Audit Privilege Use - Windows 2003 Security Guide

Posted by: Gareth (gareth@newsgroup.nospam)
Date: Thu, 3 Apr 2008


I'd like some clarification on auditing privilege use on Windows 2003.

I'm currently performing some security testing. On a Windows 2003 Server
within the Local Security Policy > Local Policies > Audit policy I have
enabled both success and failure auditing for 'Audit Privilege Use'. No Group
Policy is in use.

To test the setting, I have logged on to a server as an administrator, reset
the system time and performed a shutdown. The events are logged as expected.
I then log on as a non-administrative user who does not have rights to change
the system time or to shut the system down. Using the non-admin user account,
I attempt to change the system time and also attempt to shut the system down.
Nothing is logged within the security log.

The Windows Server 2003 Security Guide states 'Failed use of a user right is
an indicator of a general network problem, and can often indicate an
attempted security breach'.

It would appear that the Audit Privilege Use auditing doesn't actually pick
up on people trying to perform actions for which they do not have rights. Is
this correct? So the failure auditing option would only indicate that a user
who has the required privileges has failed to use them and therefore this is
much more likely to be a configuration (or other technical) problem rather
than an attempted security violation?

Thanks in advance for any help / thoughts offered.