Re: Audit Failures/READ_CONTROL SYNCHRONIZE
From: Binesh Bannerjee (binesh@hex21.com) Date: 03/26/02
- In reply to: Jonathan: "Re: Audit Failures/READ_CONTROL SYNCHRONIZE"
From: "Binesh Bannerjee" <binesh@hex21.com> Date: 26 Mar 2002 06:19:53 GMT
Jonathan <jonsteph283@hotmail.com> wrote:
: You're auditing File and Object Access; you've enabled Auditing on the files
: in the Winnt\System32 directory, and you're complaining about audit events
: in your Security log? :-)
: That particular audit event indicates that the SYSTEM requested a handle to
: the file CMD.EXE. When it did so, it requested the following accesses:
: READ_CONTROL
: SYNCHRONIZE
: ReadData (or ListDirectory)
: ReadEA
: ReadAttributes
: WriteAttributes
: You didn't include the entire event, so I can't tell if this is a Success or
: Failure audit.
OK, I just replicated the problem on another box... (The real boxes
are back to their usual people login as Administrator state...)
I replaced security on all files in c:\winnt with
  Administrators       Full Control
  Authenticated Users  Read
  SYSTEM               Full Control
enabled auditing on all files in c:\winnt
  Read               Failure
  Write              Success, Failure
  Execute            Failure
  Delete             Success, Failure
  Change Permission  Success, Failure
  Take Ownership     Success, Failure
and Audit policy is Audit These Events
  Logon and Logoff         Success, Failure
  File and Object Access   Failure
  Use of User Rights       Failure
  User/Group Management    Success, Failure
  Security Policy Changes  Success, Failure
  Restart,Shutdown,System  Success, Failure
  Process Tracking         Failure
And, here's the event generated when I logon as
a regular old user:
Date: 03/26/02
Time: 12:59:40 AM
User: user
Computer: VMWARE
Event ID: 560
Source: Security
Type: Failure Audit
Category: Object Access
Object Open:
  Object Server: Security
  Object Type: File
  Object Name: C:\WINNT\system32\syncui.dll
  New Handle ID: -
  Operation ID: {0,104099}
  Process ID: 2153051808
  Primary User Name: user
  Primary Domain: VMWARE
  Primary Logon ID: (0x0,0x18C7A)
  Client User Name: -
  Client Domain: -
  Client Logon ID: -
  Accesses: READ_CONTROL
            SYNCHRONIZE
            ReadData (or ListDirectory)
            ReadEA
            ReadAttributes
            WriteAttributes
  Privileges: -
What am I doing wrong?
I don't see cmd.exe in there, but my guess is that's because I don't run
any cmd scripts on this box... On the real ones I had a PDC serving login
scripts, and that probably called cmd.exe....
Thanks,
Binesh
: You can't mask events out of the security log in Event Viewer. You could
: export the events to a database on a regular basis and then filter the
: records in the database to suit you.
: I recommend that you take a look at this book in order to learn how and why
: to configure auditing on Windows NT:
: http://www.amazon.com/exec/obidos/ASIN/157231818X/qid=1017082254/sr=8-2/ref=sr_8_7_2/102-1580918-9288917
: -- Jonathan
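An added example, not part of this thread, of the triage step a defender would take with a record like the one above: parse the Event ID 560 text into fields, collect the requested accesses, and list the ones that fall outside what an NT "Read" permission grants. The granted set is the Win32 FILE_GENERIC_READ definition (READ_CONTROL, SYNCHRONIZE, ReadData, ReadEA, ReadAttributes); the sample event is the record above re-typed one field per line, and the function names are this example's own.

```python
"""Triage a Windows NT 'Object Open' (Event ID 560) audit record.

Parses the event text into fields, pulls out the list of requested
accesses, and reports which of them are not covered by the specific
rights that the NT "Read" permission grants.
"""

# Specific file rights that the NT "Read" permission (FILE_GENERIC_READ)
# includes: READ_CONTROL, SYNCHRONIZE, FILE_READ_DATA, FILE_READ_EA and
# FILE_READ_ATTRIBUTES. Spelled the way Event Viewer prints them.
READ_GRANTS = frozenset({
    "READ_CONTROL",
    "SYNCHRONIZE",
    "ReadData (or ListDirectory)",
    "ReadEA",
    "ReadAttributes",
})

# Constructed sample: the event from the post, one field per line.
SAMPLE_EVENT = r"""Event ID: 560
Source: Security
Type: Failure Audit
Category: Object Access
Object Open:
Object Server: Security
Object Type: File
Object Name: C:\WINNT\system32\syncui.dll
New Handle ID: -
Operation ID: {0,104099}
Process ID: 2153051808
Primary User Name: user
Primary Domain: VMWARE
Primary Logon ID: (0x0,0x18C7A)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Privileges -
"""


def parse_event_560(text):
    """Split an Event 560 body into 'Key: value' fields plus the multi-line
    Accesses and Privileges lists. Returns a dict with keys 'fields',
    'accesses' and 'privileges'."""
    fields, accesses, privileges = {}, [], []
    mode = None  # None, "accesses" or "privileges" while inside a list
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = line.split(None, 1)
        if head[0] in ("Accesses", "Privileges"):
            # The list starts on the same line as its label; "-" means empty.
            mode = head[0].lower()
            rest = head[1].strip() if len(head) > 1 else ""
            if rest and rest != "-":
                (accesses if mode == "accesses" else privileges).append(rest)
            continue
        if mode and ":" not in line:
            # Continuation line of the current list.
            (accesses if mode == "accesses" else privileges).append(line)
            continue
        mode = None
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return {"fields": fields, "accesses": accesses, "privileges": privileges}


def excess_accesses(accesses, granted=READ_GRANTS):
    """Requested accesses that the given permission set does not include."""
    return [a for a in accesses if a not in granted]


def triage(text):
    """Summarise one record: who opened what, the outcome, and which of the
    requested rights a plain Read grant would not have covered."""
    ev = parse_event_560(text)
    f = ev["fields"]
    return {
        "object": f.get("Object Name"),
        "user": f.get("Primary User Name"),
        "outcome": f.get("Type"),
        "requested": ev["accesses"],
        "beyond_read": excess_accesses(ev["accesses"]),
    }


if __name__ == "__main__":
    summary = triage(SAMPLE_EVENT)
    print(f"{summary['outcome']}: {summary['user']} -> {summary['object']}")
    print("requested:  ", ", ".join(summary["requested"]))
    print("beyond Read:", ", ".join(summary["beyond_read"]) or "(none)")
```

The comparison only says which requested rights a Read grant does not contain; the record itself does not name the right that was refused, so the result is a lead to check against the object's actual ACL, not a verdict.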