In today’s Ask the Admin, I’ll look at two new audit events in Windows Server 2016 that can help identify malicious activity, as well as other general auditing improvements.
Windows 10 included some improvements to auditing and new events. Those changes are naturally now available as part of Windows Server 2016. Let’s start with two new Advanced Audit Policy Configuration subcategories: Audit Group Membership and Audit PNP Activity.
Audit Group Membership in the Logon/Logoff category provides group membership information from users’ logon tokens. For an event to be logged an action must occur, on the device or session where the user is logged in, that enumerates group membership. When the logon is interactive, the event information is recorded on the PC where the user logs in. For network logons, the information is recorded on the device where the accessed resource resides. The Audit Logon setting must also be enabled for Audit Group Membership to work.
Audit PNP Activity Event 6416 is new in the Detailed Tracking category and writes an event to the log when the plug and play subsystem detects an external device. Only Success audits are logged. Auditing for PnP activity is particularly useful on servers, where in general, external devices should not be attached without an approved change request.
What follows explains improvements to audit policies that existed in earlier versions of Windows Server.
Windows Server 2016 automatically enables auditing of process creation events until the Local Security Authority (LSA) has started, at which point it uses the audit settings as defined in policy. This behavior differs from previous versions of Windows where process creation events were only written to the log once the LSA had started, potentially leaving events unaudited.
Windows Server 2016 adds two new Security Account Manager (SAM) audit events, ID 4798 and ID 4799. Attempts to access the SAM database might indicate the presence of a malicious actor on your network, so auditing has been improved to include monitoring of SAM APIs that perform read/write operations on the database. In previous versions of Windows Server, only write operations could be audited.
The Boot Configuration Database (BCD) controls how Windows Server is started, and a new event (ID 4826) has been added to track these changes:
Windows Server 2016 includes a default process SACL on the Local Security Authority Subsystem Service (LSASS) to track processes that try to access the service. Access attempts against can indicate malicious activity intended to steal credentials from memory. Audit Kernel Object can be found under Advanced Audit Policy Configuration\Object Access.
Event ID 4624 has been expanded to include more logon event information, including a list of groups in the user’s logon token, and a string to indicate whether an elevated or split token was used.
For more comprehensive information on all the events in Windows Server 2016, you can download a reference paper from Microsoft’s website here. For more information on configuring advanced auditing in Windows Server, see How Do I Enable Advanced Audit Policy Configuration in Windows Server? on the Petri IT Knowledgebase.