Audit Failures/READ_CONTROL SYNCHRONIZE
From: Binesh Bannerjee (binesh-dated-1017664938.655328@hex21.com)
Date: 03/25/02
From: Binesh Bannerjee <binesh-dated-1017664938.655328@hex21.com>
Date: 25 Mar 2002 12:42:25 GMT
Hi...
OK, so I made myself a PDC, created a few users, made the
NETLOGON, and PROFILE shares and home directories, and everything was
just fine. Then, I decided to tighten security on the boxes...
I removed Everyone everywhere, and replaced it with Authenticated
Users on both registry keys and files, and by default, they have
RX/RX (on directories and files)... Then, I had to change HKEY_USERS/.DEFAULT
to allow full access by all authenticated users? (Why is this? I don't
understand why it needs this... (I went through each option (Query
Value, Set Value ... etc. and only full control worked... *shrug*)))
anyway, that's all great. Where I'm stumped is at the following
Audit entries: I get 600 of them each time a user logs in:
Object Open:
    Object Server: Security
    Object Type: File
    Object Name: C:\WINNT\system32\CMD.EXE
    New Handle ID: -
    Operation ID: {0,244425}
    Process ID: 2156795904
    Primary User Name: SYSTEM
    Primary Domain: NT AUTHORITY
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: binesh
    Client Domain: HEX21
    Client Logon ID: (0x0,0x3B029)
    Accesses READ_CONTROL
             SYNCHRONIZE
             ReadData (or ListDirectory)
             ReadEA
             ReadAttributes
             WriteAttributes
    Privileges -
Now, the accesses... Is that a list of things it couldn't do?
Or is that like a stack trace of some function?
Anyway, why is it happening? And, how do I prevent it or at least
mask it from the logs, (if it's harmless)?
permissions on C:\WINNT\system32\CMD.EXE =
Administrators Full Control (All)
Authenticated Users Read(RX)
SYSTEM Full Control (All)
It's not just the C:\WINNT\system32\CMD.EXE, tho, it's several files
(I THINK every file accessed...) I've turned off Last Access Timestamp
by adding the Registry key NtfsDisableLastAccessUpdate, so that shouldn't
be it... I'm stumped!
Any ideas/suggestions?
Thanks,
Binesh Bannerjee
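
An added example, not part of the original post: the Accesses field of an Object Open audit lists the access rights the caller requested, so comparing it with what an ACL entry grants shows which requested right the ACL does not cover. It assumes that Read (RX) means FILE_GENERIC_READ | FILE_GENERIC_EXECUTE and that only the Authenticated Users entry applies to the client user; the function names are hypothetical.

```python
import re

# NTFS file access-right bits (values from winnt.h).
RIGHTS = {
    "ReadData": 0x0001, "WriteData": 0x0002, "AppendData": 0x0004,
    "ReadEA": 0x0008, "WriteEA": 0x0010, "Execute": 0x0020,
    "ReadAttributes": 0x0080, "WriteAttributes": 0x0100,
    "DELETE": 0x00010000, "READ_CONTROL": 0x00020000,
    "WRITE_DAC": 0x00040000, "WRITE_OWNER": 0x00080000,
    "SYNCHRONIZE": 0x00100000,
}
# Assumption: "Read (RX)" = FILE_GENERIC_READ | FILE_GENERIC_EXECUTE.
READ_RX = 0x001200A9
FULL_CONTROL = 0x001F01FF  # FILE_ALL_ACCESS

# Part of the audit entry quoted in the post.
EVENT = """\
Object Name: C:\\WINNT\\system32\\CMD.EXE
Client User Name: binesh
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Privileges -
"""

def requested_rights(event_text):
    """Return the right names listed between 'Accesses' and 'Privileges'."""
    names, collecting = [], False
    for line in event_text.splitlines():
        line = line.strip()
        if line.startswith("Privileges"):
            break
        if line.startswith("Accesses"):
            collecting, line = True, line[len("Accesses"):].strip()
        if collecting and line:
            # "ReadData (or ListDirectory)" -> "ReadData"
            names.append(re.split(r"[ (/]", line)[0])
    return names

def ungranted(event_text, granted_mask):
    """Requested rights whose bit is absent from the granted access mask."""
    return [n for n in requested_rights(event_text) if RIGHTS[n] & ~granted_mask]

if __name__ == "__main__":
    print("requested:", requested_rights(EVENT))
    print("not granted by Read (RX):", ungranted(EVENT, READ_RX))
```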