Re: Audit Failures/READ_CONTROL SYNCHRONIZE
From: Jonathan (jonsteph283@hotmail.com) Date: 03/25/02
- Next message: Dave Fraleigh: "NT 4 / W2K Password Extraction"
- Previous message: Jonathan: "Re: IIS Security and other security info"
- In reply to: Binesh Bannerjee: "Audit Failures/READ_CONTROL SYNCHRONIZE"
- Reply: Binesh Bannerjee: "Re: Audit Failures/READ_CONTROL SYNCHRONIZE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Jonathan" <jonsteph283@hotmail.com> Date: Mon, 25 Mar 2002 18:52:16 GMT
You're auditing File and Object Access; you've enabled Auditing on the files
in the Winnt\System32 directory, and you're complaining about audit events
in your Security log? :-)
That particular audit event indicates that the SYSTEM requested a handle to
the file CMD.EXE. When it did so, it requested the following accesses:
READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
You didn't include the entire event, so I can't tell if this is a Success or
Failure audit.
You can't mask events out of the security log in Event Viewer. You could
export the events to a database on a regular basis and then filter the
records in the database to suit you.
I recommend that you take a look at this book in order to learn how and why
to configure auditing on Windows NT:
http://www.amazon.com/exec/obidos/ASIN/157231818X/qid=1017082254/sr=8-2/ref=sr_8_7_2/102-1580918-9288917
-- Jonathan
"Binesh Bannerjee" <binesh-dated-1017664938.655328@hex21.com> wrote in
message news:a7n5vh$ouf$1@bob.news.rcn.net...
>
> Hi...
> OK, so I made myself a PDC, created a few users made the
> NETLOGON, and PROFILE shares and home directories, and everything was
> just fine. Then, I decided to tighten security on the boxes...
>
> I removed Everyone everywhere, and replaced it with Authenticated
> Users on both registry keys and files, and by default, they have
> RX/RX (on directories and files)... Then, I had to change HKEY_USERS/.DEFAULT
> to allow full access by all authenticated users? (Why is this? I don't
> understand why it needs this... (I went through each option (Query
> Value, Set Value ... etc. and only full control worked... *shrug*)))
> anyway, that's all great. Where I'm stumped is at the following
> Audit entries: I get 600 of them each time a user logs in:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: C:\WINNT\system32\CMD.EXE
> New Handle ID: -
> Operation ID: {0,244425}
> Process ID: 2156795904
> Primary User Name: SYSTEM
> Primary Domain: NT AUTHORITY
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: binesh
> Client Domain: HEX21
> Client Logon ID: (0x0,0x3B029)
> Accesses READ_CONTROL
> SYNCHRONIZE
> ReadData (or ListDirectory)
> ReadEA
> ReadAttributes
> WriteAttributes
> Privileges -
>
> Now, the accesses... Is that a list of things it couldn't do?
> Or is that like a stack trace of some function?
>
> Anyway, why is it happening? And, how do I prevent it or at least
> mask it from the logs, (if it's harmless)?
>
> permissions on C:\WINNT\system32\CMD.EXE =
> Administrators Full Control (All)
> Authenticated Users Read(RX)
> SYSTEM Full Control (All)
>
> It's not just the C:\WINNT\system32\CMD.EXE, tho, it's several files
> (I THINK every file accessed...) I've turned off Last Access Timestamp
> by adding the Registry key NtfsDisableLastAccessUpdate, so that shouldn't
> be it... I'm stumped!
>
> Any ideas/suggestions?
> Thanks,
> Binesh Bannerjee
>
>
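Added example, not part of either post: a Python script that does what Jonathan suggests in the reply above. It parses "Object Open" records in the form Binesh pasted, decodes the Accesses list (which, as Jonathan says, is the set of accesses the caller requested on the handle, not a list of failures) into the standard access-mask bits, exports the records to a SQLite table, and filters out the pattern in the thread: SYSTEM opening a file under C:\WINNT\system32 with no write or delete bit requested. The "noise" rule is an illustrative assumption, not something the thread states is safe; the access-name spellings other than the six in Binesh's event are assumed; and the second and third records are constructed for the demonstration.

```python
import re
import sqlite3

# Standard Windows access-mask bits keyed by the names the NT 4 / Windows 2000
# "Object Open" audit prints; names other than the six in Binesh's event are assumed.
ACCESS_BITS = {
    "ReadData (or ListDirectory)": 0x1, "WriteData (or AddFile)": 0x2,
    "AppendData (or AddSubdirectory or CreatePipeInstance)": 0x4,
    "ReadEA": 0x8, "WriteEA": 0x10, "Execute/Traverse": 0x20, "DeleteChild": 0x40,
    "ReadAttributes": 0x80, "WriteAttributes": 0x100, "DELETE": 0x10000,
    "READ_CONTROL": 0x20000, "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000,
    "SYNCHRONIZE": 0x100000,
}
# Bits that change content or the security descriptor; never classified as noise.
MODIFY_MASK = sum(ACCESS_BITS[n] for n in (
    "WriteData (or AddFile)", "AppendData (or AddSubdirectory or CreatePipeInstance)",
    "WriteEA", "DeleteChild", "DELETE", "WRITE_DAC", "WRITE_OWNER"))
FIELD_RE = re.compile(r"^([A-Za-z ]+?):\s*(.*)$")


def access_mask(names):
    """OR the named accesses into one mask; an unknown name raises KeyError on purpose."""
    mask = 0
    for name in names:
        mask |= ACCESS_BITS[name]
    return mask


def parse_object_open(text):
    """Parse one 'Object Open' record (as pasted from Event Viewer) into a dict."""
    head, _, rest = text.partition("Accesses")
    acc_text, _, priv = rest.partition("Privileges")
    rec = {}
    for line in head.strip().splitlines():   # "Client User Name: binesh" -> client_user_name
        m = FIELD_RE.match(line.strip())
        if m and m.group(2):
            rec[m.group(1).strip().lower().replace(" ", "_")] = m.group(2).strip()
    rec["accesses"] = [a.strip() for a in acc_text.strip().splitlines() if a.strip()]
    rec["privileges"] = priv.strip()
    rec["mask"] = access_mask(rec["accesses"])
    return rec


def load_events(texts):
    """Export parsed records into an in-memory SQLite table (stand-in for a real DB export)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE audit (object_name TEXT, primary_user TEXT,
                  client_user TEXT, mask INTEGER, accesses TEXT)""")
    for text in texts:
        r = parse_object_open(text)
        db.execute("INSERT INTO audit VALUES (?, ?, ?, ?, ?)",
                   (r["object_name"], r["primary_user_name"], r["client_user_name"],
                    r["mask"], ", ".join(r["accesses"])))
    db.commit()
    return db


def interesting_events(db):
    """Everything except the assumed noise rule: SYSTEM, file under System32, no modify bit."""
    return db.execute("""
        SELECT object_name, primary_user, client_user, accesses FROM audit
        WHERE NOT (primary_user = 'SYSTEM'
                   AND object_name LIKE 'C:\\WINNT\\system32\\%'
                   AND (mask & ?) = 0)
        ORDER BY object_name""", (MODIFY_MASK,)).fetchall()


# Constructed sample input: the record Binesh posted, with the quote marks removed.
EVENT_FROM_POST = """Object Open:
Object Server: Security
Object Type: File
Object Name: C:\\WINNT\\system32\\CMD.EXE
New Handle ID: -
Operation ID: {0,244425}
Process ID: 2156795904
Primary User Name: SYSTEM
Primary Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Client User Name: binesh
Client Domain: HEX21
Client Logon ID: (0x0,0x3B029)
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Privileges -
"""


def variant(base, object_name, accesses):
    """Constructed record: base's header fields with a different object and Accesses list."""
    head = base.split("Accesses")[0].replace("C:\\WINNT\\system32\\CMD.EXE", object_name)
    return head + "Accesses " + "\n".join(accesses) + "\nPrivileges -\n"


# Constructed: the same file opened with write and delete access, and the same
# read-only request against a file outside System32. Both survive the filter.
EVENT_WRITE = variant(EVENT_FROM_POST, "C:\\WINNT\\system32\\CMD.EXE",
                      ["READ_CONTROL", "SYNCHRONIZE", "WriteData (or AddFile)", "DELETE"])
EVENT_OTHER = variant(EVENT_FROM_POST, "C:\\Home\\binesh\\notes.txt",
                      ["READ_CONTROL", "SYNCHRONIZE", "ReadData (or ListDirectory)"])
```

Run as `python3 audit_filter.py` after dropping `print(interesting_events(load_events([EVENT_FROM_POST, EVENT_WRITE, EVENT_OTHER])))` at the bottom: the 600 copies of Binesh's record per logon fall out, the write/delete open of CMD.EXE and the open outside System32 stay. The mask for the posted record decodes to 0x120189, which has no bit in common with MODIFY_MASK; the filter keys on that and on the Primary User, not on the Client User, so a record where SYSTEM acts for binesh and one where binesh opens the file directly are treated the same way.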