WinSecWiki » Windows Security Settings » Local Policies » Audit Policy » Audit object access

Removable Storage Devices

whsmith — Mon, 17 Jun 2013 16:51:59 GMT

In Windows Server 2012 and Windows 8, when a user attempts to access a removable storage device Success audit Event 4663 or Failure audits Event 4656 is generated each time. Failure events will not be generated unless Audit Handle Manipulation is also configured.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4656	A handle to an object was requested
4663	An attempt was made to access an object

Handle Manipulation

whsmith — Mon, 17 Jun 2013 15:27:01 GMT

This category logs one and only one event. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

In Server 2012, to log removable storage device failure events, handle manipulation must also be enabled.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4690	An attempt was made to duplicate a handle to an object

Other Object Access Events

whsmith — Tue, 28 Aug 2012 17:09:08 GMT

This is a hodgepodge of miscellaneous Object Access events. The most valuable event in this category are the ones allowing you to monitor changes to Scheduled Tasks and file deletion. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4656	A handle to an object was requested
4658	The handle to an object was closed
4659	A handle to an object was requested with intent to delete
4660	An object was deleted
4663	An attempt was made to access an object
4664	An attempt was made to create a hard link.
4691	Indirect access to an object was requested
4698	A scheduled task was created
4699	A scheduled task was deleted.
4700	A scheduled task was enabled.
4701	A scheduled task was disabled
4702	A scheduled task was updated.

Filtering Platform Connection

whsmith — Tue, 28 Aug 2012 17:07:33 GMT

As the name would indicate, this category logs events associated with network connections permitted or blocked by Windows Firewall and the lower level Windows Filtering Platform. What's it doing in the higher level Object Access category? Who knows. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
5031	The Windows Firewall Service blocked an application from accepting incoming connections on the network.
5154	The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
5155	The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
5156	The Windows Filtering Platform has allowed a connection
5157	The Windows Filtering Platform has blocked a connection
5158	The Windows Filtering Platform has permitted a bind to a local port.
5159	The Windows Filtering Platform has blocked a bind to a local port.

Filtering Platform Packet Drop

whsmith — Tue, 28 Aug 2012 17:04:56 GMT

As the name would indicate, the category logs events associated with packets blocked by Windows Firewall and the lower level Windows Filtering Platform. What's it doing in the higher level Object Access category? Who knows. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
5152	The Windows Filtering Platform blocked a packet.
5153	A more restrictive Windows Filtering Platform filter has blocked a packet.

File Share

whsmith — Tue, 28 Aug 2012 17:03:00 GMT

This category logs one and only one event. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
5140	A network share object was accessed.

Application Generated

whsmith — Tue, 28 Aug 2012 16:57:30 GMT

This category apparently logs provides a way for applications to report audit events to the security log and is no doubt related to Authorization Manager. I've not researched this category and welcome any help from the community in documenting it. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

This category is also used by the LOGbinder family of agents for reporting application audit events from SharePoint, SQL Server and more.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4665	An attempt was made to create an application client context.
4666	An application attempted an operation
4667	An application client context was deleted
4668	An application was initialized.
10-59	SharePoint Audit Events Generated by LOGbinder SP

Certification Services

whsmith — Tue, 28 Aug 2012 16:54:07 GMT

Certification Services is the built-in Certification Authority and related PKI functionality in Windows Server and this category provides exhaustive auditing of related activity. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4868	The certificate manager denied a pending certificate request.
4869	Certificate Services received a resubmitted certificate request.
4870	Certificate Services revoked a certificate.
4871	Certificate Services received a request to publish the certificate revocation list (CRL).
4872	Certificate Services published the certificate revocation list (CRL).
4873	A certificate request extension changed.
4875	Certificate Services received a request to shut down.
4876	Certificate Services backup started.
4877	Certificate Services backup completed.
4878	Certificate Services restore started.
4879	Certificate Services restore completed.
4880	Certificate Services started.
4881	Certificate Services stopped.
4882	The security permissions for Certificate Services changed.
4883	Certificate Services retrieved an archived key.
4884	Certificate Services imported a certificate into its database.
4885	The audit filter for Certificate Services changed.
4886	Certificate Services received a certificate request.
4887	Certificate Services approved a certificate request and issued a certificate.
4888	Certificate Services denied a certificate request.
4889	Certificate Services set the status of a certificate request to pending.
4890	The certificate manager settings for Certificate Services changed.
4891	A configuration entry changed in Certificate Services.
4892	A property of Certificate Services changed.
4893	Certificate Services archived a key.
4894	Certificate Services imported and archived a key.
4895	Certificate Services published the CA certificate to Active Directory Domain Services.
4896	One or more rows have been deleted from the certificate database.
4897	Role separation enabled
4898	Certificate Services loaded a template.
4899	A Certificate Services template was updated.
4900	Certificate Services template security was updated.

SAM

whsmith — Tue, 28 Aug 2012 16:51:33 GMT

This category allows you to track access to objects in the SAM (Security Account Manager) where local users and groups are stored on non-domain controller systems. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4658	The handle to an object was closed
4660	An object was deleted
4661	A handle to an object was requested
4663	An attempt was made to access an object

Kernal Object

whsmith — Tue, 28 Aug 2012 16:47:21 GMT

This sub-category is probably only of interest to developers. An example of a kernel object is a security token. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

	4656	A handle to an object was requested
	4658	The handle to an object was closed

Registry

whsmith — Tue, 28 Aug 2012 16:22:24 GMT

This category allows you to track access to registry keys and values. To configure this on Server 2008 and Vista you must use auditpol. Windows 7 and Server 2008 R2 and later can use Group Policy.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4656	A handle to an object was requested
4657	A registry value was modified
4658	The handle to an object was closed
4660	An object was deleted
4663	An attempt was made to access an object

File System

whsmith — Tue, 28 Aug 2012 16:19:11 GMT

This category allows you to track access to files and folders. To enable or disable this category you must use the auditpol command.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
4656	A handle to an object was requested
4658	The handle to an object was closed
4660	An object was deleted
4663	An attempt was made to access an object
4685	The state of a transaction has changed
4985	The state of a transaction has changed.

Detailed File Share

whsmith — Tue, 28 Aug 2012 16:12:48 GMT

This category does not exist prior to R2 of Windows Server 2008 or Windows 7.

This category logs one and only one event. Windows 7 and Server 2008 R2 and later can use Group Policy to enable it.

Coverage on events generated by this category are currently in the Security Log Encyclopedia:

Event ID	Title
5145	A network share object was checked to see whether client can be granted desired access.

OVERVIEW: Audit Object Access

instantasp@gmail.com — Thu, 02 Apr 2009 18:20:22 GMT

The Audit object access policy handles auditing access to all objects outside AD. The first use you might think of for the policy is file and folder auditing, but you can use it to audit access to any type of Windows object including registry keys, printers, and services. Furthermore, auditing access to an object such as a crucial file requires you to enable more than just this category; you must also enable auditing for the specific objects you want to track. To configure an object’s audit policy, open the object's Properties, select the Security tab, click Advanced, and then select the Auditing tab. Be warned: This policy can really bog down your server if you enable it on too many objects.

The following is an excerpt from my book , The Windows Server Security Log Revealed :

You can use the Object Access Security log category to audit any and all attempts to access files and other Windows objects. The only auditable objects not covered by this category are AD objects, which you can track by using the Directory Service category. In addition to tracking files, you can track success and failure access attempts on folders, services, registry keys, and printer objects. The way in which you define Object Access audit policy and the format of information recorded in the Security log for this category are closely related to the structure of the ACLs that all objects use to define who can access the object and how.

When you enable the Audit object access events policy for a given computer, Windows doesn’t immediately begin auditing all access events for all objects because the system would immediately grind to a halt. Activating object access auditing is a two-step procedure. First, enable the Audit object access events policy on the system that contains the objects you want to monitor. Second, select specific objects and define the types of access you want to monitor. you make these selections in the object’s audit settings, which you’ll find on the object's Advanced Security Settings dialog box. For instance, Figure 7-1 displays the audit settings for a folder named Accounting Data.

Figure 7‑1 Object audit policy

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom Line

Windows XP, 2000 and 2003: I don’t recommend enabling this policy unless you have specific objects and permissions types planned for auditing.
Windows Server 2008 and Vista: I don't recommend managing audit policy at this level because too much noise is generated. Use subcategories instead. See Audit Category: Object Access (Windows Server 2008 and Vista).