The Windows Security Log Revealed

Chapter 11
Policy Change Events

The Policy Change audit category include six subcategories and provides notification of changes to important security policies on the local system, such as to the system’s audit policy or, in the case of DCs, trust relationships.

Policy Change Subcategories

Comment

Audit Policy Change

Policies that affect what gets reported and misc policies

Authentication Policy Change

Logon rights assignments

Authorization Policy Change

Privilege (rights) assignments

MPSSVC Rule Level Policy Change

Firewall Policy Changes

Filtering Platform Policy Change

Firewall used Windows Filtering Platform; May be used by others

Other Policy Change Events

One Windows Filtering Platform event

Audit Policy Change

Event ID

Title

4715

The audit policy (SACL) on an object was changed.

4719

System audit policy was changed.

4902

The Per-user audit policy table was created.

4904

An attempt was made to register a security event source.

4905

An attempt was made to unregister a security event source.

4906

The CrashOnAuditFail value has changed.

4907

Auditing settings on object were changed.

4912

Per User Audit Policy was changed.

Windows allows applications to report their own security events to the Security log by registering through Authorization Manager, using Local Security Authority (LSA) as a security event source. The application uses the AuthzRegisterSecurityEventSource function to register. Event IDs 4904 and 4905 indicate that applications have been registered and unregistered.

The event ID 4715 description, The audit policy (SACL) on an object was changed, is poorly worded. The event actually indicates that the security descriptor on an audit policy was changed, meaning that the ability to change an audit policy has been delegated or that such delegation has been removed. (You can use the auditpol /set /sd: command to delegate authority to the system's audit policy.) The event will show the old and new security descriptor in Security Descriptor Definition Language (SDDL) format. See http://msdn2.microsoft.com/en-us/library/aa379567.aspx for more information.

Event ID 4719 is an important event that indicates that the System audit policy was changed. This event tells you that one of the 50 policy subcategories was changed and gives you the details. If one of the nine primary categories is changed, you will see an event for each of the changed subcategories. An improvement to this event in Windows Server 2008 and later is that the event now shows both the old and new policy. If the policy was changed through Group Policy, the Subject will indicate the computer account that initiated the change. To determine who actually made the change, the applicable GPO must also be audited. (See chapter 9 for auditing changes to Group Policy.)

Event ID 4906 is logged when you change the value of the Audit: Shut down system immediately if unable to log security audits security option. This change can be used to make the system crash (i.e., “blue screen”) if the Security log fills and is configured not to overwrite or autobackup.

Whenever an audit policy is changed on a file or folder object, event ID 4907 records both the old and the new SACL. Instances of this event can be quite numerous on a system that is being set up or changed frequently but will help ensure continuous auditing. The event occurs even when Object Auditing is not set. The event does not record changes for the SACLs on DS objects.

Authentication Policy Change

The Authentication Policy Change subcategory events track any configuration changes that would affect how user accounts are authenticated and when password and lockout policies are conspicuously missing.

Event ID

Title

4706

A new trust was created to a domain.

4707

A trust to a domain was removed.

4713

Kerberos policy was changed.

4716

Trusted domain information was modified.

4717

System security access was granted to an account.

4718

System security access was removed from an account.

4865

A trusted forest information entry was added.

4866

A trusted forest information entry was removed.

4867

A trusted forest information entry was modified.

Trusted Domain Events

When a trust is created, removed, or modified on a domain, a Policy Change event occurs. The subject fields indicate who made the change. The other fields require a little translation as you can see in Event ID 4716.

Trusted Domain

Despite the word "Trusted" in the event description, the other domain in this trust relationship can be a trusting domain, a trusted domain, or both. (The New Trust Information will provide this information.) Under the Trusted Domain information, you’ll find the Domain Name, which states the DNS name of the domain, and the Domain ID, which states the pre-Windows 2000 (NetBIOS) name of the domain.

New Trust Information

The New Trust Information defines the type of trust after this change: whether it is one way or mutual, transitivity, and so forth. This information includes the Trust Type, Trust Direction and Trust Attributes, which are a bitwise value comprising any of the following:

  • TRUST_ATTRIBUTE_NON_TRANSITIVE 1
  • TRUST_ATTRIBUTE_UPLEVEL_ONLY 2
  • TRUST_ATTRIBUTE_FILTER_SIDS 4
  • TRUST_ATTRIBUTE_FOREST_TRANSITIVE 8

Trust Type Values

Type

Corresponding Value

Explanation

1

TRUST_TYPE_DOWNLEVEL

The other domain is pre-Win2k (NTLM only supported)

2

TRUST_TYPE_UPLEVEL

The other domain is Win2k or later (Windows Kerberos supported)

3

TRUST_TYPE_MIT

Other domain is actually an MIT Kerberos Realm (probably UNIX)

4

TRUST_TYPE_DCE

The trusted domain is a DCE realm

Trust Direction Values

Direction

Value

Disabled

0x0

Inbound

0x1

Outbound

0x2

Bidirectional

0x3

SID Filtering

This field documents the status of SID filtering for the trust relationship. SID filtering prevents DCs in one domain from making false claims about a user’s membership in groups. For more information see https://technet.microsoft.com/en-us/library/cc974396(v=ws.10).aspx.

 Forest Trust Events

The Trust Information fields in events that involve trusted forests are recorded in event IDs 4865 (Forest trust added), 4866 (Forest Trust Removed), and 4867 (Forest Trust Modified) and also require some explanation. The example event ID 4866 shows an instance that occurred upon a name-suffix routing change.

An explanation follows for elements in the Forest Trust Information entry:

  • Forest Root. The DNS name of the forest root domain of the other forest in this trust relationship.
  • Forest Root SID. The SID of the Forest Root: - usually translated to the pre-Win2k domain name.
  • Operation ID. The operation ID allows you to correlate all the events that are part of this operation
  • Entry Type. There are three possible entry types as shown in the table below.
  • Flags. The Flags value seems to always be 0.
  • Top Level Name. This domain is trusted or untrusted (excluded); see Entry Types 0 and 1.
  • DNS Name. See LSA_FOREST_TRUST_DOMAIN_INFO.
  • Name. See LSA_FOREST_TRUST_DOMAIN_INFO.
  • Domain SID. See LSA_FOREST_TRUST_DOMAIN_INFO.

Value

Entry Type

Comment

0

ForestTrustTopLevelName

This record identifies a domain (Top Level Name below) of the trusted forest that this forest trusts.

1

ForestTrustTopLevelNameEx

This record identifies a domain (Top Level Name below) of the trusted forest that this forest does not trust (excluded)

2

ForestTrustDomainInfo

This record contains an LSA_FOREST_TRUST_DOMAIN_INFO structure which includes

Sid

DnsName

NetbiosName

Windows logs event ID 4713 when it detects a change to the domain's Kerberos policy. Kerberos policy is defined in GPOs that are linked to the root of the domain under Computer Configuration\Windows Settings\Security Settings\Account Policy\Kerberos Policy.

Unfortunately, the Subject fields in event ID 4713 don't identify who actually changed the policy; Kerberos policy isn't directly configured by administrators. Instead, Kerberos policy is edited in a GPO, which then is applied to the computer. Therefore, this event always shows the local computer as the entity that changed the policy (the computer is the security principal under which gpupdate runs).

System Security Access Events

Some rights are extremely powerful, to the point of giving the user administrator-equivalent authority. Event IDs 4717 and 4718 log changes to 10 configurable logon rights such as Access this computer from the network or Logon as a service. Other rights such as Change the system time or Take ownership of files and other objects are not granted. (These other rights fall under the Authorization Policy Change subcategory.) The first column shows the name of each of the 10 logon rights as it appears on the Local Security Policy or Group Policy MMC. The second column lists the actual system name of each right; this is the name that appears in the event. A human can figure this difference out pretty easily, but a computer program (such as an event filter) needs assistance. As is often the case, Windows is inconsistent with wording. For example, “Access this computer” really means “log on.”

Name in MMC

System Name

Access this computer from the network

SeNetworkLogonRight

Allow log on locally

SeInteractiveLogonRight

Allow log on through Terminal Services

SeRemoteInteractiveLogonRight

Deny access this computer from the network

SeDenyNetworkLogonRight

Deny log on as a batch job

SeDenyBatchLogonRight

Deny log on as a service

SeDenyServiceLogonRight

Deny log on locally

SeDenyInteractiveLogonRight

Deny log on through Terminal Services

SeDenyRemoteInteractiveLogonRight

Log on as a batch job

SeBatchLogonRight

Log on as a service

SeServiceLogonRight

Note that Deny rights are included. The description in event ID 4718 (System security access was removed from an account) might seem to indicate that a right was removed, but this interpretation is a little misleading in the case of Deny logon rights. Someone might actually be granted access when a Deny logon right is removed. If there is a conflict in which both Deny and Allow rights are assigned, the Deny right takes precedence.

In Chapter 10, we talked about the use of rights and privileges. The settings that were shown in Trust Direction values chart generate an event when the policy is changed either through Group Policy or Local Security Settings. These two events don’t tell you the real user who assigned or revoked the right or rights; the Subject field always lists SYSTEM for the local computer.

Authorization Policy Change

When User Rights—that is, privileges other than logon rights—are assigned, an event is generated in the Authorization Policy Change subcategory.

Event ID

Title

4704

A user right was assigned.

4705

A user right was removed.

4714

Encrypted data recovery policy was changed.

Event ID 4704 occurs when a privilege (aka right) is assigned; event ID 4705 occurs when a user privilege is revoked. Don’t confuse event ID 4704 and event ID 4705 with the Privilege Use events described in Chapter 10. Event ID 4704 and event ID 4705 log the assignment or revocation of a user right, whereas Privilege Use events log the actual use of such rights.

These two Policy Change events log the user or group that was the target of the change, as well as the system name of the right or rights that were assigned or revoked. You can refer to the chart above in the System Security Access Events section to cross reference a right’s system and friendly names. Like event ID 4717, these two events don’t tell you the real user who assigned or revoked the right or rights; the Subject field always lists SYSTEM for the local computer. As with logon rights, the privilege name in the MMC differs from the system name of the privilege; the system name is the one that appears in the event.

Name in MMC

System Name

Adjust memory quotas for a process

SeIncreaseQuotaPrivilege

Add workstations to domain

SeMachineAccountPrivilege

Manage auditing and security log

SeSecurityPrivilege

Take ownership of files or other objects

SeTakeOwnershipPrivilege

Load and unload device drivers

SeLoadDriverPrivilege

Profile system performance

SeSystemProfilePrivilege

Change the system time

SeSystemtimePrivilege

Profile single process

SeProfileSingleProcessPrivilege

Increase scheduling priority

SeIncreaseBasePriorityPrivilege

Create a pagefile

SeCreatePagefilePrivilege

Back up files and directories

SeBackupPrivilege

Restore files and directories

SeRestorePrivilege

Shut down the system

SeShutdownPrivilege

Debug programs

SeDebugPrivilege

Modify firmware environment values

SeSystemEnvironmentPrivilege

Bypass traverse checking

SeChangeNotifyPrivilege

Force shutdown from a remote system

SeRemoteShutdownPrivilege

Remove computer from docking station

SeUndockPrivilege

Enable computer and user accounts to be trusted

SeDelegationPrivilege

Perform volume maintenance tasks

SeManageVolumePrivilege

Impersonate a client after authentication

SeImpersonatePrivilege

Create global objects

SeCreateGlobalPrivilege

Increase a process working set

SeIncreaseWorkingSetPrivilege

Change the time zone

SeTimeZonePrivilege

Create symbolic links

SeCreateSymbolicLinkPrivilege

Event ID 4714 indicates that the specified computer's Security Settings\Public Key Policies\Encrypting File System Data Recovery Agent policy was modified. When an administrator modifies the data-recovery policy for the Encrypting File System (EFS), Windows logs event ID 4714 and specifies the old and new values for the policy. This event is important because anyone who can edit a GPO can add himself or herself as a data recovery agent to one or more computers, thereby accessing information that has been encrypted by other users. Sometimes Windows logs event ID 4717 when nothing has changed, so examine the description of the event to determine its relevance.

MPSSVC Rule Level Policy Change

Events in the chatty MPSSVC Rule Level Policy Change subcategory document the current configuration of the Windows Firewall (aka MPSSVC) whenever it starts, as well as any changes to its configuration.

Event ID

Title

4944

The following policy was active when the Windows Firewall started.

4945

A rule was listed when the Windows Firewall started.

4946

A change has been made to Windows Firewall exception list. A rule was added.

4947

A change has been made to Windows Firewall exception list. A rule was modified.

4948

A change has been made to Windows Firewall exception list. A rule was deleted.

4949

Windows Firewall settings were restored to the default values.

4950

A Windows Firewall setting has changed.

4951

A rule has been ignored because its major version number was not recognized by Windows Firewall.

4952

Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall.

4954

Windows Firewall Group Policy settings has changed. The new settings have been applied.

4956

Windows Firewall has changed the active profile.

4957

Windows Firewall did not apply the following rule:

4958

Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer:

Filtering Platform Policy Change

The events in the Filtering Platform Policy Change subcategory document the current configuration of the Windows Filtering Platform (WFP) whenever it starts, as well as any changes to its configuration. WFP is used by Windows Firewall and other software and can filter and modify TCP/IP packets, monitor or authorize connections, filter Internet Protocol security (IPsec)-protected traffic, and filter remote procedure calls (RPCs).

Event ID

Title

5440

The following callout was present when the Windows Filtering Platform Base Filtering Engine started.

5441

The following filter was present when the Windows Filtering Platform Base Filtering Engine started.

5442

The following provider was present when the Windows Filtering Platform Base Filtering Engine started.

5443

The following provider context was present when the Windows Filtering Platform Base Filtering Engine started.

5444

The following sub-layer was present when the Windows Filtering Platform Base Filtering Engine started.

5446

A Windows Filtering Platform callout has been changed.

5448

A Windows Filtering Platform provider has been changed.

5449

A Windows Filtering Platform provider context has been changed.

5450

A Windows Filtering Platform sub-layer has been changed.

Other Policy Change Events

The lone event in the Policy Change category should have been in the Windows Filtering Platform subcategory.

Event ID

Title

5447

A Windows Filtering Platform filter has been changed.

Bottom Line

Policy Change events provide a few important notifications, such as changes to audit policy, user right assignments, EFS recovery policy, and trust relationships. Unfortunately, many of these events only notify you of such changes; though they might specify the before and after values for the changed settings, they don’t tell you who caused the change. To track down the user behind the change, you’ll have to examine the Directory Service events that we described in Chapter 9, to look for recent changes to GPOs. The policies that relate to the Windows Firewall and Filtering Platform will produce many events if these subcategories are enabled, so for most environments, we recommend disabling them. Remember, you use Auditpol to selectively disable the subcategories that you don’t need.

Next Chapter

Back to top

Supercharger Free Edition


Centrally manage WEC subscriptions.

Free.

 

 

Additional Resources