on the Security tab
4. Ensure that the settings displayed when both files are examined match the following (with no additional users having access to these files):

(Security settings for the c:\windows\repair\sam and c:\windows\system32\config\sam files)

b. Setting security and auditing for the registry

1. Secure remote access to the registry:
   a. Click on Start, Run and type regedt32.exe then click OK
   b. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers
   c. If a winreg key exists, select it and then select security, permissions (if not, skip to step f)
   d. Allow the Administrators (Group) full access, the System and Authenticated Users (Groups) read access, remove the Everyone (Group) if it is listed

   e. Exit regedt32 and reboot the system.
   f. If the winreg key was not present, create a new one by selecting edit, add key and naming the key winreg
   g. Click the new key, select edit, add value and enter:
      Name: Description
      Type: REG_SZ
      Value: Registry Server
   h. Follow steps d and e above to secure the key
2. Enable auditing of specific keys and subkeys
   a. From step d (above), click the advanced button in the permissions window and enable auditing of specific keys and subkeys
   b. The HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key should have auditing enabled
3. Limit access to the registry by restricting the number of users with Administrator access
4. Remove the registry editor from the system if possible to deter modification attempts
5. Disable Registry tools through GPO by setting the GPO, creating a group and assigning the GPO to all users (except Administrators). This will prevent the use of regedit and regedt32 (User Configuration\Administrative Templates\System)

c. Audit archive folder security

An Audit Archive folder should be created on the desktop of the person tasked with performing system audits.

- Log on as the Audit user, right-click on his/her desktop and select new, folder, name the folder Audit Archive
- Limit permissions on this folder to the auditor and SYSTEM accounts. Right-click on the Audit Archive folder, click properties and select the security tab. Remove the access for the Administrators group. The only permissions granted to access the Audit Archive folder should be for the audit user and SYSTEM (they will be listed in the Name list).

(Permissions for Audit Archive folder on Auditor's desktop)

**NOTE** (In this example, the Auditor has the user name Auditor. This is not recommended. The Auditor should have a genuine user name (i.e. DoeJ); then, under description, the term Auditor can be used. This makes it clear who has been assigned the role of auditor for the system.)

d. Anti-virus Software Security and Auditing

The anti-virus software on the system must be protected from modification by anyone except the Administrator. The steps required to do this will differ based on the anti-virus product in use. The following steps provide an example of how to secure Symantec Norton Anti-virus. Securing other anti-virus products will require similar procedures (performed on different file/directory locations).

Securing Norton Anti-virus and enabling auditing:

Securing Anti-virus:

1. Right-click c:\program files\common files\symantec shared\ in Windows Explorer
2. Select properties, then click the security tab
3. Verify that the following users/groups (and ONLY the following) have the permissions shown below:
   Administrators (Group) - Full Control
   Authenticated Users (Group) - Read and Execute
   SYSTEM - Full Control

Enabling Auditing of the Anti-virus program:

1. Right-click c:\program files\common files\symantec shared\ in Windows Explorer
2. Click properties, click the security tab and click advanced
3. Click Auditing
4. Click Add, Authenticated Users
5. Select all entries in the failed column except Write Attributes and Write Extended Attributes

(Configuring auditing for Anti-virus software)

IV. Set Security Policies, Settings, Rights Assignments and Special configuration options:

1. Security Settings/Policies/Settings

Though not covered in this document, domain security policies can be used to implement the policy settings covered in this section from the server and apply them to its clients. Additionally, creating a policy file template and using it on each system could assist in implementing the settings shown here.

a. Creating the local security policy:

To create a local security policy for Windows 2000/XP, click start, settings, control panel, administrative tools and then double-click Local Security Policy. You should see the following screen:

(Local Security Settings Screen)

Select (click) Account Policies, Password Policy and make sure the settings match the settings below:

(Local Security Settings Password Policy)

Select (Click) Account Policies, Account Lockout Policy and make the settings match the following:

Select (Click) Local Policies, Audit Policy and set the Local Audit Policy as follows:

Select (Click) User Rights Assignment (below Local Policies), set the Local User Rights Assignment to permit only Administrators to modify the system time:

(Modifying who can change the system time)

2. Rights Assignments and Special configuration options

In order to allow a non-administrative user to perform audits, the Manage auditing and security log setting needs to have that user added. This can be done by double-clicking the Manage auditing and security log field within Local Security Settings, Local Policies, User Rights Assignment.

(Modifying who can manage auditing and security logs)

A couple of special configuration options that need to be set are:

a. Do not display last user name in logon screen: This is set from the Local Policies, Security Options portion of the Local Security Settings window. Double-click on Do not display last user name in logon screen and select Enabled

(Setting the Do not display last user name in logon screen)

b. Anti virus Software updates: The anti virus software must have its virus signatures updated every thirty days (at minimum) by a user with Administrator access. The procedures to update virus signatures differ between manufacturers (refer to the documentation that came with your software for information on how to perform these updates).

V. Notes about user accounts

- Only required and approved system accounts should exist
- The Guest account (and any other unused system accounts) should be disabled
  a. Right-click on My Computer, select Manage, click Local Users and Groups, click Users
  b. Right-click on Guest, select properties and select the Account is Disabled check-box

  (Disabling the Guest account)
- Users must be briefed and sign/submit a briefing statement PRIOR to having accounts created
- Choose a standard naming convention, for example: doej (last name first initial)
- Limit the number of users with Administrator access and create separate accounts for them to use when performing administrative tasks, for example: doej (normal account for day to day work), doej-admin (special Administrative account for administrator access)

- Rename the built in Administrator account to the user name of the main system administrator (i.e. doej-admin)
- Re-validate user accounts at least once per year
- If a user no longer needs access to (or loses access to) the system for any reason, deactivate and/or remove his/her account immediately
- Remind users that they are NOT to write down, share or otherwise compromise the integrity of their account passwords

VI. Configuring Event Viewer, Performing Security Audits and saving log files

The following steps describe how the system auditor should review the system audit logs and then save them to a secure location (see Section III, Part 3, Step c). This process is to be performed on a weekly basis. If possible, it is recommended that the administrator and the auditor be different users on the system.

1. The Event Viewer allows you to configure various options related to the security log. To ensure that all security relevant events are captured and none are overwritten, do the following:

a. Right-click on My Computer, select Manage
b. Within the Computer Management application click on System Tools, Event Viewer and right-click on Security
c. Select properties
d. Configure the settings to match the following (leave all settings listed in the filter tab unchanged from their defaults):

(Settings for the Security Log file)

***NOTE*** Your system must have sufficient disk space to store all audit/security event information. It is also important that the Maximum log size be set high enough for your system's log activity. The 10240KB value is only a guideline. Past log file data (stored in the Audit Archive folder on the desktop of the user who performs the system audits) can be backed up to separate media, freeing space on the system drive. Remember that the log file data, and any media on which it is recorded, must be classified at the same security level as the system it came from.

2. Performing an audit of the security events captured in the Event Viewer consists of three steps:

a. Right-click on the My Computer folder, select Manage. Within the Computer Management application click on System Tools, Event Viewer and click Security
b. Audited events will show in the right hand portion of the Computer Management program

c. Examine the audit data and take appropriate action for abnormal activity/events. (Talk to your ISSM about how to handle unusual or unexpected results)

3. Knowing what to look for and what constitutes abnormal activity is a skill that can be gained by education and experience. The following suggestions are given to assist in discovering potentially abnormal activity captured in Windows audit logs. These suggestions are not all inclusive and cannot begin to replace experience. If you are inexperienced at reading audit logs, request assistance from someone who is more experienced. If you see something that you don't understand, ask your ISSM for guidance.

a. Look for the following:
   - multiple failed login attempts
   - login/access attempts during unusual or non-standard hours (i.e. 2 am)
   - attempts to access security files
   - unknown user name login attempts
   - account lockout
   - attempts at modifying the system time
   - attempts to access/modify the audit log files
   - new account creation
   - account modification (especially modification of security levels/groups)
b. Common Event IDs and Descriptions: See Appendix B for a list of Event IDs and their meanings

4. Saving log files is an important part of the auditor's job. These files must be kept for at least one year and should be treated as classified information (classified at the same level as the system they are created on). The steps to save and clear your event log are listed below (it is recommended that this be done each week after reviewing the previous week's events):

a. Right-click on the My Computer folder, select Manage. Within the Computer Management application click on System Tools, Event Viewer
b. Right-click on Security, select Clear all Events
c. Click Yes when prompted with Do you want to save Security before clearing it?
d. From the Save Security As screen, navigate to the desktop folder Audit Archive (created in Section III, Part 3, Step c)
e. Type the filename for the Event Log you are about to archive. Use the format EventLog-<MachineNameMonth-Day-Year>.evt (i.e. EventLog-SecretServer evt)
f. Click Save to save the event log
g. It is a good idea to verify that the event log saved properly (check for it in the Audit Archive folder on the auditor's desktop)
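The "Look for the following" list in step 3.a can be turned into a first-pass triage of an exported Security log. The script below is an added example, not part of the original guide: it uses the Event IDs listed in Section VII, while the column layout of the export, the sample records (constructed), the failure threshold, the normal working hours and the known-account list are all assumptions to be replaced with site values.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Event IDs taken from the guide's Event ID list (Section VII).
LOGON_SUCCESS = {528, 540}
LOGON_FAILURE = set(range(529, 538)) | {539}      # 529-537 plus 539 (locked out)
LOGON_ANY = LOGON_SUCCESS | LOGON_FAILURE
ALWAYS_REPORT = {
    517: "audit log cleared",
    539: "account locked out",
    612: "audit policy changed",
    624: "user account created",
    632: "member added to global group",
    636: "member added to local group",
}

# Assumptions for this example; site policy decides the real values.
FAILED_LOGON_THRESHOLD = 3        # failed logons per account per review period
NORMAL_HOURS = range(6, 19)       # 06:00 through 18:59
KNOWN_ACCOUNTS = {"doej", "doej-admin", "smithj"}

# Constructed sample records in an assumed column layout; "account" is the
# user name the record refers to (for 529, the name that was attempted).
SAMPLE_EXPORT = """\
timestamp,event_id,account,computer
2004-08-02 08:01:12,528,doej,SECRETSERVER
2004-08-02 17:40:55,538,doej,SECRETSERVER
2004-08-03 02:13:40,529,smithj,SECRETSERVER
2004-08-03 02:13:52,529,smithj,SECRETSERVER
2004-08-03 02:14:05,529,smithj,SECRETSERVER
2004-08-03 02:14:19,539,smithj,SECRETSERVER
2004-08-04 10:22:31,529,backup,SECRETSERVER
2004-08-04 14:05:00,624,tempuser,SECRETSERVER
2004-08-04 14:05:09,636,tempuser,SECRETSERVER
2004-08-05 03:30:44,540,doej-admin,SECRETSERVER
2004-08-05 03:41:02,517,doej-admin,SECRETSERVER
not-a-date,528,doej,SECRETSERVER
"""


def parse_export(text):
    """Return (events, rejected_rows); malformed rows are kept for manual review."""
    events, rejected = [], []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            events.append({
                "time": datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S"),
                "event_id": int(row["event_id"]),
                "account": row["account"].strip().lower(),
                "computer": row["computer"].strip(),
            })
        except (KeyError, TypeError, ValueError, AttributeError):
            rejected.append(row)
    return events, rejected


def triage(events):
    """Return time-sorted (time, rule, account) findings for the auditor to review."""
    findings = []
    failures = Counter()
    for ev in events:
        eid, acct, when = ev["event_id"], ev["account"], ev["time"]
        if eid in ALWAYS_REPORT:
            findings.append((when, ALWAYS_REPORT[eid], acct))
        if eid in LOGON_ANY and when.hour not in NORMAL_HOURS:
            findings.append((when, "logon attempt outside normal hours", acct))
        if eid in LOGON_FAILURE:
            failures[acct] += 1
            if acct not in KNOWN_ACCOUNTS:
                findings.append((when, "logon attempt with unknown user name", acct))
            # Report once, when the threshold is first reached.
            if failures[acct] == FAILED_LOGON_THRESHOLD:
                findings.append((when, "multiple failed logon attempts", acct))
    return sorted(findings)


if __name__ == "__main__":
    parsed, bad_rows = parse_export(SAMPLE_EXPORT)
    for when, rule, acct in triage(parsed):
        print(f"{when:%Y-%m-%d %H:%M:%S}  {rule:<40} {acct}")
    print(f"{len(bad_rows)} row(s) could not be parsed and need manual review")
```

A finding is a prompt to open the full record in Event Viewer, not a verdict; rows the parser rejects are returned rather than dropped so that a damaged export is itself visible to the auditor.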

VII. Policy review questions, Windows Event IDs

The policy review questions were created to aid ISSMs/ISSOs in training their users. After training users on system access policies, it's a good idea to ask questions similar to the following and discuss the answers (auditing and using secure systems isn't difficult; keeping focused while training to do so can be). Additional questions are welcome and will be added to this list. Please mail them to: Darren.L.Bennett@saic.com (include answers and comments).

1. Policy review questions:

Sample questions to ask users during training, security reviews and before DSS certification audits of classified systems:

T or F:

Allowing another user to access the system using your name/password is permitted as long as he/she has the appropriate clearance?
False - Only the user whose name is associated with an account may access that account. Sharing passwords is a violation of security policy. If a user shares his account information with another user, it is difficult (if not impossible) to determine who was logged onto a classified system at a given time.

Anti virus Signatures must be updated once every year on all systems?
False - Anti virus Signatures must be updated at least MONTHLY

Log files must be saved for 1 year?
True - They must be saved (and treated as classified material of the same level as the system from which they came)

The SAM database is considered a security related file?
True - The SAM database contains password and other security information. The SAM file must be secured and monitored.

All passwords must be at least 12 characters long?
False - While using a longer password is a good idea, all passwords must be at least 8 characters long (and meet complexity, history and other security requirements)

Audit files rarely exceed 10240KB in size?
False - The size of the audit files on a system can vary greatly. Be sure to check your file size regularly and ensure that you log all events that occur (This may even mean changing/increasing the 10240KB log file size we established in Event Viewer).

Audit files archived to tape (or other media) should be treated as classified (at the same level as the machine they were generated on)?
True - Audit files contain security information and need to be treated appropriately

2. Windows Event IDs and their meanings

To assist in interpreting System Audit files: (Taken from

Event ID: 512 (0x0200)
Description: Windows NT is starting up.

Event ID: 513 (0x0201)
Description: Windows NT is shutting down. All logon sessions will be terminated by this shutdown.

Event ID: 514 (0x0202)
Description: An authentication package has been loaded by the Local Security Authority. This authentication package will be used to authenticate logon attempts.
Authentication Package Name: %1

Event ID: 515 (0x0203)
Description: A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: %1

Event ID: 516 (0x0204)
Description: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Number of audit messages discarded: %1

Event ID: 517 (0x0205)
Description: The audit log was cleared
Primary Primary Domain: %2 Primary Logon ID: %3 Client User Name: %4 Client Domain: %5 Client Logon ID: %6

Event ID: 518 (0x0206)
Description: A notification package has been loaded by the Security Account Manager. This package will be notified of any account or password changes.
Notification Package Name: %1

Event ID: 528 (0x0210)
Description: Successful Logon:
Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7

Event ID: 529 (0x0211)
Type: Failure Audit
Description: Logon Failure
Reason: Unknown user name or bad password
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 530 (0x0212)
Type: Failure Audit
Description: Logon Failure
Reason: Account logon time restriction violation
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 531 (0x0213)
Type: Failure Audit
Description: Logon Failure
Reason: Account currently disabled
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 532 (0x0214)
Type: Failure Audit
Description: Logon Failure
Reason: The specified user account has expired
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 533 (0x0215)
Type: Failure Audit
Description: Logon Failure
Reason: User not allowed to logon at this computer
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 534 (0x0216)
Type: Failure Audit
Description: Logon Failure
Reason: The user has not been granted the requested logon type at this machine
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 535 (0x0217)
Type: Failure Audit
Description: Logon Failure
Reason: The specified account's password has expired
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 536 (0x0218)
Type: Failure Audit
Description: Logon Failure
Reason: The NetLogon component is not active
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 537 (0x0219)
Type: Failure Audit
Description: Logon Failure
Reason: An unexpected error occurred during logon
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 538 (0x021A)
Description: User Logoff
Domain: %2 Logon ID: %3 Logon Type: %4

Event ID: 539 (0x021B)
Type: Failure Audit
Description: Logon Failure
Reason: Account locked out
Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 540 (0x021c)
Description: Successful Network Logon
Domain: %2 Logon ID: %3 Logon Type: %4 Logon Process: %5 Authentication Package: %6 Workstation Name: %7

Event ID: 541 (0x021d)
Description: IKE security association established.
Mode: %1 Peer Identity: %2 Filter: %3 Parameters: %4

Event ID: 542 (0x021e)
Description: IKE security association ended.
Mode: Data Protection (Quick mode)
Filter: %1 Inbound SPI: %2 Outbound SPI: %3

Event ID: 543 (0x021f)
Description: IKE security association ended.
Mode: Key Exchange (Main mode)
Filter: %1

Event ID: 544 (0x0220)
Type: Failure Audit
Description: IKE security association establishment failed because peer could not authenticate. The certificate trust could not be established.
Peer Identity: %1 Filter: %2

Event ID: 545 (0x0221)
Type: Failure Audit
Description: IKE peer authentication failed.
Peer Identity: %1 Filter: %2

Event ID: 546 (0x0222)
Type: Failure Audit
Description: IKE security association establishment failed because peer sent invalid proposal.
Mode: %1 Filter: %2 Attribute: %3 Expected value: %4 Received value: %5

Event ID: 547 (0x0223)
Type: Failure Audit
Description: IKE security association negotiation failed.
Mode: %1 Filter: %2 Failure Point: %3 Failure Reason: %4

Event ID: 560 (0x0230)
Description: Object Open
Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID:{%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client 1 Client Domain: %12 Client Logon ID: %13 Accesses %14 Privileges %15

Event ID: 561 (0x0231)
Description: Handle Allocated
Handle ID: %1 Operation ID:{%2,%3} Process ID: %4

Event ID: 562 (0x0232)
Description: Handle Closed
Object Server: %1 Handle ID: %2 Process ID: %3

Event ID: 563 (0x0233)
Description: Object Open for Delete
Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID:{%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client 1 Client Domain: %12 Client Logon ID: %13 Accesses %14 Privileges %15

Event ID: 564 (0x0234)
Description: Object Deleted
Object Server: %1 Handle ID: %2 Process ID: %3

Event ID: 565 (0x0235)
Description: Object Open
Object Server: %1 Object Type: %2 Object Name: %3 New Handle ID: %4 Operation ID:{%5,%6} Process ID: %7 Primary User Name: %8 Primary Domain: %9 Primary Logon ID: %10 Client 1 Client Domain: %12 Client Logon ID: %13 Accesses %14 Privileges %15
Properties:%16%17%18%19%20%21%22%23%24%25

Event ID: 566 (0x0236)
Description: Object Operation
Operation Type %1 Object Type: %2 Object Name: %3 Handle ID: %4 Operation ID:{%5,%6} Primary User Name: %7 Primary Domain: %8 Primary Logon ID: %9 Client 0 Client Domain: %11 Client Logon ID: %12 Requested Accesses %13

Event ID: 576 (0x0240)
Description: Special privileges assigned to new logon:
Domain: %2 Logon ID: %3 Assigned: %4

Event ID: 577 (0x0241)
Description: Privileged Service Called
Server: %1 Service: %2 Primary User Name: %3 Primary Domain: %4 Primary Logon ID: %5 Client User Name: %6 Client Domain: %7 Client Logon ID: %8 Privileges: %9

Event ID: 578 (0x0242)
Description: Privileged object operation
Object Server: %1 Object Handle: %2 Process ID: %3 Primary User Name: %4 Primary Domain: %5 Primary Logon ID: %6 Client User Name: %7 Client Domain: %8 Client Logon ID: %9 Privileges: %10

Event ID: 592 (0x0250)
Description: A new process has been created
New Process ID: %1 Image File Name: %2 Creator Process ID: %3 User Name: %4 Domain: %5 Logon ID: %6

Event ID: 593 (0x0251)
Description: A process has exited
Process ID: %1 User Name: %2 Domain: %3 Logon ID: %4

Event ID: 594 (0x0252)
Description: A handle to an object has been duplicated
Source Handle ID: %1 Source Process ID: %2 Target Handle ID: %3 Target Process ID: %4

Event ID: 595 (0x0253)
Description: Indirect access to an object has been obtained
Object Type: %1 Object Name: %2 Process ID: %3 Primary User Name: %4 Primary Domain: %5 Primary Logon ID: %6 Client User Name: %7 Client Domain: %8 Client Logon ID: %9 Accesses: %10

Description: User Right Assigned
User Right: %1 Assigned To: %2
Assigned By User Name: %3 Domain: %4 Logon ID: %5

Event ID: 609 (0x0261)
Description: User Right Removed
User Right: %1 Removed From: %2
Removed By: User Name: %3 Domain: %4 Logon ID: %5

Event ID: 610 (0x0262)
Description: New Trusted Domain
Domain Name: %1 Domain ID: %2
Established By: User Name: %3 Domain: %4 Logon ID: %5

Event ID: 611 (0x0263)
Description: Removing Trusted Domain
Domain Name: %1 Domain ID: %2
Removed By: User Name: %3 Domain: %4 Logon ID: %5

Event ID: 612 (0x0264)
Description: Audit Policy Change
New Policy:
Success Failure
%1 %2 System
%3 %4 Logon/Logoff
%5 %6 Object Access
%7 %8 Privilege Use
%9 %10 Detailed Tracking
%11 %12 Policy Change
%13 %14 Account Management
Changed By: 5 Domain Name: %16 Logon ID: %17

Event ID: 613 (0x0265)
Description: IPSec policy agent started
Ipsec Policy Agent: %1 Policy Source: Event Data: %3

Event ID: 614 (0x0266)
Description: IPSec policy agent disabled
Ipsec Policy Agent: %1 Event Data:

Event ID: 615 (0x0267)
Description: IPSEC PolicyAgent Service: Event Data: %1
%1 %2 %2

Event ID: 616 (0x0268)
Type: Failure Audit
Description: IPSec policy agent encountered a potentially serious failure.
Event Data: %1

Event ID: 617 (0x0269)
Type: Success Audit
Description: Kerberos Policy Changed
Changed By: Domain Name: %2 Logon ID: %3
Changes made: %4
'-' means no changes, otherwise each change is shown as: Parameter Name: (new value) (old value)

Event ID: 618 (0x026a)
Type: Success Audit
Description: Encrypted Data Recovery Policy Changed
Changed By: Domain Name: %2 Logon ID: %3
Changes made: %4
'-' means no changes, otherwise each change is shown as: Parameter Name: new value (old value)

Event ID: 619 (0x026b)
Type: Success Audit
Description: Quality of Service Policy Changed
Changed By: Domain Name: %2 Logon ID: %3
Changes made: %4
'-' means no changes, otherwise each change is shown as: Parameter Name: new value (old value)

Event ID: 620 (0x026C)
Description: Trusted Domain Information Modified:
Domain Name: %1 Domain ID: %2
Modified By: User Name: %3 Domain: %4 Logon ID: %5

Event ID: 624 (0x0270)
Description: User Account Created
New Account Name: %1 New Domain: %2 New Account ID: %3 Privileges %7

Event ID: 625 (0x0271)
Description: User Account Type Change
Target Account Name: %1 Target Domain: %2 Target Account ID: %3 New Type: %4 Caller User Name: %5 Caller Domain: %6 Caller Logon ID: %7

Event ID: 626 (0x0272)
Description: User Account Enabled
Target Account Name: %1 Target Domain: %2 Target Account ID: %3
Note: Windows 2000 does not log event ID 626 explicitly. Results are logged as a part of event ID 642 in the description of the message.

Event ID: 627 (0x0273)
Description: Change Password Attempt
Target Account Name: %1 Target Domain: %2 Target Account ID: %3

Event ID: 628 (0x0274)
Description: User Account password set
Target Account Name: %1 Target Domain: %2 Target Account ID: %3

Event ID: 630 (0x0276)
Description: User Account Deleted:
Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Privileges: %7

Event ID: 631 (0x0277)
Description: Security Enabled Global Group Created
New Account Name: %1 New Domain: %2 New Account ID: %3 Privileges: %7

37 Event ID: 632 (0x0278) Description: Security Enabled Global Group Member Added Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9 Event ID: 633 (0x0279) Description: Security Enabled Global Group Member Removed Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9 Event ID: 634 (0x027A) Description: Security Enabled Global Group Deleted Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 635 (0x027B) Description: Security Enabled Local Group Created New Account Name: %1 New Domain: %2 New Account ID: %3 Privileges: %7 Event ID: 636 (0x027C) Description: Security Enabled Local Group Member Added Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9 Event ID: 637 (0x027D) Description: Security Enabled Local Group Member Removed Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4

38 Target Account ID: %5 Caller User Name: %6 Caller Logon ID: %8 Caller Domain: %7 Privileges: %9 Event ID: 638 (0x027E) Description: Security Enabled Local Group Deleted Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 639 (0x027F) Description: Security Enabled Local Group Changed Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 640 (0x0280) Description: General Account Database Change Type of change: %1 Object Type: %2 Object Name: %3 Object ID: %4 Caller User Name: %5 Caller Domain: %6 Caller Logon ID: %7 Event ID: 641 (0x0281) Description: Security Enabled Global Group Changed Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 642 (0x0282) Description: User Account Changed Target Account Name: %1 Target Account ID: %3 Target Domain: %2 Privileges: %7 Event ID: 643 (0x0283) Description: Domain Policy Changed: %1 modified Domain: %2 Domain ID: %3

39 Privileges: %7 Event ID: 644 (0x0284) Description: User Account Locked Out Target Account Name: %1 Caller Machine Name: %2 Target Account ID: %3 Event ID: 645 (0x0285) Description: Computer Account Created New Account Name: %1 New Account ID: %3 New Domain: %2 Privileges %7 Event ID: 646 (0x0286) Description: Computer Account Changed Target Account Name: %1 Target Account ID: %3 Caller User Name: %5 Caller Logon ID: %7 Target Domain: %2 Event ID: 647 (0x0287) Description: Computer Account Deleted Target Account Name: %1 Target Account ID: %3 Target Domain: %2 Caller Domain: %6 Privileges: %8 Privileges: %7 Event ID: 648 (0x0288) Description: Security Disabled Local Group Created Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 649 (0x0289) Description: Security Disabled Local Group Changed Target Account Name: %1 Target Domain: %2

40 Target Account ID: %3 Privileges: %7 Event ID: 650 (0x028A) Description: Security Disabled Local Group Member Added Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9 Event ID: 651 (0x028B) Description: Security Disabled Local Group Member Removed Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9 Event ID: 652 (0x028C) Description: Security Disabled Local Group Deleted Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 653 (0x028D) Description: Security Disabled Global Group Created New Account Name: %1 New Domain: %2 New Account ID: %3 Privileges: %7 Event ID: 654 (0x028E) Description: Security Disabled Global Group Changed Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 655 (0x028F)

41 Description: Security Disabled Global Group Member Added Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9 Event ID: 656 (0x0290) Description: Security Disabled Global Group Member Removed Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9 Event ID: 657 (0x0291) Description: Security Disabled Global Group Deleted Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 658 (0x0292) Description: Security Enabled Universal New Account Name: %1 New Account ID: %3 Event ID: 659 (0x0293) Description: Security Enabled Universal Target Account Name: %1 Target Account ID: %3 Event ID: 660 (0x0294) Description: Security Enabled Universal Member Name: %1 Target Account Name: %3 Target Account ID: %5 Caller User Name: %6 Caller Logon ID: %8 Group Created New Domain: %2 Privileges: %7 Group Changed Target Domain: %2 Privileges: %7 Group Member Added Member ID: %2 Target Domain: %4 Caller Domain: %7 Privileges: %9

42 Event ID: 661 (0x0295) Description: Security Enabled Universal Member Name: %1 Target Account Name: %3 Target Account ID: %5 Caller User Name: %6 Caller Logon ID: %8 Event ID: 662 (0x0296) Description: Security Enabled Universal Target Account Name: %1 Target Account ID: %3 Group Member Removed Member ID: %2 Target Domain: %4 Caller Domain: %7 Privileges: %9 Group Deleted Target Domain: %2 Privileges: %7 Event ID: 663 (0x0297) Description: Security Disabled Universal Group Created New Account Name: %1 New Domain: %2 New Account ID: %3 Privileges: %7 Event ID: 664 (0x0298) Description: Security Disabled Universal Group Changed Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 665 (0x0299) Description: Security Disabled Universal Group Member Added Member Name: %1 Member ID: %2 Target Account Name: %3 Target Domain: %4 Target Account ID: %5 Caller User Name: %6 Caller Domain: %7 Caller Logon ID: %8 Privileges: %9 Event ID: 666 (0x029A) Description: Security Disabled Universal Group Member Name: %1 Member Target Account Name: %3 Target Target Account ID: %5 Caller User Name: %6 Caller Member Removed ID: %2 Domain: %4 Domain: %7

43 Caller Logon ID: %8 Privileges: %9 Event ID: 667 (0x029B) Description: Security Disabled Universal Group Deleted Target Account Name: %1 Target Domain: %2 Target Account ID: %3 Privileges: %7 Event ID: 668 (0x029C) Description: Group Type Changed Target Account Name: %1 Target Account ID: %3 Caller User Name: %5 Caller Logon ID: %7 Target Domain: %2 Event ID: 669 (0x029D) Description: Add SID History Source Account Name: %1 Target Account Name: %3 Target Account ID: %5 Caller User Name: %6 Caller Logon ID: %8 Source Account ID: %2 Target Domain: %4 Event ID: 670 (0x029E) Description: Add SID History Source Account Name: %1 Target Domain: %3 Caller User Name: %5 Caller Logon ID: %7 Caller Domain: %6 Privileges: %8 Caller Domain: %7 Privileges: %9 Target Account Name: %2 Target Account ID: %4 Caller Domain: %6 Privileges: %8 Event ID: 672 (0x02a0) Description: Authentication Ticket Granted Supplied Realm Name: %2 User ID: %3 Service Name: %4 Service ID: %5 Ticket Options: %6 Ticket Encryption Type: %7 Pre-Authentication Type: %8 Client Address: %9 Event ID: 673 (0x02a1) Description: Service Ticket Granted User Domain: %2

44 Service Name: %3 Ticket Options: %5 Client Address: %7 Event ID: 674 (0x02a2) Description: Ticket Granted Renewed Service Name: %3 Ticket Options: %5 Client Address: %7 Event ID: 675 (0x02a3) Type: Failure Audit Description: Pre-authentication failed Service Name: %3 Failure Code: %5 Service ID: %4 Ticket Encryption Type: %6 User Domain: %2 Service ID: %4 Ticket Encryption Type: %6 User ID: %2 Pre-Authentication Type: %4 Client Address: %6 Event ID: 676 (0x02a4) Type: Failure Audit Description: Authentication Ticket Request Failed Supplied Realm Name: %2 Service Name: %3 Ticket Options: %4 Failure Code: %5 Client Address: %6 Event ID: Type: Description: Description: 677 (0x02a5) Failure Audit Service Ticket Request Failed: Authentication Ticket Request Failed Supplied Realm Name: %2 Service Name: %3 Ticket Options: %4 Failure Code: %5 Client Address: %6 Event ID: 678 (0x02a6) Description: Account Mapped for Logon by: %1 Client Name: %2 Mapped Name:%3 Event ID: 679 (0x02a7) Type: Failure Audit Description: The name: %2 could not be mapped for logon by: %1 Event ID: 680 (0x02a8) Description: Account Used for Logon by: %1 Account Name: %2 Workstation: %3

45 Event ID: 681 (0x02a9) Type: Failure Audit Description: The logon to account: %2 by: %1 from workstation: %3 failed. The error code was: %4 Event ID: 682 (0x02aa) Description: Session reconnected to winstation: Domain: %2 Logon ID: %3 Session Name: %4 Client Name: %5 Client Address: %6 Event ID: 683 (0x02ab) Description: Session disconnected from winstation: Domain: %2 Logon ID: %3 Session Name: %4 Client Name: %5 Client Address: %6


More information

Installing GFI MailEssentials

Installing GFI MailEssentials Installing GFI MailEssentials Introduction to installing GFI MailEssentials This chapter explains the procedure on how to install and configure GFI MailEssentials. GFI MailEssentials can be installed in

More information

Imaging License Server User Guide

Imaging License Server User Guide IMAGING LICENSE SERVER USER GUIDE Imaging License Server User Guide PerkinElmer Viscount Centre II, University of Warwick Science Park, Millburn Hill Road, Coventry, CV4 7HS T +44 (0) 24 7669 2229 F +44

More information

Charter Business Desktop Security Administrator's Guide

Charter Business Desktop Security Administrator's Guide Charter Business Desktop Security Administrator's Guide Table of Contents Chapter 1: Introduction... 4 Chapter 2: Getting Started... 5 Creating a new user... 6 Recovering and changing your password...

More information

VMware Mirage Web Manager Guide

VMware Mirage Web Manager Guide Mirage 5.1 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

Pearl Echo Installation Checklist

Pearl Echo Installation Checklist Pearl Echo Installation Checklist Use this checklist to enter critical installation and setup information that will be required to install Pearl Echo in your network. For detailed deployment instructions

More information

Remote Management System

Remote Management System RMS Copyright and Distribution Notice November 2009 Copyright 2009 ARTROMICK International, Inc. ALL RIGHTS RESERVED. Published 2009. Printed in the United States of America WARNING: ANY UNAUTHORIZED

More information

Audit Policy Subcategories

Audit Policy Subcategories 668 CHAPTER 20 Windows Server 2008 R2 Management and Maintenance Practices These recommended settings are sufficient for the majority of organizations. However, they can generate a heavy volume of events

More information

STATISTICA VERSION 11 CONCURRENT NETWORK LICENSE WITH BORROWING INSTALLATION INSTRUCTIONS

STATISTICA VERSION 11 CONCURRENT NETWORK LICENSE WITH BORROWING INSTALLATION INSTRUCTIONS data analysis data mining quality improvement web-based analytics Notes STATISTICA VERSION 11 CONCURRENT NETWORK LICENSE WITH BORROWING INSTALLATION INSTRUCTIONS 1. The installation of the Concurrent network

More information

How To Set Up Total Recall Web On A Microsoft Memorybook 2.5.2.2 (For A Microtron)

How To Set Up Total Recall Web On A Microsoft Memorybook 2.5.2.2 (For A Microtron) Total Recall Web Web Module Manual and Customer Quick Reference Guides COPYRIGHT NOTICE Copyright 1994-2009 by DHS Associates, Inc. All Rights Reserved. All TOTAL RECALL, TOTAL RECALL SQL, TOTAL RECALL

More information

PROMISE ARRAY MANAGEMENT (PAM) for

PROMISE ARRAY MANAGEMENT (PAM) for PROMISE ARRAY MANAGEMENT (PAM) for FastTrak SX4030, SX4060 and S150 SX4-M User Manual Version 1.1 PAM for FastTrak SX4030, SX4060 and S150 SX4-M User Manual Copyright 2004 Promise Technology, Inc. All

More information

Zimbra Connector for Microsoft Outlook User Guide 7.1

Zimbra Connector for Microsoft Outlook User Guide 7.1 Zimbra Connector for Microsoft Outlook User Guide 7.1 March 2011 Legal Notices Copyright 2005-2011 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual

More information

Sage 300 ERP 2012. Sage CRM 7.1 Integration Guide

Sage 300 ERP 2012. Sage CRM 7.1 Integration Guide Sage 300 ERP 2012 Sage CRM 7.1 Integration Guide This is a publication of Sage Software, Inc. Version 2012 Copyright 2012. Sage Software, Inc. All rights reserved. Sage, the Sage logos, and the Sage product

More information

Installing Active Directory

Installing Active Directory Installing Active Directory 119 Installing Active Directory Installing Active Directory is an easy and straightforward process as long as you planned adequately and made the necessary decisions beforehand.

More information

Lenovo Online Data Backup User Guide Version 1.8.14

Lenovo Online Data Backup User Guide Version 1.8.14 Lenovo Online Data Backup User Guide Version 1.8.14 Contents Chapter 1: Installing Lenovo Online Data Backup...5 Downloading the Lenovo Online Data Backup Client...5 Installing the Lenovo Online Data

More information

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X)

SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) WHITE PAPER SECURITY BEST PRACTICES FOR CISCO PERSONAL ASSISTANT (1.4X) INTRODUCTION This document covers the recommended best practices for hardening a Cisco Personal Assistant 1.4(x) server. The term

More information

Administration Guide ActivClient for Windows 6.2

Administration Guide ActivClient for Windows 6.2 Administration Guide ActivClient for Windows 6.2 ActivClient for Windows Administration Guide P 2 Table of Contents Chapter 1: Introduction....................................................................12

More information

Default Domain Policy Data collected on: 10/12/2012 5:28:08 PM General

Default Domain Policy Data collected on: 10/12/2012 5:28:08 PM General Default Domain Default Domain Data collected on: 10/12/2012 5:28:08 PM General Details Domain Owner Created Modified User Revisions Computer Revisions Unique ID GPO Status webrecon.local WEBRECON\Domain

More information

Global VPN Client Getting Started Guide

Global VPN Client Getting Started Guide Global VPN Client Getting Started Guide 1 Notes, Cautions, and Warnings NOTE: A NOTE indicates important information that helps you make better use of your system. CAUTION: A CAUTION indicates potential

More information

Guide to deploy MyUSBOnly via Windows Logon Script Revision 1.1. Menu

Guide to deploy MyUSBOnly via Windows Logon Script Revision 1.1. Menu Menu INTRODUCTION...2 HOW DO I DEPLOY MYUSBONLY ON ALL OF MY COMPUTERS...3 ADMIN KIT...4 HOW TO SETUP A LOGON SCRIPTS...5 Why would I choose one method over another?...5 Can I use both methods to assign

More information

InventoryControl for use with QuoteWerks Quick Start Guide

InventoryControl for use with QuoteWerks Quick Start Guide InventoryControl for use with QuoteWerks Quick Start Guide Copyright 2013 Wasp Barcode Technologies 1400 10 th St. Plano, TX 75074 All Rights Reserved STATEMENTS IN THIS DOCUMENT REGARDING THIRD PARTY

More information

Windows XP with Symantec AntiVirus 10 Corporate Edition

Windows XP with Symantec AntiVirus 10 Corporate Edition NC State University 1 of 7 Windows XP with Symantec AntiVirus 10 Corporate Edition home download free antivirus now windows xp with symantec antivirus 10 corporate edition Install SAV10 on Windows XP only

More information

Windows Server 2008/2012 Server Hardening

Windows Server 2008/2012 Server Hardening Account Policies Enforce password history 24 Maximum Password Age - 42 days Minimum Password Age 2 days Minimum password length - 8 characters Password Complexity - Enable Store Password using Reversible

More information

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. For Windows Server 2008 (Domain Member Servers and Domain Controllers)

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark. For Windows Server 2008 (Domain Member Servers and Domain Controllers) Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark For Windows Server 2008 (Domain Member Servers and Domain Controllers) Symantec Enterprise Security Manager Baseline Policy

More information

Walton Centre. Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure

Walton Centre. Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure Page 1 Walton Centre Access and Authentication (network) Document History Date Version Author Changes 01/10/04 1.0 A Cobain L Wyatt 31/03/05 1.1 L Wyatt Update to procedure Page 2 Table of Contents Section

More information

For Active Directory Installation Guide

For Active Directory Installation Guide For Active Directory Installation Guide Version 2.5.2 April 2010 Copyright 2010 Legal Notices makes no representations or warranties with respect to the contents or use of this documentation, and specifically

More information

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report

Xerox Multifunction Devices. Verify Device Settings via the Configuration Report Xerox Multifunction Devices Customer Tips March 15, 2007 This document applies to these Xerox products: X WC 4150 X WCP 32/40 X WCP 35/45/55 X WCP 65/75/90 X WCP 165/175 X WCP 232/238 X WCP 245/255 X WCP

More information

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER

STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER Notes: STATISTICA VERSION 9 STATISTICA ENTERPRISE INSTALLATION INSTRUCTIONS FOR USE WITH TERMINAL SERVER 1. These instructions focus on installation on Windows Terminal Server (WTS), but are applicable

More information

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client

Astaro Security Gateway V8. Remote Access via L2TP over IPSec Configuring ASG and Client Astaro Security Gateway V8 Remote Access via L2TP over IPSec Configuring ASG and Client 1. Introduction This guide contains complementary information on the Administration Guide and the Online Help. If

More information

Deploying Windows Streaming Media Servers NLB Cluster and metasan

Deploying Windows Streaming Media Servers NLB Cluster and metasan Deploying Windows Streaming Media Servers NLB Cluster and metasan Introduction...................................................... 2 Objectives.......................................................

More information

Empowered by Innovation. Setting Up and Using Fax Mail. P/N 1770087 July 2006 Printed in U.S.A.

Empowered by Innovation. Setting Up and Using Fax Mail. P/N 1770087 July 2006 Printed in U.S.A. Empowered by Innovation Setting Up and Using Fax Mail P/N 1770087 July 2006 Printed in U.S.A. This manual has been developed by NEC Unified Solutions, Inc. It is intended for the use of its customers and

More information