Audit Privilege Use

The Audit privilege use policy tracks the exercise of user rights. Microsoft uses the terms privilege, right, and permission inconsistently. In this policy's case, privilege refers to the user rights you find in the Local Security Policy under Security Settings\Local Policies\User Rights Assignment.

By default, Windows does not audit these privileges (see Audit: Audit the use of backup and restore privilege) even if this policy is enabled:

The following is an excerpt from my book, The Windows Security Log Revealed

You can use the Privilege Use category to track the exercise of user rights. Microsoft uses the terms privilege, right, and permission inconsistently. In this case, privileges refer to the user rights you find in Local Security Policy under Security Settings\Local Policies\User Rights Assignment, as Figure 10‑1 shows.

Figure 10‑1 User rights configuration

For a list of Event IDs generated by this category, see the Security Log Encyclopedia.

Bottom line

  • This category generates a lot of noise, and I usually recommend leaving it disabled. In fact, Eric Fitzgerald, Microsoft's security log guy, as much as says this audit policy and its events are useless because there’s no “central reference” of which operations are actually controlled by each privilege.
  • Of course, on Windows Server 2008 and Vista, you can configure auditing of these events using subcategories. See Audit Category: Privilege Use (Windows Server 2008 and Vista).
