SUMMARY

We're being required to enable auditing for Failure in the "Privilege Use" category on a stand-alone Vista box. When we do so, we get many apparently spurious "Audit Failure" messages. Is there any known technique which will address this issue while leaving said auditing enabled?

ENVIRONMENT

Windows Vista, Service Pack 2
Stand-alone computer
No network, no Internet, no domain
UAC AAM is enabled

REPRODUCTION

1. From an elevated command prompt:

   AUDITPOL /SET /CATEGORY:"Privilege Use" /FAILURE:ENABLE

2. Observe events in "Security" log in Windows Event Viewer.

INVESTIGATION

We get a dozen or so of Event 4674 Failure, "An operation was attempted on a privileged object", during system startup. See <http://pastebin.com/f3c78ec41> for an example. The subject is always SYSTEM, the executable is always "LSASS.EXE". They all mention "SeSecurityPrivilege" in the description. That's "Manage Audit and Security Log", according to MSKB 245207. We could probably live with this, since it seems to be confined to startup.

But we get Event 4673 Failure, "A privileged service was called", at any time. See <http://pastebin.com/f757bf3be>. They all mention "SeTcbPrivilege" in the description. (MSKB says "Act as part of the operating system".) "LSASS.EXE" and "SYSTEM" are again the most common sources, but I've also seen SVCHOST.EXE and EXPLORER.EXE, and the PCADMIN user I was logged in as. While it seems to be logged in spurts, overall, the trend seems to be roughly 100 events per hour. That will be much harder to explain away.

I tried auditing just subcategory "Sensitive Privilege Use", but the same behavior results.

I've tried it in a clean install of Vista in a VM, and got the same behavior, even with UAC at the defaults.

I can't turn off AAM entirely because we also need FRV to make the app software work, and turning off AAM also turns off FRV.

Microsoft's official stance on this appears to be that privilege use auditing in Windows is broken, and you just shouldn't use it. Really:

"Do not enable auditing for privilege use because of the high volume of events that this configuration would generate."
(http://technet.microsoft.com/en-us/library/cc875806.aspx)

"These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred."
(http://technet.microsoft.com/en-us/library/cc875806.aspx)

Unfortunately, I'm told that we can't get approved for these systems with privilege auditing disabled. It's a DoD requirement. Meanwhile, the security inspectors really, *really* dislike seeing logs full of "Audit Failure" messages.

Anyone have any ideas?

-- Ben
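An added example, not part of the original post: a PowerShell script that tallies the 4673/4674 Audit Failure events the post describes by privilege, process and subject, so the expected SeTcbPrivilege/SeSecurityPrivilege noise from LSASS/SYSTEM can be documented as a baseline and anything outside it flagged for review. It assumes PowerShell 2.0 or later (for Get-WinEvent) running in an elevated session, since reading the Security log requires it.

```powershell
# Added example, not from the original post. Assumes PowerShell 2.0+ (Get-WinEvent)
# in an elevated session. Summarises Event 4673/4674 Audit Failure entries so the
# noise the post describes can be baselined and anything unusual reviewed.

$hours = 24
$windowMs = $hours * 3600 * 1000          # timediff() in event-log XPath is in milliseconds
$auditFailure = 4503599627370496          # 0x10000000000000: the Audit Failure keyword bit

# Only Audit Failure 4673/4674 events from the last $hours hours.
$query = "*[System[(EventID=4673 or EventID=4674) and band(Keywords,$auditFailure)" +
         " and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

# Privileges the post identifies as the usual source of the noise; anything else is flagged.
$expectedPrivileges = @('SeTcbPrivilege', 'SeSecurityPrivilege')

function Get-EventDataField {
    param([xml]$EventXml, [string]$Name)
    # Pull one named <Data> element out of the event's <EventData> block.
    $node = $EventXml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' } else { '' }
}

$rows = foreach ($e in (Get-WinEvent -LogName Security -FilterXPath $query -ErrorAction SilentlyContinue)) {
    $x = [xml]$e.ToXml()
    New-Object PSObject -Property @{
        Id        = $e.Id
        Privilege = (Get-EventDataField $x 'PrivilegeList').Trim()
        Process   = Get-EventDataField $x 'ProcessName'
        Subject   = Get-EventDataField $x 'SubjectUserName'
    }
}

# Group identical (event, privilege, process, subject) tuples, rate them per hour,
# and mark any tuple whose privilege list contains something outside the expected set.
$summary = $rows | Group-Object Id, Privilege, Process, Subject |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{n='PerHour'; e={ [math]::Round($_.Count / $hours, 1) }},
        @{n='Review';  e={
            $privs = $_.Group[0].Privilege -split '\s+'
            if ($privs | Where-Object { $expectedPrivileges -notcontains $_ }) { 'YES' } else { '' }
        }},
        Name

$summary | Format-Table -AutoSize
```

Rows with an empty Review column match the LSASS/SYSTEM pattern the post already explains; rows marked YES are the ones worth an explanation before the inspectors ask.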
