Website under construction

115 
CHAPTER 4 | Security and identity 

Audit PNP Activity Found in the Detailed Tracking category, you can use the Audit PNP Activity 
subcategory to audit when plug-and-play detects an external device. Only Success audits are 
recorded for this category. 
Additional changes have been made in Windows Server 2016 that expose more information to help 
you identify and address threats quickly. The following table provides more information: 
Area 
Improvements 
Kernel Default 
Audit Policy 
In previous releases, the kernel depended on the LSA to retrieve information 
in some of its events. In Server 2016, the process creation events audit policy 
is automatically turned on until an actual audit policy is received from the 
LSA. This results in better auditing of services that might start before the LSA 
starts 
Default process 
Security ACL 
(SACL) to 
LSASS.exe 
A default process, SACL was added to LSASS.exe to log processes attempting 
to access LSASS.exe. The SACL is L"S:(AU;SAFA;0x0010;;;WD)". You can turn 
this on under Advanced Audit Policy Configuration|Object Access|Audit Kernel 
Object. 
New fields in the 
sign-in event 
The sign-in event ID 4624 has been updated to include more verbose 
information to make them easier to analyze. The following fields have been 
added to event 4624: 

MachineLogon String: yes or no 
If the account that signed in to the PC is a computer account, this field 
will be yes; otherwise, the field is no. 

ElevatedToken String: yes or no 
If the account that signed in to the PC is an administrative sign-in, this 
field will be yes; otherwise, the field is no. Additionally, if this is part of a 
split token, the linked login ID (LSAP_LOGON_SESSION) will also be 
shown. 


Download 13,37 Mb.

Do'stlaringiz bilan baham: