Re: Audit Failures/READ_CONTROL SYNCHRONIZE
From: Binesh Bannerjee (binesh-dated-1017726143.c13ea8@hex21.com)
Date: 03/26/02
- Previous message: ziggy: "WixXP security audit codes"
- In reply to: Jonathan: "Re: Audit Failures/READ_CONTROL SYNCHRONIZE"
- Next in thread: Binesh Bannerjee: "Re: Audit Failures/READ_CONTROL SYNCHRONIZE"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Binesh Bannerjee <binesh-dated-1017726143.c13ea8@hex21.com> Date: 26 Mar 2002 05:42:52 GMT
Jonathan <jonsteph283@hotmail.com> wrote:
: You're auditing File and Object Access; you've enabled Auditing on the files
: in the Winnt\System32 directory, and you're complaining about audit events
: in your Security log? :-)
(I'm clearly clueless, eh? hehe! :) Forgive me, I'm just a linux guy,
trying to tighten up these Windows clients!)
: That particular audit event indicates that the SYSTEM requested a handle to
: the file CMD.EXE. When it did so, it requested the following accesses:
: READ_CONTROL
: SYNCHRONIZE
: ReadData (or ListDirectory)
: ReadEA
: ReadAttributes
: WriteAttributes
: You didn't include the entire event, so I can't tell if this is a Success or
: Failure audit.
It was a failure... I've enabled auditing of all failures and only a few
successes.
: You can't mask events out of the security log in Event Viewer. You could
: export the events to a database on a regular basis and then filter the
: records in the database to suit you.
No, I'd rather not mask them, or write anything to mask either... What
I'd like is to eliminate (hopefully) any false positives. Basically
on a weekly basis, I'd like to look at the security logs, and if I see
any failures, that should be something that needs my attention, is all...
I suspect that there's something that has to be done NORMALLY, that I'm
denying permission to, and that's what's causing the log entries...
Why is system not allowed access to what it needs tho, given that it has
full control on the file? (The user wasn't system tho, the user was a
regular old user (not administrator).) In terms of the permissions, what
right does that correspond to? (RWXPOD?) (Since, like I said,
SYSTEM has full control, Administrators have full control and Authenticated
Users have RX,RX access (almost everywhere, except C:\WINNT\Repair and
C:\WINNT\$NtUninstall*)
: I recommend that you take a look at this book in order to learn how and why
: to configure auditing on Windows NT:
: http://www.amazon.com/exec/obidos/ASIN/157231818X/qid=1017082254/sr=8-2/ref=sr_8_7_2/102-1580918-9288917
I'll do that... Just placed the order... In the meantime tho, do you
know what permissions would be appropriate for the files, directories and
registry keys? I forgot about what settings I had for the registry keys,
but files and directories are as I mentioned... registry keys I replaced
Everyone with Authenticated Users, and I believe anything that I thought
would change was denied to Authenticated users, but SYSTEM and
Administrators had full control...
Thanks,
Binesh Bannerjee
: -- Jonathan
: "Binesh Bannerjee" <binesh-dated-1017664938.655328@hex21.com> wrote in
: message news:a7n5vh$ouf$1@bob.news.rcn.net...
:>
:> Hi...
:> OK, so I made myself a PDC, created a few users made the
:> NETLOGON, and PROFILE shares and home directories, and everything was
:> just fine. Then, I decided to tighten security on the boxes...
:>
:> I removed Everyone everywhere, and replaced it with Authenticated
:> Users on both registry keys and files, and by default, they have
:> RX/RX (on directories and files)... Then, I had to change
:> HKEY_USERS/.DEFAULT
:> to allow full access by all authenticated users? (Why is this? I don't
:> understand why it needs this... (I went through each option (Query
:> Value, Set Value ... etc. and only full control worked... *shrug*)))
:> anyway, that's all great. Where I'm stumped is at the following
:> Audit entries: I get 600 of them each time a user logs in:
:> Object Open:
:> Object Server: Security
:> Object Type: File
:> Object Name: C:\WINNT\system32\CMD.EXE
:> New Handle ID: -
:> Operation ID: {0,244425}
:> Process ID: 2156795904
:> Primary User Name: SYSTEM
:> Primary Domain: NT AUTHORITY
:> Primary Logon ID: (0x0,0x3E7)
:> Client User Name: binesh
:> Client Domain: HEX21
:> Client Logon ID: (0x0,0x3B029)
:> Accesses READ_CONTROL
:> SYNCHRONIZE
:> ReadData (or ListDirectory)
:> ReadEA
:> ReadAttributes
:> WriteAttributes
:> Privileges -
:>
:> Now, the accesses... Is that a list of things it couldn't do?
:> Or is that like a stack trace of some function?
:>
:> Anyway, why is it happening? And, how do I prevent it or at least
:> mask it from the logs, (if it's harmless)?
:>
:> permissions on C:\WINNT\system32\CMD.EXE =
:> Administrators Full Control (All)
:> Authenticated Users Read(RX)
:> SYSTEM Full Control (All)
:>
:> It's not just the C:\WINNT\system32\CMD.EXE, tho, it's several files
:> (I THINK every file accessed...) I've turned off Last Access Timestamp
:> by adding the Registry key NtfsDisableLastAccessUpdate, so that shouldn't
:> be it... I'm stumped!
:>
:> Any ideas/suggestions?
:> Thanks,
:> Binesh Bannerjee
:>
:>
--
#! /usr/local/bin/perl
printf("--\n"); system("/crypt/binesh/bin/fortune"); printf("\n");
printf(" PGP Key: http://www.hex21.com/~binesh/binesh-public.asc\n");
printf(" SSH2 Key: http://www.hex21.com/~binesh/binesh-ssh2.pub\n");
printf(" SSH1 Key: http://www.hex21.com/~binesh/binesh-ssh1.pub\n");
printf("OpenSSH Key: http://www.hex21.com/~binesh/binesh-openssh.pub\n");
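Added here as a worked example (Python, not code from the thread): it decodes the Accesses list of the quoted Object Open event into a Win32 file access mask using the bit values from winnt.h, then compares that mask against each entry of the quoted CMD.EXE ACL. The Read (RX) preset is FILE_GENERIC_READ | FILE_GENERIC_EXECUTE, which covers every requested access except WriteAttributes, so the check fails when it is made for an Authenticated Users caller; the event's Client User Name (binesh) names the account the check was made for, which is why SYSTEM's own Full Control does not help. Right names that do not occur in the quoted event are assumed from the Security log's usual wording.

```python
import re
from functools import reduce
# Added example, not code from the thread: decode an NT "Object Open" audit event's
# "Accesses" list into a Win32 file access mask and report which requested rights
# each NTFS permission preset fails to grant. Bit values are from winnt.h.
RIGHTS = {  # keyed by the names the Security log uses for the file access bits
    "ReadData (or ListDirectory)": 0x1, "WriteData (or AddFile)": 0x2,
    "AppendData (or AddSubdirectory)": 0x4, "ReadEA": 0x8, "WriteEA": 0x10,
    "Execute/Traverse": 0x20, "DeleteChild": 0x40, "ReadAttributes": 0x80,
    "WriteAttributes": 0x100, "DELETE": 0x10000, "READ_CONTROL": 0x20000,
    "WRITE_DAC": 0x40000, "WRITE_OWNER": 0x80000, "SYNCHRONIZE": 0x100000,
}
# Generic rights (winnt.h) behind the permission-editor presets; the three
# entries below are the ACL quoted for CMD.EXE in the thread.
FILE_GENERIC_READ, FILE_GENERIC_EXECUTE, FILE_ALL_ACCESS = 0x120089, 0x1200A0, 0x1F01FF
PERMISSIONS = {
    "Administrators (Full Control)": FILE_ALL_ACCESS,
    "Authenticated Users (Read RX)": FILE_GENERIC_READ | FILE_GENERIC_EXECUTE,
    "SYSTEM (Full Control)": FILE_ALL_ACCESS,
}
# Constructed from the failure audit quoted in the thread (some fields trimmed).
EVENT = """Object Open:
 Object Name: C:\\WINNT\\system32\\CMD.EXE
 Primary User Name: SYSTEM
 Client User Name: binesh
 Accesses READ_CONTROL
 SYNCHRONIZE
 ReadData (or ListDirectory)
 ReadEA
 ReadAttributes
 WriteAttributes
 Privileges -
"""
def requested_accesses(event_text):
    """Return the access names listed between 'Accesses' and 'Privileges'."""
    m = re.search(r"Accesses\s*(.*?)\s*Privileges", event_text, re.S)
    return [ln.strip() for ln in m.group(1).splitlines() if ln.strip()] if m else []

def access_mask(names):
    """OR the named rights into one mask; an unknown name raises KeyError."""
    return reduce(lambda mask, name: mask | RIGHTS[name], names, 0)

def missing_rights(requested, granted):
    """Names of requested rights that the granted mask does not include."""
    return [n for n, bit in RIGHTS.items() if requested & bit and not granted & bit]

def report(event_text=EVENT, acl=PERMISSIONS):
    """Map each ACE to the requested rights it would fail to grant."""
    requested = access_mask(requested_accesses(event_text))
    return {ace: missing_rights(requested, granted) for ace, granted in acl.items()}
```

Calling report() on the quoted event shows Read (RX) lacking only WriteAttributes and both Full Control entries lacking nothing, so the WriteAttributes request is what turns this open into a failure audit for a plain user.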