Microsoft security advisory: Update to improve Windows command-line auditing: February 10, 2015

Summary

Microsoft is announcing the availability of an update for supported editions of Windows 7, Windows Server 2008 R2, Windows 8, and Windows Server 2012. This update expands the Audit Process Creation policy to include the command-line information that is passed to every process. This is a new feature that provides valuable information to help administrators investigate, monitor, and troubleshoot security-related issues on their networks.

Introduction

Microsoft has released a Microsoft security advisory about this issue for IT professionals. The security advisory contains additional security-related information. To view the security advisory, go to the following Microsoft website:

More Information

This update adds a new feature to Windows that expands the Audit Process Creation policy. When this feature is enabled and configured, Windows logs an event every time that a process is created, and the event includes the command-line information that is passed to that process. These events are logged as the existing event ID 4688 in the Windows Security log. Monitoring these events can provide valuable information to help administrators troubleshoot and investigate security-related activities.

After this update is applied and configured, a new element within security event 4688 will appear with the name of Process Command Line, as shown in the following screen shot:

[Screen shot: Event 4688 showing the Process Command Line field]

To take full advantage of this feature, administrators must follow these steps:
  1. Enable the Audit Process Creation policy.
  2. Enable the "Include command line in process creation events" feature.
For more information about how to configure these two features, see the Configuration section.
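The following PowerShell script is an added example and is not part of the Knowledge Base article; it shows what an administrator can do with the expanded event once both settings above are in place. It reads recent event ID 4688 entries from the Security log, extracts the Process Command Line field (assumed to be the EventData element named CommandLine), masks obvious credential-style arguments because the article warns that command lines may carry passwords, and checks for event ID 4719 in the same window, which the article says is logged when the audit policy is overwritten. The script name and parameters are hypothetical; it needs an elevated session that can read the Security log.

```powershell
# Get-ProcessCommandLines.ps1 (hypothetical name, added example, not Microsoft's code)
# Summarises 4688 events with their Process Command Line field and flags 4719 events.
param(
    [int]$Hours = 1,                 # how far back to look
    [string[]]$ExcludeImage = @()    # optional image paths to leave out of the report
)

$since = (Get-Date).AddHours(-$Hours)

function Protect-Secret {
    # Masks the value that follows password/pwd/secret/token style switches so
    # that readers of the report do not see the raw credential (see the Note
    # in the article about sensitive data in command-line arguments).
    param([string]$CommandLine)
    return [regex]::Replace($CommandLine,
        '(?i)((?:-{1,2}|/)?(?:password|passwd|pwd|secret|token)\s*[:= ]\s*)(\S+)',
        '${1}[REDACTED]')
}

# Event ID 4688 = "A new process has been created" (Security log).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse the event XML so fields can be read by name instead of by position.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

    if ($ExcludeImage -contains $d['NewProcessName']) { continue }

    # CommandLine is empty when the "Include command line" setting is not enabled.
    $cmd = if ($d['CommandLine']) { Protect-Secret $d['CommandLine'] }
           else { '<not logged: enable "Include command line in process creation events">' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Image       = $d['NewProcessName']
        CommandLine = $cmd
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize -Wrap

# Event ID 4719 = "System audit policy was changed". The article notes it is
# logged when basic audit settings overwrite the advanced ones, so a 4719 in
# the same window means Process Creation auditing may no longer be in effect.
$changes = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4719; StartTime = $since } `
                        -ErrorAction SilentlyContinue
if ($changes) {
    Write-Warning "$(@($changes).Count) audit policy change event(s) (4719) since $since; confirm that Audit Process Creation is still enabled."
}
```

Run it as `.\Get-ProcessCommandLines.ps1 -Hours 4` from an elevated prompt. The redaction is a best-effort filter on the report only; it does not change what is stored in the Security log, so read access to that log still needs to be restricted as the article's Note describes.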


Background on the Audit Process Creation policy

The Audit Process Creation policy is a security audit policy that determines whether the operating system generates an audit event when a process is created. By default, this policy is not configured and no audit events are logged when processes are created. When this policy is enabled, event ID 4688 is generated and logged in the Windows Security log. Enabling this policy is required to make the expanded command-line auditing feature that's described in this security advisory work. For more information about the Audit Process Creation policy, see the following Microsoft TechNet article: 

Configuration

Enabling Audit Process Creation

To enable the Audit Process Creation policy, edit the following Group Policy settings:
Policy configuration: Details

Policy location: Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Configuration\Detailed Tracking
Policy name: Audit Process Creation
Default setting: Not Configured (not enabled)
Supported on: Windows 7 and later versions
Description: This security policy setting determines whether the operating system generates audit events when a process is created (starts) and the name of the program or user who created it. These audit events can help you understand how a computer is being used and to track user activity.
Event volume: Low to medium, depending on system usage

Enabling the "Include command line in process creation events" feature

To enable the new feature that's described in this Knowledge Base article, edit the following Group Policy settings:
Policy configuration: Details

Policy location: Administrative Templates\System\Audit Process Creation
Setting: Include command line in process creation events
Default setting: Not Configured (not enabled)
Supported on: Windows 7 and later versions
Description: This policy setting determines what information is logged in security audit events when a new process is created.

This setting applies only when the Audit Process Creation policy is enabled. If you enable this policy setting, the command-line information for every process will be logged in plain text in the Security log as part of Audit Process Creation event 4688, "a new process has been created," on the workstations and servers on which this policy setting is applied.

If you disable or do not configure this policy setting, the process's command-line information is not included in Audit Process Creation events.

Default: Not configured

Note When this policy setting is enabled, any user who has read access to the security events can read the command-line arguments for any successfully created process. Command-line arguments may contain sensitive or private information such as passwords or user data.
Note When you configure and use Advanced Audit Policy Configuration settings, you must confirm that the settings are not overwritten by basic audit policy settings. Event 4719 is logged when the settings are overwritten.

The basic audit policy settings can be checked by going to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy. You can make sure that the Advanced Audit Policy Configuration settings are not overwritten by enabling the "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" setting in the following location:

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options
If you do not already have a formal plan about how to deploy and use a security audit policy in your environment, we strongly recommend that you read the Security auditing documentation on TechNet and also in the Additional resources section.
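The following PowerShell script is an added example, not part of the Knowledge Base article, and it shows the local equivalent of the three settings described in this Configuration section: it enables the Process Creation audit subcategory with auditpol, enables command-line inclusion, enables the "force subcategory settings" option so that the basic audit policy does not overwrite the advanced one, and then prints the effective state so that the change can be verified. The registry value names (ProcessCreationIncludeCmdLine_Enabled under the policy Audit key and SCENoApplyLegacyAuditPolicy under the Lsa key) are the policy-backed values behind the Group Policy settings named in the article; they are not listed on the page and are stated here as an assumption. In a domain, the Group Policy paths in the tables above are the authoritative way to deploy this, and a domain policy will overwrite these local values at the next refresh.

```powershell
# Enable-CommandLineAuditing.ps1 (hypothetical name, added example, not Microsoft's code)
# Applies the three settings from the Configuration section locally and verifies them.
#Requires -RunAsAdministrator

# Assumed registry locations behind the Group Policy settings (not from the article).
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Audit Process Creation (Detailed Tracking subcategory). Success events are
#    the ones that produce 4688.
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:disable | Out-Null

# 2. "Include command line in process creation events"
if (-not (Test-Path $auditKey)) { New-Item -Path $auditKey -Force | Out-Null }
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. "Audit: Force audit policy subcategory settings ... to override audit policy
#    category settings", so the basic policy cannot silently overwrite step 1
#    (which the article says would be logged as event 4719).
Set-ItemProperty -Path $lsaKey -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Verification: effective subcategory state and both policy values.
Write-Host '--- Effective audit policy for Process Creation ---'
auditpol.exe /get /subcategory:"Process Creation"

Write-Host '--- Command-line inclusion (1 = enabled) ---'
(Get-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled').ProcessCreationIncludeCmdLine_Enabled

Write-Host '--- Force subcategory override (1 = enabled) ---'
(Get-ItemProperty -Path $lsaKey -Name 'SCENoApplyLegacyAuditPolicy').SCENoApplyLegacyAuditPolicy

# Quick end-to-end check: start a harmless process and confirm the newest 4688
# event carries its command line.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c echo cmdline-audit-check' -WindowStyle Hidden -Wait
$latest = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 20 -ErrorAction SilentlyContinue |
          Where-Object { $_.Message -match 'cmdline-audit-check' } | Select-Object -First 1
if ($latest) { Write-Host 'Command-line auditing is working: 4688 contains the test command line.' }
else         { Write-Warning 'No 4688 event with the test command line was found; check the settings above and the Security log size.' }
```

The end-to-end check is the part worth keeping in a deployment runbook: a registry value of 1 does not by itself prove that the Security log is receiving the field, and the test command line is a harmless echo that is easy to recognise in the log.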

Additional resources

For more information, go to the following Microsoft websites:

Microsoft Download Center links

The following files are available for download from the Microsoft Download Center.

Security update for Windows 7 (KB3004375): Download the package now.

Security update for Windows 7 for x64-based Systems (KB3004375): Download the package now.

Security update for Windows Embedded Standard 7 (KB3004375): Download the package now.

Security update for Windows Embedded Standard 7 for x64-based Systems (KB3004375): Download the package now.

Security update for Windows Server 2008 R2 x64 Edition (KB3004375): Download the package now.

Security update for Windows Server 2008 R2 for Itanium-based Systems (KB3004375): Download the package now.

Security update for Windows 8 (KB3004375): Download the package now.

Security update for Windows 8 for x64-based Systems (KB3004375): Download the package now.

Security update for Windows Server 2012 (KB3004375): Download the package now.

Release Date: February 10, 2015

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Known issues with this security update

  • After you apply this update, Microsoft System Center Configuration Manager clients that report to a particular server or subset of servers may repeatedly become inactive. You may also notice that the clients do not send inventory information for 30 days or more and that the data in the Inventoryagent.log file is static. Additionally, the ClientIDManagerStartup.log file displays repeated occurrences of the following error:

    [RegTask] - Client is not registered. Sending registration request for GUID:4874BD6C-CB98-4EEB-9F4F-721CC65B25C3 ...
    [RegTask] - Client is registered. Server assigned ClientID is GUID:4874BD6C-CB98-4EEB-9F4F-721CC65B25C3. Approval status 1
    SetRegistrationState failed (0x80071770)
    [RegTask] - Sleeping for 15360 seconds ...

    To resolve this issue, apply one of the following security updates:
    3023562 MS15-010: Description of the security update for Windows kernel mode driver: February 10, 2015
    3046049 MS15-031: Vulnerability in SChannel could allow security feature bypass: March 10, 2015
    Either update replaces your version of cng.sys. After you apply either of these updates and then restart the computer, the affected client will successfully send up a heartbeat and update the inventory data. This action will also enable the client to remain active.
  • After you apply this update, some web server applications may fail with decryption errors that resemble the following:

    Failed to decrypt using provider 'DataProtectionConfigurationProvider'. Error message from the provider: The specified file could not be decrypted. (Exception from HRESULT: 0x80071771)

    To resolve this issue, install security update 3046049. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
    3046049 MS15-031: Vulnerability in SChannel could allow security feature bypass: March 10, 2015

File information

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows 7 and Windows Server 2008 R2 file information
Windows 8 and Windows Server 2012 file information
File hash information
Properties

Article ID: 3004375 - Last Review: Jul 6, 2015 - Revision: 1

Windows Server 2012 Datacenter, Windows Server 2012 Standard, Windows Server 2012 Essentials, Windows Server 2012 Foundation, Windows 8 Enterprise, Windows 8 Pro, Windows 8, Windows RT, Windows Server 2008 R2 Service Pack 1, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Standard, Windows Web Server 2008 R2, Windows Server 2008 R2 Foundation, Windows 7 Service Pack 1, Windows 7 Ultimate, Windows 7 Enterprise, Windows 7 Professional, Windows 7 Home Premium, Windows 7 Home Basic, Windows 7 Starter