Windows Event ID 4717 – Microsoft-Windows-Security-Auditing: System Security Access Was Granted

Start by examining the specific details of Event ID 4717 to understand what access was granted and to whom.

1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
2. Navigate to Windows Logs → Security
3. Filter for Event ID 4717 by right-clicking the Security log and selecting Filter Current Log
4. Enter 4717 in the Event IDs field and click OK
5. Double-click on a 4717 event to view detailed information including:
   • Subject account name and domain
   • Target account or object
   • Access rights granted
   • Process name and ID
   • Logon ID for correlation

Use PowerShell to query recent events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4717} -MaxEvents 50 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Analyze Event ID 4717 alongside related security events to understand the complete security context.

1. Identify the Logon ID from the 4717 event details
2. Search for related events using the same Logon ID:

# Replace 0x12345 with the actual Logon ID from your 4717 event
$LogonId = '0x12345'
Get-WinEvent -FilterHashtable @{LogName='Security'} | Where-Object {$_.Message -like "*$LogonId*"} | Select-Object TimeCreated, Id, Message

3. Look for these correlated events:
   • Event ID 4624 (Successful logon)
   • Event ID 4672 (Special privileges assigned)
   • Event ID 4648 (Logon using explicit credentials)
   • Event ID 4625 (Failed logon attempts)
4. Create a timeline of events to understand the security operation sequence

Investigate the process or service that requested the security access to determine if the privilege assignment is legitimate.

1. Extract the process information from the Event ID 4717 details
2. Verify the process legitimacy using PowerShell:

# Check running processes and their security context
Get-Process | Where-Object {$_.ProcessName -eq 'ProcessNameFromEvent'} | Select-Object Id, ProcessName, Path, StartTime

# Verify digital signature of the process
Get-AuthenticodeSignature -FilePath "C:\Path\To\Process.exe"

3. Check if the process is a known system service:

Get-Service | Where-Object {$_.ServiceName -like '*ServiceName*'} | Select-Object Name, Status, StartType, ServiceType

4. Review the process security context and privileges:

# Check process privileges (requires administrative access)
whoami /priv

# For specific process analysis, use Process Monitor or Process Explorer

5. Validate against your organization's approved software inventory

Enhance your security monitoring by configuring detailed audit policies to capture more context around Event ID 4717.

1. Open Local Security Policy or Group Policy Management Console
2. Navigate to Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration
3. Configure these audit subcategories:
   • Audit Security System Extension - Success and Failure
   • Audit Security State Change - Success and Failure
   • Audit System Integrity - Success and Failure
4. Apply the policy using PowerShell:

# Enable advanced security auditing
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable

# Verify current audit settings
auditpol /get /category:"System"

5. Configure Windows Event Forwarding for centralized monitoring:

# Configure event forwarding subscription
wecutil cs subscription.xml

# Check subscription status
wecutil gs SubscriptionName

Set up automated monitoring to detect unusual patterns in Event ID 4717 occurrences that might indicate security issues.

1. Create a PowerShell script for continuous monitoring:

# Monitor Event ID 4717 with alerting
$Query = @"

  
    *[System[EventID=4717]]
  

"@

# Register event watcher
Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4717" -Action {
    $Event = $Event.SourceEventArgs.NewEvent
    Write-Host "Security access granted: $($Event.Message)"
    # Add your alerting logic here
}

2. Configure Windows Event Log forwarding to SIEM systems
3. Set up custom views in Event Viewer for quick analysis:

# Custom view XML for Event Viewer

  
    *[System[EventID=4717 and TimeCreated[timediff(@SystemTime) <= 86400000]]]
  

4. Create scheduled tasks for regular security access reviews:

# Create scheduled task for daily security review
$Action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\SecurityReview.ps1"
$Trigger = New-ScheduledTaskTrigger -Daily -At "06:00AM"
Register-ScheduledTask -TaskName "Daily Security Access Review" -Action $Action -Trigger $Trigger