Microsoft Windows Common Criteria Evaluation Microsoft Windows 10 Version 1511 Operational Guidance




3. Managing Audits


This section contains the following Common Criteria SFRs:

  • Audit Data Generation (FAU_GEN.1), Security Audit Event Selection (FAU_SEL.1)

  • Extended: Audit Storage Protection (FAU_STG_EXT.1)

  • Specifications of Management Functions (FMT_SMF_EXT.1)

3.1 Audit Events


The following required audits are described for FAU_GEN.1:

| Description | Id |
| --- | --- |
| Start-up and shutdown of the audit functions | Windows Logs/Security: 4608, 1100 |
| All administrative actions | |
| Startup and shutdown of the OS and kernel | Windows Logs/Security: 4608, 1100 |
| Insertion or removal of removable media | Microsoft-Windows-Kernel-PnP/Device Configuration: 410 |
| Establishment of a synchronizing connection | Windows Logs -> System, Source: Schannel: 36880; Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 |
| Specifically defined auditable events from table 10 | |
| Audit records reaching [assignment: integer value less than 100] percentage of audit capacity, [assignment: other auditable events derived from this profile] | Windows Logs/Security: 1103 |

Table 1: FAU_GEN.1 audits
The following table correlates the set of administrative operations described in this document with their associated audits. Section FMT_SMF_EXT.1 has test procedures to produce these audits.

| Administrative Action | Id |
| --- | --- |
| 1. configure password policy: (a) minimum password length, (b) minimum password complexity, (c) maximum password lifetime | Windows Logs/Security: 4739 |
| 2. configure session locking policy: (a) screen-lock enabled/disabled, (b) screen lock timeout, (c) number of authentication failures | Windows Logs/Security: 4657 |
| 3. enable/disable the VPN protection: (a) across device, [(b) on a per-app basis, (c) no other method] | Windows Logs/Security: Enable: 4651, 5451; Disable: 4655, 5452 |
| 4. enable/disable [Wi-Fi, Bluetooth] | WiFi: Microsoft-Windows-WLAN-AutoConfig/Operational Id 11001 (enable), 11004 (disable); Bluetooth: Windows Logs/Security: 4657 |
| 5. enable/disable [camera, microphone]: (a) across device, [(b) on a per-app basis, (c) no other method] | Camera: Windows Logs/Security: 4657; Microphone: Microsoft-Windows-Audio/Operational: 65 |
| 6. specify wireless networks (SSIDs) to which the TSF may connect | Microsoft-Windows-WLAN-AutoConfig/Operational: 14001 |
| 7. configure security policy for each wireless network: (a) [selection: specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s), specify the FQDN(s) of acceptable WLAN authentication server certificate(s)], (b) security type, (c) authentication protocol, (d) client credentials to be used for authentication | Windows Logs/Security: 4656 |
| 8. transition to the locked state | Windows Logs/Security: 4800 |
| 9. TSF wipe of protected data | Success: System: 12; Failure: Wipe Failure Screen, System: 4502 |
| 10. configure application installation policy by [selection: (a) restricting the sources of applications, (b) specifying a set of allowed applications based on [assignment: application characteristics] (an application whitelist), (c) denying installation of applications] | Windows Logs/Security: 4657 |
| 11. import keys/secrets into the secure key storage | Microsoft-Windows-CAPI2/Operational: 90 |
| 12. destroy imported keys/secrets and [[any other keys/secrets]] in the secure key storage | System: 12 |
| 13. import X.509v3 certificates into the Trust Anchor Database | Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational: 1006 |
| 14. remove imported X.509v3 certificates and [[any other X.509v3 certificates]] in the Trust Anchor Database | Microsoft-Windows-CertificateServicesClient-Lifecycle-System: 1004 |
| 15. enroll the TOE in management | Microsoft-Windows-SystemSettingsThreshold/Operational: 510 |
| 16. remove applications | Microsoft-Windows-AppXDeploymentServer/Operational: 472 |
| 17. update system software | Windows Logs/Setup: 1, 2, 3 |
| 18. install applications | Microsoft-Windows-AppXDeploymentServer/Operational: 400 |
| 19. remove Enterprise applications | Microsoft-Windows-AppXDeploymentServer/Operational: 472 |
| 20. configure the Bluetooth trusted channel: (a) disable/enable the Discoverable mode (for BR/EDR), (b) change the Bluetooth device name, [selection: (d) disable/enable Advertising (for LE), (i) no other Bluetooth configuration] | Windows Logs/Security: 4657 |
| 21. enable/disable display notification in the locked state of: [(a) email notifications, (b) calendar appointments, (c) contact associated with phone call notification, (d) text message notification, (e) other application-based notifications, (f) all notifications] | Windows Logs/Security: 4657 |
| 22. enable/disable all data signaling over [USB hardware ports] | Windows Logs/Security: 4657 |
| 23. enable/disable [none] | |
| 24. enable/disable developer modes | Windows Logs/Security: 4657 |
| 25. enable data-at-rest protection | Windows Logs/System: Id 24667 |
| 26. enable removable media's data-at-rest protection | Windows Logs/System: Id 24579 |
| 27. enable/disable bypass of local user authentication | N/A |
| 28. wipe Enterprise data | N/A |
| 29. approve [import, removal] by applications of X.509v3 certificates in the Trust Anchor Database | N/A |
| 30. configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate | Windows Logs/Security: 4950 |
| 31. enable/disable the cellular protocols used to connect to cellular network base stations | N/A |
| 32. read audit logs kept by the TSF | Windows Logs/Security: 4673 |
| 33. configure [certificate] used to validate digital signature on applications | Import certificate: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational: 1006; Remove certificate: Microsoft-Windows-CertificateServicesClient-Lifecycle-System: 1004 |
| 34. approve exceptions for shared use of keys/secrets by multiple applications | Microsoft-Windows-AppXDeploymentServer/Operational: 400 |
| 35. approve exceptions for destruction of keys/secrets by applications that did not import the key/secret | Microsoft-Windows-AppXDeploymentServer/Operational: 400 |
| 36. configure the unlock banner | Windows Logs/Security: 4657 |
| 37. configure the auditable items | Windows Logs/Security: 4719 |
| 38. retrieve TSF-software integrity verification values | Windows Logs/Security: 4657 |
| 39. enable/disable [selection: (a) USB mass storage mode, (b) USB data transfer without user authentication, (c) USB data transfer without authentication of the connecting system] | N/A |
| 40. enable/disable backup to [remote system] | Windows Logs/Security: 4657 |
| 41. enable/disable [selection: (a) Hotspot functionality authenticated by [selection: pre-shared key, passcode, no authentication], (b) USB tethering authenticated by [selection: pre-shared key, passcode, no authentication]] | N/A |
| 42. approve exceptions for sharing data between [selection: application processes, groups of application processes] | N/A |
| 43. place applications into application process groups based on [assignment: application characteristics] | N/A |
| 44. enable/disable location services: (a) across device, [(b) on a per-app basis, (c) no other method] | Windows Logs/Security: 4657 |
| 45. [none] | N/A |

Table 2: Administrative Actions audits

| Requirement | Description | Additional Record Contents | Log: Event Id |
| --- | --- | --- | --- |
| FAU_SEL.1 | All modifications to the audit configuration that occur while the audit collection functions are operating. | No additional information. | Windows Logs/Security: 4719 |
| FCS_CKM_EXT.1 | [generation of a REK] | No additional information. | Windows Logs/System: 24 |
| FCS_CKM_EXT.5 | Success or failure of the wipe. | No additional information. | Windows Logs/System: Success: 12; Failure: 4502 |
| FCS_CKM.1(1) | Failure of key generation activity for authentication keys. | No additional information. | Microsoft-Windows-Crypto-NCrypt: 4 |
| FCS_HTTPS_EXT.1 | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate. [No additional information]. | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 |
| FCS_RBG_EXT.1 | Failure of the randomization process. | No additional information. | Windows Logs -> System: 20 |
| FCS_STG_EXT.1 | Import or destruction of key. [No other events] | Identity of key. Role and identity of requestor. | Import: Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient/Lifecycle-System: 1006; Destruction: Windows Logs/System: 12 |
| FCS_STG_EXT.3 | Failure to verify integrity of stored key. | Identity of key being verified. | Microsoft-Windows-Crypto-NCrypt: 3 (Task Category: Open Key Failure) |
| FCS_TLSC_EXT.1 | Failure to establish an EAP-TLS session. | | Windows Logs -> System: 36888; Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11, 41, 30 |
| FCS_TLSC_EXT.1 | Establishment/termination of an EAP-TLS session. | | Establishment: Windows Logs -> System: 36880; Termination: Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793 |
| FCS_TLSC_EXT.2 | Failure to establish a TLS session. | Reason for failure. | Windows Logs -> System: 36888; Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11, 41, 30 |
| FCS_TLSC_EXT.2 | Failure to verify presented identifier. | Presented identifier and reference identifier. | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 |
| FCS_TLSC_EXT.2 | Establishment/termination of a TLS session. | Non-TOE endpoint of connection. | Establishment: Windows Logs -> System, Source: Schannel: 36880; Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11. Termination: Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793 |
| FDP_DAR_EXT.1 | Failure to encrypt/decrypt data. | No additional information. | Windows Logs -> System: 24588 |
| FDP_STG_EXT.1 | Addition or removal of certificate from Trust Anchor Database. | Subject name of certificate. | Applications and Services Logs -> Microsoft -> Windows: Import: CAPI2: 90; Removal: CertificateServicesClient-Lifecycle-System / Operational: 1004 |
| FDP_UPC_EXT.1 | Application initiation of trusted channel. | Name of application. Trusted channel protocol. Non-TOE endpoint of connection. | HTTPS/TLS: Windows Logs -> System, Source: Schannel: 36880; Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11. Bluetooth: Windows Logs -> System: 8 |
| FIA_AFL_EXT.1 | Excess of authentication failure limit. | No additional information. | Exceeding failure limit: Windows Logs/Security: 4740 |
| FIA_BLT_EXT.1 | User authorization of Bluetooth device. User authorization for local Bluetooth service. | User authorization decision. Bluetooth address and name of device. Bluetooth profile. Identity of local service. | Windows Logs/System (BTHUSB): 8; Windows Logs/System (UserPnp): 20001 |
| FIA_BLT_EXT.2 | Initiation of Bluetooth connection. | Bluetooth address and name of device. | Windows Logs/System (BTHUSB): 8 |
| FIA_BLT_EXT.2 | Failure of Bluetooth connection. | Reason for failure. | Windows Logs/System (BTHUSB): 16 |
| FIA_UAU_EXT.2 | Action performed before authentication. | No additional information. | N/A due to no selection in Security Target |
| FIA_UAU_EXT.3 | User changes Password Authentication Factor. | No additional information. | Windows Logs/Security: 4723 |
| FIA_X509_EXT.1 | Failure to validate X.509v3 certificate. | Reason for failure of validation. | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 |
| FIA_X509_EXT.2 | Failure to establish connection to determine revocation status. | No additional information. | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11 |
| FMT_SMF_EXT.1 | Change of settings. | Role of user that changed setting. Value of new setting. | See Table 2: Administrative Actions audits |
| FMT_SMF_EXT.1 | Success or failure of function. | Role of user that performed function. Function performed. Reason for failure. | |
| FMT_SMF_EXT.1 | Initiation of software update. | Version of update. | Windows Logs/System: 19 |
| FMT_SMF_EXT.1 | Initiation of application installation or update. | Name and version of application. | Microsoft-Windows-AppXDeploymentServer/Operational: 400 |
| FMT_SMF_EXT.2 | Unenrollment. | Identity of administrator. Remediation action performed. | Un-enroll: Microsoft-Windows-SystemSettingsThreshold/Operational: 511 |
| FPT_AEX_EXT.4 | Blocked attempt to modify TSF data. | Identity of subject. Identity of TSF data. | Windows Logs/Security: 4656 |
| FPT_NOT_EXT.1 | [Measurement of TSF software]. | [Integrity verification value]. | Attestation log file |
| FPT_TST_EXT.1 | Initiation of self-test. Failure of self-test. | | Windows Logs/System: 20 |
| FPT_TST_EXT.2 | Start-up of TOE. | Boot Mode. | Windows Logs/System: 12 |
| FPT_TST_EXT.2 | [Detected integrity violations]. | [The TSF code that caused the integrity violation]. | Recovery Screen |
| FPT_TUD_EXT.2 | Success or failure of signature verification for software updates. | | Windows Logs/Setup: 1, 2, 3 |
| FPT_TUD_EXT.2 | Success or failure of signature verification for applications. | | Microsoft-Windows-AppXDeploymentServer/Operational: 400/404 for success/failure |
| FTA_TAB.1 | Change in banner setting. | No additional information. | Windows Logs/Security: 4657 |
| FTA_WSE_EXT.1 | All attempts to connect to access points. | Identity of access point. | Microsoft-Windows-WLAN-AutoConfig/Operational log event: 8001, 8003 |
| FTP_ITC_EXT.1 | Initiation and termination of trusted channel. | Trusted channel protocol. Non-TOE endpoint of connection. | IPsec: Windows Logs/Security: 4651, 5451, 4655, 5452. HTTP/TLS: Windows Logs -> System, Source: Schannel: 36880; Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational: 11; Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf: 1793. EAP-TLS/802.1x/802.11-2012: Microsoft-Windows-WLAN-AutoConfig/Operational: 8001, 8003 |

Table 3: Audits for Security Target Table 10


| Id | Log location | Message | Fields |
| --- | --- | --- | --- |
| 1 | Windows Logs -> Setup | Initiating changes for package | Logged: PackageIdentifier; InitialPackageState: Resolved; IntendedPackageState: Installed; ErrorCode |
| 2 | Windows Logs -> Setup | Package was successfully changed to the Installed state | Logged: PackageIdentifier; IntendedPackageState: Installed; ErrorCode |
| 3 | Windows Logs -> Setup | Windows update could not be installed because … "The data is invalid" | Logged: Commandline; ErrorCode |
| 3 | Microsoft-Windows-Crypto-NCrypt | Open key operation failed | Logged: Provider Name; Key Name |
| 4 | Microsoft-Windows-Crypto-NCrypt | Create key operation failed | Logged: Provider Name; Key Name; Algorithm Name |
| 8 | Windows Logs -> System, Source: BTHUSB | The remote adapter <remote bluetooth radio address> was successfully paired with the local adapter. | Logged: EventData |
| 9 | Windows Logs -> System, Source: BTHUSB | The remote adapter <remote bluetooth radio address> was added to the list of personal devices. | Logged: EventData |
| 11 | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational | Build Chain | System/TimeCreated/SystemTime; UserData/CertGetCertificateChain/Certificate/subjectName; UserData/CertGetCertificateChain/CertificateChain/ChainElement/Certificate TrustStatus -> ErrorStatus: 1> |
| 12 | Windows Logs -> System | The operating system started at system time | Logged: (no fields listed). This event, with no other earlier events, indicates a wipe has occurred. |
| 16 | Windows Logs -> System, Source: BTHUSB | The mutual authentication between the local Bluetooth adapter and a device with Bluetooth adapter address failed. | Logged: Data |
| 19 | Windows Logs -> System | Installation Successful: Windows successfully installed the following update: | Logged: Security ID; updateTitle; updateGuid; serviceGuid; updateRevisionNumber |
| 20 | Windows Logs -> System, Source: Kernel-Boot | The last boot's success was . | Logged: LastBootGood |
| 21 | Windows Logs -> System, Source: Kernel-Boot | The OS loader advanced options menu was displayed and the user selected option | Logged: OptionSelected. Note: this event is recorded if the operating system was started in an auxiliary boot mode, whereas its absence indicates the operating system started in normal boot mode. |
| 24 | Windows Logs -> System, Source: TPM | The Trusted Platform Module (TPM) status: and . | Logged: |
| 30 | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational | Verify Chain Policy | System -> TimeCreated -> SystemTime; UserData -> CertVerifyCertificateChainPolicy -> Certificate -> subjectName; UserData -> Result value -> error: Error 0x800B010F: The certificate's CN name does not match the passed value. |
| 41 | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational | Verify Revocation | System -> TimeCreated -> SystemTime; UserData -> CertVerifyRevocation -> Certificate -> subjectName; UserData -> RevocationStatus -> error: 2> |
| 65 | Applications and Services Logs -> Microsoft -> Windows -> Audio -> Operational | Audio device state changed | Logged: User ID; New State: <1 for enabled, 2 for disabled> |
| 90 | Applications and Services Logs -> Microsoft -> Windows -> CAPI2 -> Operational | | Logged: Security UserID; Subject |
| 400 | Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational | Deployment Add operation on Package from: (<.appx pathname>) finished successfully | Logged: User ID; PackageFullName; Path: <.appx pathname> |
| 404 | Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational | AppX Deployment operation failed for package with error . The specific error text for this failure is: . | Logged: User ID; PackageFullName |
| 410 | Applications and Services Logs -> Microsoft -> Windows -> Kernel-PnP -> Device Configuration | Device <DeviceInstanceId> was started | Logged: Security ID; DeviceInstanceId |
| 472 | Applications and Services Logs -> Microsoft -> Windows -> AppXDeployment-Server -> Microsoft-Windows-AppXDeployment-Server/Operational | Moving package folder <%program files location%\ to <%deleted program files location%\. Result: | Logged: Security ID; SourceFolderPath: <%program files location%\; DestinationFolderPath: <%deleted program files location%\ |
| 510 | Applications and Services Logs -> Microsoft -> Windows -> SystemSettingsThreshold -> Operational | Attempted to turn on workplace device management. Result is ending at phase 3 | Logged: Security UserID; ResultCode; CorpDeviceOperationPhase: 3 |
| 511 | Microsoft-Windows-SystemSettingsThreshold/Operational | Attempted to turn off workplace device management. Result is | Logged: Security. Remediation action removed Enterprise apps. |
| 801 | Applications and Services Logs -> Microsoft -> Windows -> Kernel-PnP -> Device Configuration | Enable PnP device. | |
| 830 | Applications and Services Logs -> Microsoft -> Windows -> Kernel-PnP -> Device Configuration | Disable PnP device | |
| 1004 | Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational | A certificate has been deleted | Logged: Security ID; SubjectNames; Thumbprint; EKUs; NotValidAfter |
| 1006 | Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-User -> Operational; Applications and Services Logs -> Microsoft -> Windows -> CertificateServicesClient-Lifecycle-System -> Operational | A new certificate has been installed. | Logged: Subject; Thumbprint |
| 1015 | Applications and Services Logs -> Microsoft -> Windows -> Wcmsvc -> Operational | Interface token applied | Logged: Security ID; Media type; AutoProfiles |
| 1100 | Windows Logs -> Security, Subcategory: Security State Change | The event logging service has shut down | Logged: Keywords |
| 1103 | Windows Logs -> System | The security audit log is now percent full. | Logged: Keywords |
| 1104 | Windows Logs -> System | The security audit log is full. | Logged: Keywords |
| 1793 | Applications and Services Logs -> Microsoft -> Windows -> SChannel-Events -> Perf | | Logged: |
| 3004 | Windows Logs -> System | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. | Logged: Level; Task category; User; Machine; General Description |
| 4502 | Microsoft-Windows-ResetEng | Attempt to restore the system to original condition has failed. Changes to the system have been undone. | Logged: |
| 4608 | Windows Logs -> Security, Subcategory: Security State Change | Startup of audit functions | Logged: Task category; Keywords |
| 4624 | Windows Logs -> Security, Subcategory: Logon | An account was successfully logged on. | Logged: Security ID; Account Name; Account Domain; Workstation Name; Logon Type; LogonID; Source Network Address |
| 4651 | Windows Logs -> Security, Subcategory: IPsec Main Mode | IPsec main mode security association was established. A certificate was used for authentication. | Logged: Task category; Local Endpoint; Remote Endpoint; Keying Module Name; Local Certificate; Remote Certificate; Cryptographic Information; Keywords |
| 4655 | Windows Logs -> Security, Subcategory: IPsec Main Mode | IPsec main mode security association ended | Logged: Task category; Local Endpoint; Remote Endpoint; Keying Module Name; Keywords |
| 4656 | Windows Logs -> Security, Subcategory: Handle Manipulation | A handle to an object was requested. | Logged: Security ID; Object Name; Accesses; Access Mask; Keywords |
| 4657 | Windows Logs -> Security, Subcategory: Registry | Registry entry change | Logged: Task category; Security ID; Object name; Changes; Keywords |
| 4673 | Windows Logs -> Security, Subcategory: Sensitive Privilege Use / Non Sensitive Privilege Use | A privileged service was called. | Logged: Security ID; Account Name; Account Domain; Keywords |
| 4719 | Windows Logs -> Security, Subcategory: Audit Policy Change | System audit policy was changed | Logged: Task category; Task Subcategory; Subcategory GUID; Security ID; Account Name; Account Domain; Login ID; Changes; Keywords |
| 4723 | Windows Logs -> Security, Subcategory: User Account Management | An attempt was made to change an account's password. | Logged: Security ID; Keywords |
| 4739 | Windows Logs -> Security, Subcategory: Authentication Policy Change | Domain Policy was changed. | Logged: Security ID; Account Name; Account Domain; Category; Subcategory; Changes |
| 4740 | Windows Logs -> Security, Subcategory: User Account Management | A user account was locked out | Logged: Security ID; Account Name; Account Domain |
| 4800 | Windows Logs -> Security, Subcategory: Logoff | The workstation was locked. | Logged: Security UserID; Account Name; Account Domain |
| 4801 | Windows Logs -> Security, Subcategory: Logon | The workstation was unlocked. | Logged: Security ID; Account Name; Account Domain |
| 4950 | Windows Logs -> Security, Subcategory: MPSSVC Rule-Level Policy Change | A Windows Firewall setting has changed. | Logged: Security ID; Value |
| 5058 | Windows Logs -> Security, Subcategory: System Integrity | Key file operation | Logged: Task category; Subject; Cryptographic Parameters; Key file operation information |
| 5061 | Windows Logs -> Security, Subcategory: System Integrity | Cryptographic operation. | Logged: Task category; Subject; Cryptographic parameters; Cryptographic operation |
| 5447 | Windows Logs -> Security, Subcategory: Other Policy Change Events | Windows Filtering Platform filter has been changed | Logged: Task category; Change type; Filter ID; Filter Name; Layer ID; Layer Name; Additional Information |
| 5450 | Windows Logs -> Security, Subcategory: Filtering Platform Policy Change | Windows Filtering Platform sub-layer has been changed | Logged: Task category; Change type; Sub-layer ID; Sub-layer Name |
| 5451 | Windows Logs -> Security, Subcategory: IPsec Quick Mode | IPsec quick mode security association was established | Logged: Task category; Local Endpoint; Remote Endpoint; Keying Module Name; Cryptographic Information; Keywords |
| 5452 | Windows Logs -> Security, Subcategory: IPsec Quick Mode | IPsec quick mode security association ended | Logged: Task category; Local Endpoint; Remote Endpoint; Cryptographic Information; Keywords |
| 5038 | Windows Logs -> Security, Subcategory: System Integrity | Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. | Logged: Task category; File Name: <file failing integrity check> |
| 5446 | Windows Logs -> Security, Subcategory: Filtering Platform Policy Change | Windows Filtering Platform callout has been changed | Logged: Task category; Change type; Callout ID; Callout Name; Layer ID; Layer Name; Keywords |
| 8000 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service started a connection to a wireless network | Logged: Network Adapter |
| 8001 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service has successfully connected to a wireless network | Logged: SSID (non-TOE endpoint of connection); Authentication: WPA2-Enterprise (protocol); 802.1x Enabled: Yes (protocol) |
| 8003 | Microsoft-Windows-WLAN-AutoConfig/Operational | WLAN AutoConfig service has successfully disconnected from a wireless network | Logged: SSID: <Wireless network name> (non-TOE endpoint of connection); Network Adapter |
| 11001 | Microsoft-Windows-WLAN-AutoConfig/Operational | Wireless network association succeeded | Logged: Network Adapter; Local MAC address |
| 11004 | Microsoft-Windows-WLAN-AutoConfig/Operational | Wireless security stopped | Logged: Network Adapter; Local MAC address |
| 11010 | Applications and Services Logs -> Microsoft -> Windows -> WLAN-AutoConfig -> Operational | Wireless Security Started | Logged: Network Adapter; Local MAC Address |
| 14001 | Microsoft-Windows-WLAN-AutoConfig/Operational | New Wireless Network Policy | Logged: Applied Settings |
| 20001 | Windows Logs -> System, Source: UserPnP | Driver Manager concluded the process to install driver for Device Instance ID | Logged: Security UserID; DeviceInstanceID; SetupClass |
| 24579 | Windows Logs -> System | Encryption of volume : completed | Logged: Security UserID; Volume |
| 24667 | Windows Logs -> System | Bitlocker finalization sweep completed for volume : | Logged: Security UserID; Volume |
| 24588 | Windows Logs -> System | The conversion operation on volume encountered a bad sector error. | Logged: Volume |
| 36880 | Windows Logs -> System, Source: Schannel | An SSL client handshake completed successfully. The negotiated cryptographic parameters are as follows. | Logged: Protocol; CipherSuite |
| 36888 | Windows Logs -> System, Source: Schannel | A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is %1. | Logged: Reason for failure (error code, see the list below); Protocol |
| Recovery Screen | Windows Logs -> System and Display | System event Id 20 is recorded by source Kernel-Boot indicating event data "LastBootGood" as "false". This event is recorded together with the indication, on the Recovery screen, of the TSF executable that caused the failed boot. | |
| Wipe Failure Screen | Display | There was a problem resetting your PC. No changes were made. | On logon a message is displayed to the user indicating that the recovery operation of the system failed. |
| Bitlocker recovery | Display | Bitlocker recovery | On startup a message is displayed requesting the Bitlocker recovery key |

The following are the possible error codes for event 36888:

| Description | Error Code Value |
| --- | --- |
| Unexpected message | 10 |
| Bad record MAC | 20 |
| Record overflow | 22 |
| Decompression fail | 30 |
| Handshake failure | 40 |
| Illegal parameter | 47 |
| Unknown CA | 48 |
| Access denied | 49 |
| Decode error | 50 |
| Decrypt error | 51 |
| Protocol version | 70 |
| Insufficient security | 71 |
| Internal error | 80 |
| Unsupported extension | 110 |

Table 4: Audit Descriptions
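As an added example (not part of the Microsoft guidance), the following PowerShell pulls the audit-function, audit-capacity and TLS session events that Tables 1 and 3 list (Security 4608, 1100, 1103, 4719; System/Schannel 36880, 36888; CAPI2 Operational 11, 30, 41) and decodes the fatal alert code of each 36888 event with the error-code table above. The function name Get-CCAuditEvents, the one-day default window and the assumption that the alert code is the first data item of event 36888 are the example's own.

```powershell
# Added example: collect the Common Criteria audit events listed in this section
# and decode Schannel 36888 fatal alert codes. Run with rights to read the Security log.

# TLS alert descriptions for Schannel event 36888, from the error-code table above.
$TlsAlertCodes = @{
    10 = 'Unexpected message'; 20 = 'Bad record MAC';     22 = 'Record overflow'
    30 = 'Decompression fail'; 40 = 'Handshake failure';  47 = 'Illegal parameter'
    48 = 'Unknown CA';         49 = 'Access denied';      50 = 'Decode error'
    51 = 'Decrypt error';      70 = 'Protocol version';   71 = 'Insufficient security'
    80 = 'Internal error';    110 = 'Unsupported extension'
}

function Get-CCAuditEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))   # hypothetical default window

    # Audit function start/stop (4608, 1100), capacity warning (1103) and
    # audit policy change (4719) from the Security log (Tables 1 and 3).
    $security = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4608, 1100, 1103, 4719; StartTime = $Since }

    # TLS session establishment (36880) and fatal alerts (36888), System log, source Schannel.
    $schannel = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Schannel'; Id = 36880, 36888; StartTime = $Since }

    # CAPI2 Build Chain (11), Verify Chain Policy (30) and Verify Revocation (41)
    # entries that Table 3 pairs with TLS and certificate validation failures.
    $capi2 = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-CAPI2/Operational'; Id = 11, 30, 41; StartTime = $Since }

    foreach ($e in @($security) + @($schannel) + @($capi2)) {
        if ($null -eq $e) { continue }      # a query that matched nothing yields $null
        $detail = ''
        if ($e.Id -eq 36888) {
            # Assumption: the first data item of 36888 is the alert code (%1 in the message).
            $code = [int]$e.Properties[0].Value
            $name = if ($TlsAlertCodes.ContainsKey($code)) { $TlsAlertCodes[$code] } else { 'unknown alert' }
            $detail = "alert $code ($name)"
        }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Log     = $e.LogName
            Source  = $e.ProviderName
            Id      = $e.Id
            Level   = $e.LevelDisplayName
            Detail  = $detail
            Message = ($e.Message -split "`r?`n")[0]   # first line only, for a compact listing
        }
    }
}

Get-CCAuditEvents | Sort-Object Time | Format-Table -AutoSize
```

The CAPI2 Operational log is disabled by default, so enable it in Event Viewer before expecting events 11, 30 or 41 to appear.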
