RE: [Full-Disclosure] M$ - so what should they do?

From: Eric Paynter (eric_at_arcticbears.com)
Date: 06/22/04

    To: full-disclosure@lists.netsys.com
    Date: Mon, 21 Jun 2004 20:31:19 -0700 (PDT)
    
    

    On Mon, June 21, 2004 6:14 pm, Stuart Fox (DSL AK) said:
    > You've got some valid points but there is one thing that you've overlooked
    > - auditing.
    [...]
    > Having said that, I've never actually met anyone who uses the registry
    > auditing, but I'm sure they're out there.

    I actually knew a group who once tried to use Windows auditing. After
    working on it for months they gave up. I never got the full details of
    why, but apparently it doesn't work exactly as expected. Something to do
    with the fact that in some cases, it logs what you *could have done*
    rather than what you *actually did*. In other words, when the audit logs
    say it granted permission to do something, that doesn't mean you
    actually did it. Just that you were granted permission to do it, which to
    many implies that you did it. However, it wouldn't hold up in court as
    evidence of something having been done.

    > It tends to be more related to issues such as dll's needing to be
    > registered etc.

    Registered where? ;-)

    -Eric

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
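
The granted-versus-exercised distinction discussed in the message above, as an added example that is not part of the original post: it correlates handle-request records with access-attempt records per handle and reports rights that were granted but never used. It assumes the current Windows Security event IDs 4656, 4663 and 4658, which postdate this message; the events, users and registry key are constructed.

```python
# Added example: constructed events, not real log data.
# Field names follow Windows Security events 4656 (handle requested),
# 4663 (access attempted) and 4658 (handle closed).
KEY_RIGHTS = {0x1: "QueryValue", 0x2: "SetValue", 0x4: "CreateSubKey", 0x10000: "DELETE"}
OBJ = r"\REGISTRY\MACHINE\SOFTWARE\ExampleApp"  # hypothetical key


def ev(event_id, user, pid, handle, mask=0):
    return {"EventID": event_id, "SubjectUserName": user, "ProcessId": pid,
            "HandleId": handle, "ObjectName": OBJ, "AccessMask": mask}


EVENTS = [
    ev(4656, "alice", "0x4c0", "0x1a4", 0x3),    # granted QueryValue + SetValue
    ev(4663, "alice", "0x4c0", "0x1a4", 0x1),    # only QueryValue exercised
    ev(4658, "alice", "0x4c0", "0x1a4"),         # handle closed
    ev(4656, "bob", "0x7e8", "0x2b0", 0x10002),  # granted SetValue + DELETE, never used
    ev(4656, "alice", "0x4c0", "0x1a4", 0x2),    # same handle value reused after close
    ev(4663, "alice", "0x4c0", "0x1a4", 0x2),    # SetValue exercised
]


def right_names(mask):
    """Decode the registry-key access bits this example knows about."""
    return [name for bit, name in KEY_RIGHTS.items() if mask & bit]


def summarize(events):
    """One row per handle open: rights granted at open vs. rights later exercised."""
    open_handles, report = {}, []
    for e in events:
        key = (e["ProcessId"], e["HandleId"])  # handle values are per-process
        if e["EventID"] == 4656:
            row = {"user": e["SubjectUserName"], "object": e["ObjectName"],
                   "granted": e["AccessMask"], "used": 0}
            open_handles[key] = row
            report.append(row)
        elif e["EventID"] == 4663 and key in open_handles:
            open_handles[key]["used"] |= e["AccessMask"]
        elif e["EventID"] == 4658:
            open_handles.pop(key, None)  # a later 4656 may reuse this handle value
    return report


if __name__ == "__main__":
    for row in summarize(EVENTS):
        unused = row["granted"] & ~row["used"]
        print(row["user"], "granted", right_names(row["granted"]),
              "used", right_names(row["used"]), "unused", right_names(unused))
```
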

