NT Gatekeeper: Enabling Auditing for User Rights That NT Doesn't Audit by Default

I recently read that some Windows NT user rights can't be audited, so system actions that involve these rights could occur undetected. Is this statement true, and if so, for which user rights? Can I enable auditing for these rights?

The statement is absolutely true. By default, NT doesn't audit use of the rights that Table 1, page 12, lists. (The table also shows which accounts have these rights by default.)

Microsoft disabled auditing for these rights for two reasons. First, NT doesn't audit the use of certain rights by default because doing so isn't practical. For example, auditing Bypass traverse checking doesn't return much information when this right is given to the Everyone group—which it is, by default. Rights such as Debug programs, Create a token object, Replace process level token, and Generate security audits aren't used in regular day-to-day systems operations. Because the use of these rights is so exceptional and because only an Administrator can assign these rights to an account, NT doesn't log their use by default.

Second, disabling auditing for the rights in Table 1 reduces the number of event messages written to the NT Security log. If a system automatically audited the use of the Backup files and directories user right, the system would write an event to the Security log for every individual directory and file backup operation. The same problem applies to the Restore files and directories user right. Obviously, if you performed daily backups on a file server, its Security log would fill up quickly.

Because Backup files and directories and Restore files and directories are used during day-to-day operations, Microsoft provides a way to enable auditing of their use. (You can't enable auditing for the other user rights in Table 1.) To enable auditing for these two rights, open a registry editor on the systems on which you want to log related events, and go to the HKEY_ LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey. Add the FullPrivilegeAuditing (of type REG_BINARY) value and set it to the binary value 1. This setting becomes effective after you restart the Local Security Authority (LSA) and the system. You also need to ensure that auditing for success or failure of Use of User Rights is turned on in your NT audit policy. Figure 3 shows a sample event ID 578 (Success Audit) message for the privileged use of the Backup files and directories user right.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.