Re: Security Event Log (audit object access) logging too much?

From: - AJS (a)
Date: 06/05/03

Date: 5 Jun 2003 13:16:51 -0500

"Roc" <> wrote:
>I've set up audit logging on my Windows 2000 SP3 file server.
>I want the security event log to log every time a file changes in a certain
>subdirectory; meaning the data contained within the file is modified. I
>also want file deletions logged.
>I set up the Audit Logging on the directory to log successful access by
>"Everyone" and checked the boxes labeled "Create Files / Write Data",
>"Create Folders / Append Data", "Delete Subfolders and Files", and "Delete".
>I did not get the results I anticipated in the event log. I scaled back my
>auditing this morning to include only the check boxes "Create Files / Write
>Data" and "Delete", hoping this might fix my problem, but figured I'd post
>it looking for ideas anyhow...
>Specifically, my problem is that when I look at Event Log, it reports
>something like the following: (results from dumpel.exe)
>7)/username/DOMAIN/(0x0,0x11EC7581)/%%1538 %%4417 %%4418 %%4420
>%%4423 %%4424 /-/"
>Now, I know "username" did not *modify* the EXE, the person only ran the EXE
>remotely from their workstation. This keeps happening over and over, and it
>pollutes the data I am trying to collect - I don't know if the file is
>actually modified or just being "accessed". (The file server holds
>thousands of EXEs, none of which are changed).
>My suspicion is that a handle to the server object is being created to serve
>the workstation the actual file being accessed remotely. My audits are
>logging the memory-based "copies" of the objects the workstation requests,
>and when the workstation closes the file, the object is deleted from
>memory - and that delete is also logged in the Security log. This seems to
>fit with what I'm seeing in the log - 2 entries per file that is
>*accessed* - not just modified (well, the memory *is* modified, so logging
>appears correct - but I don't want to know about that stuff). Most of my
>files are not being modified or deleted - but how can I tell them apart?
>1. Is this a correct assesment?
>2. And more importantly, can I audit only changes & deletes to files like I

Hi Mike,

A couple things come to mind.

1) The Audit events should only be tripped by File Write, File Delete
processes, not removal from memory after Execution. I do Not know the cause of
the log entries, but they do not match my own quick testing of the same setup.

2) To 'Save Changes' in many documents requires Delete priv's in order to
remove the old copy. MS Word is one such app.

3) Let's fix your issue, and then audit.

Consider using XCACLS.EXE from the resource kit, and work from the following
assumption: You need to secure all files in %Path% with an .EXE extension.

First, run the following to APPLY Everyone=Read&Execute only on %Path%\*.EXE.

XCACLS %PATH%\*.EXE /G Everyone:RXE /T /E /C /Y

Test that a bit. It does a lot more than the GUI Security Editor. Read the doc
and pay special attention to Directory Inherritance.

Now, audit for Failed: {Write, Delete, Change} events and you should be good to


----== Posted via Newsfeed.Com - Unlimited-Uncensored-Secure Usenet News==---- The #1 Newsgroup Service in the World! >100,000 Newsgroups
---= 19 East/West-Coast Specialized Servers - Total Privacy via Encryption =---