Monday, April 23, 2007

Crash ... Into Me

Many of our high-security clients must enable the CrashOnAuditFail setting on their servers, as per government policy. In case you're not familiar with this setting, open up your Registry Editor, and visit the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

One of the values under this registry key is "CrashOnAuditFail" ... By default, this value is set to 0. If you set it to 1 (and I don't recommend you do, unless you have a test machine you're tinkering with), your system will Blue Screen as soon as the security log fills up, provided you have also prevented your workstation or server from overwriting events automatically in the security log. At that point, only an Administrator can log back on to the machine after a restart to clear the security log and reset the CrashOnAuditFail flag.

The purpose of this special setting is to prevent a computer from being used (e.g. logged into) by anyone other than administrators unless auditable events can be recorded in the security log. Thus, it is a very important setting in high-security networks.

Interestingly enough, Vista adds a new event related to this special registry value. In Vista (and presumably Longhorn server as well), Event ID 4621 gets logged when an administrator successfully recovers the system from a crash related to the Security log filling up. From a documentation and accountability standpoint, this is a nice new event that Vista brings to the table.
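A read-only check of the posture described above, as an added example that is not part of the original post. It assumes an elevated PowerShell session on Vista or later; the thresholds and output wording are my own.

```powershell
# Added example: audit the CrashOnAuditFail posture without changing anything.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$value = (Get-ItemProperty -Path $lsaKey -Name 'CrashOnAuditFail' -ErrorAction SilentlyContinue).CrashOnAuditFail
if ($null -eq $value) { $value = 0 }   # an absent value behaves as 0 (disabled)

# 0 = disabled, 1 = halt when the Security log can no longer record events,
# 2 = written by the system after such a halt; only administrators may log on.
$meaning = switch ($value) { 0 { 'disabled' } 1 { 'armed' } 2 { 'post-crash lockout' } default { 'unknown' } }
"CrashOnAuditFail = $value ($meaning)"

# The halt only matters if the Security log is not allowed to overwrite itself.
$log = Get-WinEvent -ListLog Security
'Security log: mode={0} size={1} KB / max={2} KB' -f $log.LogMode, [int]($log.FileSize / 1KB), [int]($log.MaximumSizeInBytes / 1KB)
if ($value -eq 1 -and $log.LogMode -eq 'Circular') {
    Write-Warning 'CrashOnAuditFail is armed but the Security log overwrites events as needed; the halt will never trigger.'
}
elseif ($value -eq 1) {
    $pct = [math]::Round(100 * $log.FileSize / $log.MaximumSizeInBytes)   # assumed threshold: warn at 80%
    if ($pct -ge 80) { Write-Warning "Security log is $pct% full; a halt is approaching." }
}

# Event ID 4621 records an administrator's recovery from such a halt.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4621 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Pair this with a scheduled export or forwarding of the Security log so the halt remains a last resort rather than a routine outage.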
