Generate security audits
AKA: SeAuditPrivilege, Generate security audits
Note: This is an admin-equivalent right.
Default assignment: Local System (This default assignment does not show up in Local Security Policy. It is implicit.)
This extremely sensitive right allows you to report events to the security log using the ReportEvent() API. Malicious uses of this right include filling up or flushing out the security log to hide or destroy records of unauthorized activity, forging false audit trails, or simple denial of service.
No account should have this right, with very special exceptions. For instance, some log management products (e.g. Secure Vantage) reuse the log management infrastructure originally created for the Windows security log to handle other security logs, such as SQL Server's; they run a process that requires this right in order to port SQL Server security log entries into the Windows security log. Such exceptions should be carefully investigated to ensure that the application and the account that uses this right are secure.
Use of this right does not generate security log entries, but any user with this right at the time of logon will generate event ID 576. By default this right is not audited even if you enable Audit privilege use. See Full Privilege Auditing.
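One way to carry out the review of exceptions described above, as an added example that is not part of the original wiki page: a PowerShell script that exports the local User Rights Assignment with secedit and lists every account explicitly granted SeAuditPrivilege. The temporary file name and the output property names are choices made for this example.

```powershell
# Added example: enumerate explicit holders of SeAuditPrivilege on the local machine.
# Run from an elevated prompt. Per the article, Local System's implicit
# assignment is not listed in policy, so it is not expected in this output.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())  # temp path chosen for this example
try {
    # Export only the User Rights Assignment area of the local security policy.
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }

    # The export contains one line per right, e.g.  SeAuditPrivilege = *S-1-5-19,svc_logs
    $line = Get-Content -Path $cfg |
        Where-Object { $_ -match '^\s*SeAuditPrivilege\s*=' } |
        Select-Object -First 1

    if (-not $line) {
        Write-Output 'SeAuditPrivilege: no explicit assignments in local policy.'
    }
    else {
        $entries = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim() } | Where-Object { $_ }
        foreach ($entry in $entries) {
            $sid = $null; $account = $null
            try {
                if ($entry.StartsWith('*')) {
                    # Entries prefixed with '*' are SIDs; resolve them to account names.
                    $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
                    $sid     = $sidObj.Value
                    $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                }
                else {
                    # Entries without '*' are account names; resolve them to SIDs.
                    $account = $entry
                    $sid = (New-Object System.Security.Principal.NTAccount($entry)).Translate(
                        [System.Security.Principal.SecurityIdentifier]).Value
                }
            }
            catch {
                # Resolution failed: keep the raw entry so the reviewer can follow up.
                if (-not $account) { $account = '(SID does not resolve; orphaned or foreign account)' }
            }
            [pscustomobject]@{ Privilege = 'SeAuditPrivilege'; Account = $account; Sid = $sid; RawEntry = $entry }
        }
    }
}
finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}
```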
User Comments
by Stanley Allen, added Tuesday, November 10, 2009
I don't think this works any more... See this page: http://support.microsoft.com/kb/891749