My laptop’s security log is getting full of access events where NETWORK SERVICE is listening for incoming traffic.
The audit policy for ‘Audit object access’ is set for failure and I want to disable it. It fails because the Windows Firewall is preventing connection.
When I go to the GPO editor the checkboxes for changing the settings are grayed out. My id on the laptop is a member of the administrators group.
>When I go to the GPO editor the checkboxes for changing the settings are grayed out.
When it’s grayed out it means you do not have permission because it is inheriting a domain policy. If you’re a local admin you can get around this, but considering it’s a work laptop you’re best leaving it alone.
The settings will be re-applied from the domain GPO not only at startup, but periodically at 90-minute intervals (assuming the default policy is left alone). There are some settings that don’t process in the background, like Software Installation and Folder Redirection, but the audit settings are not among them.
You can specify an update rate from 0 to 64,800 minutes, or disable it entirely, at the GPO, but I can’t quite picture how a local admin’s startup script could stop the process. Could you explain?
I forgot about the interval. Okay, schedule it every x mins via the built-in scheduler or use a script. Assuming the user knows the reg key that needs to change:
apply.ahk

    loop {
        sleep 60000
        RegWrite, insert key and data here
    }

Compile that as an .exe and put it in startup. Local admins need to be non-local admins or permissions taken from those keys explicitly if you want security.
This reduces the problem but doesn’t eliminate it. If the refresh kicks off at 10:06, and your script doesn’t run until 10:09, he’s got three minutes’ worth of wrong audit settings in existence.
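
Added example, not part of the original thread: since the thread shows the effective audit settings can differ from the domain GPO between background refreshes, an administrator can compare the effective Object Access settings against the expected baseline and report any drift. The baseline value `Failure`, the function name `Get-AuditDrift`, the machine name and the placeholder GUIDs are assumptions; the sample rows are constructed in the CSV layout that `auditpol /get /category:"Object Access" /r` prints.

```powershell
function Get-AuditDrift {
    param(
        [string[]]$CsvLines,            # auditpol /r output, one line per element
        [string]$Expected = 'Failure'   # assumed baseline: the thread's GPO audits failures
    )
    $CsvLines |
        Where-Object { $_ -and $_.Trim() } |   # skip any blank lines in the output
        ConvertFrom-Csv |
        Where-Object { $_.'Inclusion Setting' -ne $Expected } |
        Select-Object Subcategory,
            @{ Name = 'Expected'; Expression = { $Expected } },
            @{ Name = 'Actual';   Expression = { $_.'Inclusion Setting' } }
}

# Constructed sample (placeholder GUIDs, hypothetical machine name).
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
LAPTOP01,System,File System,{00000000-0000-0000-0000-000000000001},Failure,
LAPTOP01,System,Registry,{00000000-0000-0000-0000-000000000002},Failure,
LAPTOP01,System,Filtering Platform Connection,{00000000-0000-0000-0000-000000000003},No Auditing,
LAPTOP01,System,Filtering Platform Packet Drop,{00000000-0000-0000-0000-000000000004},No Auditing,
'@ -split '\r?\n'

# Live use from an elevated prompt instead of the sample:
#   $lines = auditpol /get /category:"Object Access" /r
#   $drift = Get-AuditDrift -CsvLines $lines
$drift = Get-AuditDrift -CsvLines $sample

if ($drift) {
    $drift | Format-Table -AutoSize
    Write-Warning "$(@($drift).Count) Object Access subcategories differ from the baseline."
} else {
    'Effective audit policy matches the baseline.'
}
```

Run against the sample, this reports the two Filtering Platform subcategories as drifted. Subcategory names and setting strings are localized, so the comparison as written assumes an English-language Windows install.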