Wow, Ben.. Gotta love Microsoft's stance on that one. We are still running strictly XP for our DoD (NISPOM) stuff due to the lack of support and knowledge on configuring Vista to be compliant.. Goes without saying, once we heard mention of Windows 7 we were contemplating skipping Vista completely and I think this may be the last nail in that coffin.
Sorry I don't have any bright ideas at the moment, but thanks for the heads up on this. I just hope it's not the same situation with Windows 7... Funny thing is, I also see some of the 'SeTcbPrivilege' failures on XP and was never really able to explain them, but they didn't occur nearly as often as what you're seeing on Vista, maybe one or two every hour, although it seemed pretty random.

On Wed, Oct 14, 2009 at 1:35 PM, Ben Scott <[email protected]> wrote:
> SUMMARY
>
> We're being required to enable auditing for Failure in the "Privilege Use" category on a stand-alone Vista box. When we do so, we get many apparently spurious "Audit Failure" messages. Is there any known technique which will address this issue while leaving said auditing enabled?
>
> ENVIRONMENT
>
> Windows Vista, Service Pack 2
> Stand-alone computer
> No network, no Internet, no domain
> UAC AAM is enabled
>
> REPRODUCTION
>
> 1. From an elevated command prompt:
>
>     AUDITPOL /SET /CATEGORY:"Privilege Use" /FAILURE:ENABLE
>
> 2. Observe events in "Security" log in Windows Event Viewer.
>
> INVESTIGATION
>
> We get a dozen or so of Event 4674 Failure, "An operation was attempted on a privileged object", during system startup. See <http://pastebin.com/f3c78ec41> for an example. The subject is always SYSTEM, the executable is always "LSASS.EXE". They all mention "SeSecurityPrivilege" in the description. That's "Manage Audit and Security Log", according to MSKB 245207. We could probably live with this, since it seems to be confined to startup.
>
> But we get Event 4673 Failure, "A privileged service was called", at any time. See <http://pastebin.com/f757bf3be>. They all mention "SeTcbPrivilege" in the description. (MSKB says "Act as part of the operating system".) "LSASS.EXE" and "SYSTEM" are again the most common sources, but I've also seen SVCHOST.EXE and EXPLORER.EXE, and the PCADMIN user I was logged in as. While it seems to be logged in spurts, overall, the trend seems to be roughly 100 events per hour. That will be much harder to explain away.
>
> I tried auditing just subcategory "Sensitive Privilege Use", but the same behavior results.
>
> I've tried it in a clean install of Vista in a VM, and got the same behavior, even with UAC at the defaults. I can't turn off AAM entirely because we also need FRV to make the app software work, and turning off AAM also turns off FRV.
>
> Microsoft's official stance on this appears to be that privilege use auditing in Windows is broken, and you just shouldn't use it. Really:
>
> "Do not enable auditing for privilege use because of the high volume of events that this configuration would generate."
> (http://technet.microsoft.com/en-us/library/cc875806.aspx)
>
> "These are high volume events, which typically do not contain sufficient information to act upon since they do not describe what operation occurred."
> (http://technet.microsoft.com/en-us/library/cc875806.aspx)
>
> Unfortunately, I'm told that we can't get approved for these systems with privilege auditing disabled. It's a DoD requirement. Meanwhile, the security inspectors really, *really* dislike seeing logs full of "Audit Failure" messages.
>
> Anyone have any ideas?
>
> -- Ben
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
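For anyone who needs to explain these logs to an inspector rather than silence them, here is an added triage script (not part of the thread) that measures the 4673/4674 failure rate and groups the events by privilege, subject SID and process, so the LSASS/SYSTEM tuples Ben describes can be shown as a stable baseline and anything else surfaced for review. It assumes Windows PowerShell 2.0 or later with Get-WinEvent, an elevated session (the Security log is admin-only), and uses S-1-5-18 as the well-known SID for the SYSTEM account.

```powershell
# Added example: summarise "Privilege Use" audit failures (Event 4673/4674).
# Assumes Windows PowerShell 2.0+ and an elevated prompt. Window defaults to 24h.
param([int]$Hours = 24)

$since = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4673, 4674; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.KeywordsDisplayNames -contains 'Audit Failure' }

# Pull one named EventData field out of the event's XML rendering.
function Get-Field($xmlEvent, $name) {
    ($xmlEvent.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

$rows = @(foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    New-Object PSObject -Property @{
        Time       = $e.TimeCreated
        Id         = $e.Id
        SubjectSid = Get-Field $x 'SubjectUserSid'
        Subject    = Get-Field $x 'SubjectUserName'
        Process    = Get-Field $x 'ProcessName'
        Privilege  = ((Get-Field $x 'PrivilegeList') -replace '\s+', ' ').Trim()
    }
})

# Hourly rate, comparable to the "roughly 100 events per hour" figure in the thread.
"{0} privilege-use failures in the last {1}h ({2:N1}/h)" -f $rows.Count, $Hours, ($rows.Count / $Hours)

# Baseline: which (privilege, subject, process) combinations produce the bulk of the noise.
$rows | Group-Object Privilege, SubjectSid, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Everything that is NOT the SYSTEM / lsass.exe / SeTcbPrivilege pattern described in
# the thread; these are the events an inspector will ask about first.
$rows | Where-Object {
    -not ($_.SubjectSid -eq 'S-1-5-18' -and $_.Process -match '\\lsass\.exe$' -and $_.Privilege -eq 'SeTcbPrivilege')
} | Sort-Object Time | Format-Table Time, Id, Subject, Process, Privilege -AutoSize
```

Run it periodically and keep the grouped output with the system's accreditation paperwork; a baseline that does not change between runs is much easier to explain than a raw log full of "Audit Failure" entries.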
