Wednesday, May 9, 2007

Who's that user changin' that key? It's me! It's me!

The gang at Microsoft did quite a number on auditing in Microsoft Vista and Longhorn Server. In addition to making legacy auditing events more granular in the Vista security log (e.g. containing more information), they've also added completely new events which will be well-received by administrators and compliance officers.

An example of one such new event is 4657 (Registry Value Changed). In Vista, if you set your audit policy correctly, you can tell Windows to log an event every time one or more values underneath a specific registry key are changed. Here's a sample of what the event looks like when it is logged:

A registry value was modified.

Security ID: DOMAIN\SomeUser
Account Name: SomeUser
Account Domain: DOMAIN
Logon ID: 0x11b8ffd

Object Name: \REGISTRY\MACHINE\SOFTWARE\AppVendor\ProgramName
Object Value Name: AdminEmail
Handle ID: 0x2e8
Operation Type: Existing registry value modified

Process Information:
Process ID: 0xb40
Process Name: C:\Windows\regedit.exe

Change Information:
Old Value Type: REG_SZ
Old Value:
New Value Type: REG_SZ
New Value:

Taking a look at the meat of the event, we can ascertain 1.) who changed the value, 2.) with what program, 3.) the name of the value, 4.) the old value data, and 5.) the new value data.

Pretty impressive. However, this does raise an interesting paradox. If certain registry data is so valuable that you want audit access to it, do you want that same data splashed into the event log? Yes, you can control access to the log, but having the data in the log to begin with raises some issues.

It might be cool if Microsoft had a tweak for this event that allowed it to be audited with everything BUT the value data included. Just a thought.

No comments: