| Author |
Message |
Chris Cooper
Guest
|
 Posted:
Sat Oct 29, 2005 12:28 am Post subject:
Auditing system time changes |
|
|
I need to audit failed attempts to change the system time. I'm running XP
Pro (SP2) in a standalone situation. I have failure auditing of system
events and of privilege use. I don't get a 520 event failure or a 577
SeSystemTimePrivilege failure in the Security Log when unprivileged users try
to change the system time.
If I turn on success auditing on these two categories, priveleged users do
generate success audit entries for these two event IDs.
Any help would be greatly appreciated... |
|
| Back to top |
|
 |
Wesley Vogel
Guest
|
| Posted:
Sun Oct 30, 2005 12:27 am Post subject:
Re: Auditing system time changes |
|
|
Failed attempts to change the system time may show up as Success 520.
Success 520 shows The system time was changed when you double click the
clock and then close Date and Time Properties without changing anything
whatsoever.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:242CF1CF-A1D6-478F-BCDD-CFC04C18C267@microsoft.com,
Chris Cooper <ChrisCooper@discussions.microsoft.com> hunted and pecked:
| Quote: | I need to audit failed attempts to change the system time. I'm running XP
Pro (SP2) in a standalone situation. I have failure auditing of system
events and of privilege use. I don't get a 520 event failure or a 577
SeSystemTimePrivilege failure in the Security Log when unprivileged users
try to change the system time.
If I turn on success auditing on these two categories, priveleged users do
generate success audit entries for these two event IDs.
Any help would be greatly appreciated... |
|
|
| Back to top |
|
|
Chris Cooper
Guest
|
| Posted:
Mon Oct 31, 2005 5:27 pm Post subject:
Re: Auditing system time changes |
|
|
I have seen that behavior, but my problem here is that non-privileged users
are denied permission from opening the Date and Time Properties. I also
tried using the DOS time command and also wrote a short C++ program that
called SetSystemTime(). None of these attempts to change the time are
successful for non-privileged users, but none of the attempts are logged as
Failures in the Security Log, either.
I'm desperate for an answer (even an "it won't work" if there is some
documentation from MS)...
Thanks
"Wesley Vogel" wrote:
| Quote: | Failed attempts to change the system time may show up as Success 520.
Success 520 shows The system time was changed when you double click the
clock and then close Date and Time Properties without changing anything
whatsoever.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:242CF1CF-A1D6-478F-BCDD-CFC04C18C267@microsoft.com,
Chris Cooper <ChrisCooper@discussions.microsoft.com> hunted and pecked:
I need to audit failed attempts to change the system time. I'm running XP
Pro (SP2) in a standalone situation. I have failure auditing of system
events and of privilege use. I don't get a 520 event failure or a 577
SeSystemTimePrivilege failure in the Security Log when unprivileged users
try to change the system time.
If I turn on success auditing on these two categories, priveleged users do
generate success audit entries for these two event IDs.
Any help would be greatly appreciated...
|
|
|
| Back to top |
|
|
Wesley Vogel
Guest
|
| Posted:
Wed Nov 02, 2005 1:49 am Post subject:
Re: Auditing system time changes |
|
|
Local Computer Policy\Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy\
Audit privilege use
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:A53A2DB1-85DB-4CD3-891D-8F473AC6F931@microsoft.com,
Chris Cooper <ChrisCooper@discussions.microsoft.com> hunted and pecked:
| Quote: | I have seen that behavior, but my problem here is that non-privileged
users are denied permission from opening the Date and Time Properties. I
also tried using the DOS time command and also wrote a short C++ program
that called SetSystemTime(). None of these attempts to change the time
are successful for non-privileged users, but none of the attempts are
logged as Failures in the Security Log, either.
I'm desperate for an answer (even an "it won't work" if there is some
documentation from MS)...
Thanks
"Wesley Vogel" wrote:
Failed attempts to change the system time may show up as Success 520.
Success 520 shows The system time was changed when you double click the
clock and then close Date and Time Properties without changing anything
whatsoever.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:242CF1CF-A1D6-478F-BCDD-CFC04C18C267@microsoft.com,
Chris Cooper <ChrisCooper@discussions.microsoft.com> hunted and pecked:
I need to audit failed attempts to change the system time. I'm running
XP Pro (SP2) in a standalone situation. I have failure auditing of
system events and of privilege use. I don't get a 520 event failure or
a 577 SeSystemTimePrivilege failure in the Security Log when
unprivileged users try to change the system time.
If I turn on success auditing on these two categories, priveleged users
do generate success audit entries for these two event IDs.
Any help would be greatly appreciated... |
|
|
| Back to top |
|
|
Chris Cooper
Guest
|
| Posted:
Thu Nov 03, 2005 1:28 am Post subject:
Re: Auditing system time changes |
|
|
Wes,
Unfortunately, I'm already auditing privilege use. I've played around a
little with an older Win2k system and have noticed that the pattern of
privilege requests is different. (I realize that Win2k does not have 520
events). Win2k does log failed attempts as 577 failures for
SeIncreaseBasePriority and SeSystemtimePrivilege (and success follow the same
pattern), where WinXP does not have any failures at all in the audit log.
The success pattern for WinXP is 577 SeSystemtimePrivilege, 520 System Time
has changed.
So I'm still stuck...
"Wesley Vogel" wrote:
| Quote: | Local Computer Policy\Computer Configuration\Windows Settings\Security
Settings\Local Policies\Audit Policy\
Audit privilege use
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:A53A2DB1-85DB-4CD3-891D-8F473AC6F931@microsoft.com,
Chris Cooper <ChrisCooper@discussions.microsoft.com> hunted and pecked:
I have seen that behavior, but my problem here is that non-privileged
users are denied permission from opening the Date and Time Properties. I
also tried using the DOS time command and also wrote a short C++ program
that called SetSystemTime(). None of these attempts to change the time
are successful for non-privileged users, but none of the attempts are
logged as Failures in the Security Log, either.
I'm desperate for an answer (even an "it won't work" if there is some
documentation from MS)...
Thanks
"Wesley Vogel" wrote:
Failed attempts to change the system time may show up as Success 520.
Success 520 shows The system time was changed when you double click the
clock and then close Date and Time Properties without changing anything
whatsoever.
--
Hope this helps. Let us know.
Wes
MS-MVP Windows Shell/User
In news:242CF1CF-A1D6-478F-BCDD-CFC04C18C267@microsoft.com,
Chris Cooper <ChrisCooper@discussions.microsoft.com> hunted and pecked:
I need to audit failed attempts to change the system time. I'm running
XP Pro (SP2) in a standalone situation. I have failure auditing of
system events and of privilege use. I don't get a 520 event failure or
a 577 SeSystemTimePrivilege failure in the Security Log when
unprivileged users try to change the system time.
If I turn on success auditing on these two categories, priveleged users
do generate success audit entries for these two event IDs.
Any help would be greatly appreciated...
|
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in