Windows – Global Audit Policy


From Windows Internals Part 1, 7th edition.

You can use the auditpol command to set a global audit policy, i.e. a SACL that applies to every file or every registry key on the system rather than to one object.

1. If you didn’t already do so in the previous experiment, open the Local Security Policy editor, navigate to the Audit Policy settings, double-click Audit Object Access, and enable auditing for both success and failure. On most systems, SACLs specifying object access auditing are uncommon, so few if any object-access audit records will be produced at this point.

2. In an elevated command prompt window, enter the following command. This will produce a summary of the commands for setting and querying global audit policy.

auditpol /resourceSACL

Output:

Usage: AuditPol /resourceSACL
            [/set /type:<resource> [/success] [/failure] /user:<user>
               [/access:<access flags>] [/condition:<expression>]]
            [/remove /type:<resource> /user:<user> [/type:<resource>]]
            [/clear [/type:<resource>]]
            [/view [/user:<user>] [/type:<resource>]]

This command configures settings for global object access auditing. The
corresponding object access subcategory needs to be enabled for the events
to be generated by the system. Type auditpol /set /? for more information.

Commands

    /?          Displays Help for the command.
    /set        Adds a new entry to or updates an existing entry in the
                resource system access control list for the resource type specified.
    /remove     Removes all entries for the given user from the global
                object access auditing list specified by the resource type.
    /clear      Removes all entries from the global object access auditing
                list for the specified resource type.
    /view       Lists the global object access auditing entries for the
                specified resource type and user. Specifying a user is
                optional.

Arguments

    /type       The resource for which object access auditing is being
                configured. The supported argument values are File and
                Key. Note that these values are case sensitive.
                    File: Directories and files.
                    Key:  Registry keys.
    /success    Specifies success auditing.
    /failure    Specifies failure auditing.
    /user       Specifies a user in one of the following forms:
                    - DomainName\Account (such as DOM\Administrators)
                    - StandaloneServer\Group
                    - Account (see LookupAccountName API)
                    - {S-1-x-x-x-x}. x is expressed in decimal, and the entire
                      SID must be enclosed in curly braces.
                      For example: {S-1-5-21-5624481-130208933-164394174-1001}
                Warning: If SID form is used, no check is done to verify the existence of this account.
    /access     Specifies a permission mask that can be specified in one of two forms:
                    - A sequence of simple rights:
                        Generic access rights:
                            GA - GENERIC ALL
                            GR - GENERIC READ
                            GW - GENERIC WRITE
                            GX - GENERIC EXECUTE
                        Access rights for files:
                            FA - FILE ALL ACCESS
                            FR - FILE GENERIC READ
                            FW - FILE GENERIC WRITE
                            FX - FILE GENERIC EXECUTE
                        Access rights for registry keys:
                            KA - KEY ALL ACCESS
                            KR - KEY READ
                            KW - KEY WRITE
                            KX - KEY EXECUTE
                      For example: '/access:FRFW' will enable audit events
                      for read and write operations.
                    - A hex value representing the access mask (such as 0x1200a9).
                      This is useful when using resource-specific bit masks
                      that are not part of the SDDL standard. If omitted,
                      Full access is used.
    /condition  Appends an attribute based expression like the following:
                    Document sensitivity is HBI ("High")
                    "(@Resource.Sensitivity == \"High\")"

Examples

    auditpol /resourceSACL /set /type:Key /user:MYDOMAIN\myuser /success
    auditpol /resourceSACL /set /type:File /user:MYDOMAIN\myuser /success
        /failure /access:FRFW
    auditpol /resourceSACL /set /type:File /user:everyone /success
        /failure /access:FRFW /condition:"(@Resource.Sensitivity == \"High\")"
    auditpol /resourceSACL /type:File /clear
    auditpol /resourceSACL /remove /type:File
        /user:{S-1-5-21-56248481-1302087933-1644394174-1001}
    auditpol /resourceSACL /type:File /view
    auditpol /resourceSACL /type:File /view /user:MYDOMAIN\myuser

3. In the same elevated command prompt window, enter the following commands. On a typical system, each of these commands will report that no global SACL exists for the respective resource type. (Note that the File and Key keywords are case-sensitive.)

auditpol /resourceSACL /type:File /view
auditpol /resourceSACL /type:Key /view

4. In the same elevated command prompt window, enter the following command. This will set a global audit policy such that all attempts to open files for write access (FW) by the indicated user will result in audit records, whether the open attempts succeed or fail. The user name can be a specific user name on the system, a group such as Everyone, a domain-qualified user name such as domainname\username, or a SID.

auditpol /resourceSACL /set /type:File /user:yourusername /success /failure /access:FW

5. While running under the user name indicated, use Explorer or other tools to open a file. Then look at the security log in the system event log to find the audit records.

6. At the end of the experiment, use the following command to remove the global SACL you created in step 4:

auditpol /resourceSACL /remove /type:File /user:yourusername
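The experiment in steps 3 to 6 as one script, an added example that is not from the book or this blog. It assumes step 1 (Audit Object Access, success and failure) is already enabled, that it runs in an elevated PowerShell session, and that the audited account is the current user; the file names and the Security log event IDs 4656 (handle to an object requested) and 4663 (attempt to access an object) it looks for are the example's own choices.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the book or this blog. Assumes step 1 (Audit
# Object Access, success and failure) is already enabled. The account, the
# file names and the event IDs 4656 / 4663 are this example's assumptions.

$user     = "$env:USERDOMAIN\$env:USERNAME"        # account whose file opens get audited
$okFile   = Join-Path $env:TEMP 'gap-success.txt'  # constructed: write open will succeed
$denyFile = Join-Path $env:TEMP 'gap-failure.txt'  # constructed: write open will be denied
$start    = Get-Date

# Step 3: on a fresh system both commands report that no global SACL exists
auditpol /resourceSACL /type:File /view
auditpol /resourceSACL /type:Key /view

# Step 4: audit every open-for-write (FW) by $user, whether it succeeds or fails
auditpol /resourceSACL /set /type:File "/user:$user" /success /failure /access:FW
if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed with exit code $LASTEXITCODE" }

try {
    # Step 5a: a write open that succeeds
    Set-Content -Path $okFile -Value 'global SACL test'

    # Step 5b: a write open that fails: create the file, then deny $user write access to it
    Set-Content -Path $denyFile -Value 'deny test'
    icacls $denyFile /deny "${user}:(W)" | Out-Null
    try   { [System.IO.File]::OpenWrite($denyFile).Dispose() }
    catch { Write-Host "write open of $denyFile was denied, as intended" }

    # Neither file carries a SACL of its own, so every record below comes from
    # the global policy. The Keywords column shows Audit Success / Audit Failure.
    Start-Sleep -Seconds 2   # give the Security log a moment to flush
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $start }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$okFile*" -or $_.Message -like "*$denyFile*" } |
        Select-Object TimeCreated, Id, @{ n = 'Result'; e = { $_.KeywordsDisplayNames -join ',' } } |
        Format-Table -AutoSize
}
finally {
    # Step 6: remove the global SACL again so the extra auditing does not linger
    auditpol /resourceSACL /remove /type:File "/user:$user"
    icacls $denyFile /remove:d $user | Out-Null
    Remove-Item $okFile, $denyFile -ErrorAction SilentlyContinue
}
```

Run it from an elevated PowerShell window; the table at the end lists the object-access records the global SACL produced for the two constructed files, one set marked Audit Success and one Audit Failure.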

The global audit policy is stored in the registry as a pair of system access control lists in HKLM\SECURITY\Policy\GlobalSaclNameFile and HKLM\SECURITY\Policy\GlobalSaclNameKey. You can examine these keys by running Regedit.exe under the System account, as described in the "Security system components" section earlier in this chapter. These keys will not exist until the corresponding global SACLs have been set at least once. The global audit policy cannot be overridden by SACLs on objects, but object-specific SACLs can allow for additional auditing. For example, global audit policy could require auditing of read access by all users to all files, but SACLs on individual files could add auditing of write access to those files by specific users or by more specific user groups.

To read more, see the book.