Trying to audit which AD user actually restarts a service on a particular server.
The service (MyService) uses a service account to run and to get access to different resources.

I want to audit when my user or any actual human user manually starts / stops / restarts the service, and to get that information as an "Event" in Event Viewer so I can later set up an alert or filtered view to see who modified the service running state and when.

I found these instructions which seem well-detailed:
https://support.qlik.com/articles/000058520

On the server (Windows Server 2019) itself (i.e. not through a GPO):

  1. MMC > Security Templates > C:\Users\$USER\Documents\Security\Templates
    1.1 "New Template" > "MyServiceSecurityTemplate"
    1.2 "MyServiceSecurityTemplate" > "System Services" > "MyService" > "Properties"
    1.3
    "Define this policy setting in the template" = Checked
    "Select service startup mode: Automatic"
    ^ I.e. the service should always start with the server, so do we just control how the service starts, OR does it relate to which service startup events it logs?
    I.e. that it only logs when the service is started automatically and NOT when it is stopped / started / restarted manually?
    1.4 "Edit Security" > "Advanced" > "Auditing" > "Add" >
    "Principal: "
    "Type: Success"
    "Basic Permissions: Start, stop and pause"
    "OK" > "Apply" > "OK"> "Apply" > "OK" > "OK" > Prompt:
    "Security Policy. You are about to change the security setting for this service... Do you want to continue?" >
    "Yes" > "Apply" > "OK"

  2. Local Group Policy Editor > Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > System Audit Policies - Local Group Policy Object > Object Access:
    "Audit Handle Manipulation" and "Audit Other Objects Access Events" > "Properties"
    "Configure the selected events to be audited:
    Audit all success" > "Apply" > "OK"

  3. EventViewer > Windows Logs > Security:
    Filter for EventID 4656

No events found for that filter....

Why is that?

TheSwede86
  • I don't see where the security template is applied to the system. – Greg Askew Nov 29 '20 at 16:03
  • I just assume creating it locally and then editing different values in the template applies it after saving the changes in the template? – TheSwede86 Nov 29 '20 at 16:05
  • No the security settings need to be imported into the security database to go into effect. That is what the Security Configuration and Analysis tool does. – Greg Askew Nov 29 '20 at 16:35
  • There is a free tool that will configure this in a more friendly way. Using SCA/templates is a bit archaic. https://www.coretechnologies.com/products/WindowsServiceAuditor/ – Greg Askew Nov 29 '20 at 16:39
  • @GregAskew Thank you so much for your replies and suggestions. I prefer to make it work using the native tools in Windows and I added the "Security Configuration and Analysis" in MMC and then created a database and applied the template I created and restarted the server. Now I can see events with eventid 4656 but sadly no events for the particular service I configured when I restart it. Weird. I'll try and read up a bit more on this, probably me who is missing something. – TheSwede86 Nov 29 '20 at 17:08
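The two prerequisites discussed above (the subcategory from step 2 being enabled, and the audit SACL from step 1 actually being applied to the service) can be checked with native tools, and the resulting 4656 records pulled out by user, time and requested access. This is an added example, not code from the question or the linked Qlik article; the service name "MyService", the 24-hour window and the EventData field names (ObjectName, AccessMask, SubjectUserName, ProcessName) are assumptions about a standard 4656 record.

```powershell
# Added example, not from the question or the linked Qlik article. Assumes the
# service is "MyService" and that the audit SACL from step 1 has already been
# applied (Security Configuration and Analysis, or secedit /configure).
param([string]$ServiceName = 'MyService', [int]$Hours = 24)

# Check 1: the subcategory from step 2 must be enabled for Success.
auditpol /get /subcategory:"Other Object Access Events"

# Check 2: the service's own security descriptor must carry an audit (AU) ACE.
# "sc sdshow" prints SDDL; the SACL is the part after "S:". No AU entry means
# the template was never applied, so no 4656 will be written for the service.
$sddl = (sc.exe sdshow $ServiceName) -join ''
if ($sddl -notmatch 'S:.*\(AU;') {
    Write-Warning "No audit ACE in the SACL of '$ServiceName'; apply the template first."
}

# Check 3: list 4656 events for this service. The same XPath can be pasted
# into the XML tab of a Custom View in Event Viewer.
# Service access mask bits: 0x10 = Start, 0x20 = Stop, 0x40 = Pause/Continue.
$accessNames = @{ 0x10 = 'Start'; 0x20 = 'Stop'; 0x40 = 'Pause/Continue' }
$msSpan = $Hours * 3600000
$xpath  = "*[System[EventID=4656 and TimeCreated[timediff(@SystemTime) <= $msSpan]]]" +
          " and *[EventData[Data[@Name='ObjectName']='$ServiceName']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
  ForEach-Object {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $data = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    $mask = [int]$data['AccessMask']          # e.g. "0x30" -> 48
    $ops  = $accessNames.Keys | Where-Object { $mask -band $_ } |
            ForEach-Object { $accessNames[$_] }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Process = $data['ProcessName']        # services.msc, sc.exe, mmc.exe, ...
        Access  = if ($ops) { $ops -join '+' } else { $data['AccessMask'] }
        Object  = "$($data['ObjectServer'])/$($data['ObjectType'])"  # expected: SC Manager/SERVICE OBJECT
    }
  } | Sort-Object Time -Descending | Format-Table -AutoSize
```

If check 2 warns, the SACL never reached the service object, which matches the symptom in the last comment: 4656 events appear for other objects but none for MyService.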
