Chapter 12
System Events
The System category and its subcategories provide an eclectic mix of events that are relevant to security. For
example, Windows logs event ID 4608 when the system starts up.
System Subcategories | Comment
--- | ---
Security State Change | Startup, shutdown and time change
Security System Extension | Includes new services and authentication packages
Security Integrity Events | Major hash and encrypt events
IPsec Driver Events | Track failure of IPsec system
Other System Events | Track failure of Windows Firewall service
Security State Change
Events in the Security State Change subcategory track key system changes, such as system clock changes and the startup
and shutdown of the system. These events are important because a Windows system
is completely vulnerable while it is shut down: it is at the mercy of anyone who has
physical access and the proper skill. Every event is stamped with the system time, so a
change in system time could obscure or hide malicious actions or cause
authentication problems (Kerberos depends on time being synchronized between
systems).
Event ID | Title
--- | ---
4608 | Windows is starting up
4609 | Windows is shutting down
4616 | The system time was changed
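Because a clock change can hide or reorder later events, a practical check is to pull each 4616 event and measure how far the clock moved. This is an added example, not code from the book; it assumes an elevated session that can read the Security log and that 4616 carries the EventData fields PreviousTime, NewTime, SubjectUserName, SubjectDomainName and ProcessName.

```powershell
# Added example: list 4616 "system time was changed" events whose jump
# exceeds a threshold, with who changed it and from which process.
$MaxSkewSeconds = 300      # constructed threshold; tune for your environment
$Days = 7

# Copy an event's EventData <Data Name="..."> elements into a hashtable.
function Get-EventData($Event) {
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# 4616 logs times as UTC strings with 9 fractional digits; .NET accepts at most 7.
function ConvertTo-UtcTime([string]$Text) {
    $trimmed = $Text -replace '(\.\d{7})\d+', '$1'
    return [datetime]::Parse($trimmed, [cultureinfo]::InvariantCulture,
        [System.Globalization.DateTimeStyles]::AdjustToUniversal)
}

$filter = @{ LogName = 'Security'; Id = 4616; StartTime = (Get-Date).AddDays(-$Days) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    $skew = (ConvertTo-UtcTime $d.NewTime) - (ConvertTo-UtcTime $d.PreviousTime)
    [pscustomobject]@{
        Logged     = $_.TimeCreated
        Subject    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Process    = $d.ProcessName
        SkewSec    = [math]::Round($skew.TotalSeconds)
        # Small corrections by the time service are routine; large jumps are not.
        LargeJump  = [math]::Abs($skew.TotalSeconds) -gt $MaxSkewSeconds
    }
} | Where-Object LargeJump | Format-Table -AutoSize
```

Events from a clock that was moved backwards show a negative SkewSec, which is the case most likely to obscure earlier activity.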
Security System Extension
The Windows security infrastructure supports extensibility
through various types of plug-ins, and the Security System Extension subcategory
logs all activity of such plug-ins. The Windows security infrastructure is
designed to be modular and to facilitate new, plug-in security functionality
from Microsoft and third-party vendors. These plug-ins can be authentication
packages, trusted logon processes, or notification packages. Because the
plug-ins are completely trusted modules of code that augment the operating
system, Windows logs each plug-in as it loads, using the events in this
subcategory.
Event ID | Title
--- | ---
4610 | An authentication package has been loaded by the Local Security Authority
4611 | A trusted logon process has been registered with the Local Security Authority
4614 | A notification package has been loaded by the Security Account Manager
4622 | A security package has been loaded by the Local Security Authority
4697 | A service was installed in the system
When a service is installed on the system, event ID 4697 is generated. Note that in Windows Server 2003, Detailed Tracking
event ID 601 logged this activity. The change control event is important
because new services are significant extensions of the software that runs on a
server and the roles that software performs.
The Subject section of this event shows the user who
installed the new service. However, for services that are installed as part of
native Windows components, the Subject section often identifies the local
system (SYSTEM); therefore, you can't determine who actually initiated the
installation.
The Service Name field in this event indicates the
internal system name of the new service. Use the sc query command to get
a cross-reference of service names and their more familiar display names. The Service
File Name field indicates the executable that was used to start the service.
The Service Type value identifies which service type was installed on the
system.
Service Type | System Name of Service Type | Description
--- | --- | ---
0x1 | SERVICE_KERNEL_DRIVER | Driver service
0x2 | SERVICE_FILE_SYSTEM_DRIVER | File system driver service
0x4 | SERVICE_ADAPTER | Reserved
0x8 | SERVICE_RECOGNIZER_DRIVER | Reserved
0x10 | SERVICE_WIN32_OWN_PROCESS | Service that runs in its own process
0x20 | SERVICE_WIN32_SHARE_PROCESS | Service that shares a process with one or more other services
0x110 | SERVICE_INTERACTIVE_PROCESS + SERVICE_WIN32_OWN_PROCESS | Same as 0x10 but allowed to interact with the desktop
0x120 | SERVICE_INTERACTIVE_PROCESS + SERVICE_WIN32_SHARE_PROCESS | Same as 0x20 but allowed to interact with the desktop
The Service Start Type value defines whether the service
starts automatically when the computer starts and during which phase of system
startup the service starts.
Start Type | System Name | Description
--- | --- | ---
0 | SERVICE_BOOT_START | A device driver started by the system loader. This value is valid only for driver services
1 | SERVICE_SYSTEM_START | A device driver started by the IoInitSystem function. This value is valid only for driver services
2 | SERVICE_AUTO_START | A service started automatically by the service control manager during system startup
3 | SERVICE_DEMAND_START | Manual startup
4 | SERVICE_DISABLED | Disabled service
The Service Account field indicates under which account
the service runs.
Although this event records only new services, you can use
the Object Access category to audit events on existing services, such as
starts, stops, and modifications. To enable auditing on a service, you can
use a Security Template or the SubInACL tool. (You can download SubInACL from
Microsoft.)
Security Integrity Events
The Security Integrity Events subcategory logs at least three
events that can affect the overall integrity of the system.
Event ID | Title
--- | ---
5038 | Code integrity determined that the image hash of a file is not valid.
5056 | A cryptographic self test was performed.
5061 | Cryptographic operation.
Event ID 5038 lists the path and file name of the image in
question. An invalid hash could mean that the file was modified intentionally, or it could be the result of an
input/output error in the system.
Event IDs 5056 and 5061 appear to be part of the normal operation
of the system; auditing them may be needed for compliance purposes.
IPsec Driver Events
The IPsec Driver Events subcategory tracks activity that relates
to the operation of the IPsec system service. If the IPsec
Services fail to start or shut down, the security risk is increased so it’s a
good idea to track these events. For events that relate to IPsec network
traffic, see the IPsec subcategories (discussed in Chapter 5).
Event ID | Title
--- | ---
5478 | IPsec Services has started successfully
5479 | IPsec Services has been shut down successfully
5480 | IPsec Services failed to get the complete list of network interfaces on the computer
5483 | IPsec Services failed to initialize RPC server. IPsec Services could not be started
5484 | IPsec Services has experienced a critical failure and has been shut down
5485 | IPsec Services failed to process some IPsec filters on a plug-and-play event for network interfaces
Other System Events
The events in the Other System Events subcategory are a hodgepodge dominated by Windows Firewall system service activity,
which would seem to belong elsewhere. As with all subcategories, you must use Auditpol
to enable or disable these events.
Event ID | Title
--- | ---
4615 | Invalid use of LPC port
5024 | The Windows Firewall Service has started successfully
5025 | The Windows Firewall Service has been stopped
5027 | The Windows Firewall Service was unable to retrieve the security policy from the local storage
5028 | The Windows Firewall Service was unable to parse the new security policy
5029 | The Windows Firewall Service failed to initialize the driver
5030 | The Windows Firewall Service failed to start
5032 | Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network
5033 | The Windows Firewall Driver has started successfully
5034 | The Windows Firewall Driver has been stopped
5035 | The Windows Firewall Driver failed to start
5037 | The Windows Firewall Driver detected critical runtime error. Terminating.
5058 | Key file operation
5059 | Key migration operation
Bottom Line
It’s worth enabling the System category so that you have
an audit trail of system restarts, new services, and the failure of some
critical operations. Enabling the Audit system events policy does not
create an undue amount of noise.
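To confirm that the System category is actually enabled, here is an added example (not from the book) that reads the current audit policy with Auditpol and prints the command for any subcategory that is not yet auditing both successes and failures. It assumes an elevated session; the subcategory names are Auditpol's own, so the book's "Security Integrity Events" appears as "System Integrity" and "IPsec Driver Events" as "IPsec Driver".

```powershell
# Added example: report the audit setting of each System subcategory and
# emit the auditpol /set command needed to turn on the ones that are off.
$wanted = 'Security State Change', 'Security System Extension',
          'System Integrity', 'IPsec Driver', 'Other System Events'

# /r makes auditpol emit CSV with the columns Machine Name, Policy Target,
# Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting.
$current = auditpol /get /category:'System' /r |
           Where-Object { $_ -ne '' } | ConvertFrom-Csv

foreach ($name in $wanted) {
    $row = $current | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Unknown' }
    '{0,-26} {1}' -f $name, $setting
    # "Success and Failure" is the setting that captures both the start/stop
    # events and the failure events this chapter describes.
    if ($setting -ne 'Success and Failure') {
        '  -> auditpol /set /subcategory:"{0}" /success:enable /failure:enable' -f $name
    }
}
```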