Re: Security Event Log (audit object access) logging too much?
From: Roc (mcnutt_at_aqssys.com)
Date: 06/06/03
- Previous message: Perry Kühnen: "SANS Windows ON-LINE security course with local mentor program !!!!!!!!!"
- In reply to: - AJS: "Re: Security Event Log (audit object access) logging too much?"
- Next in thread: - AJS: "Re: Security Event Log (audit object access) logging too much?"
- Reply: - AJS: "Re: Security Event Log (audit object access) logging too much?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 6 Jun 2003 13:43:59 -0500
"- AJS" <a smith att window products dit com> wrote in message
news:3edf8913$1_1@127.0.0.1...
> "Roc" <mcnutt@aqssys.com> wrote:
> >I've set up audit logging on my Windows 2000 SP3 file server.
> >
> >I want the security event log to log every time a file changes in a certain
> >subdirectory; meaning the data contained within the file is modified. I
> >also want file deletions logged.
> >
> >I set up the Audit Logging on the directory to log successful access by
> >"Everyone" and checked the boxes labeled "Create Files / Write Data",
> >"Create Folders / Append Data", "Delete Subfolders and Files", and "Delete".
> >I did not get the results I anticipated in the event log. I scaled back my
> >auditing this morning to include only the check boxes "Create Files / Write
> >Data" and "Delete", hoping this might fix my problem, but figured I'd post
> >it looking for ideas anyhow...
> >
> >Specifically, my problem is that when I look at Event Log, it reports
> >something like the following: (results from dumpel.exe)
> >
> >"05/31/2003","07:51:24","Security","AUDITSUCCESS","Something",560,"Some user","SERVER","Security/File/\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\Folder\path\WFM5B.EXE/1052/0/300835410/8/SERVER$/DOMAIN/(0x0,0x3E7)/username/DOMAIN/(0x0,0x11EC7581)/%%1538 %%4417 %%4418 %%4420 %%4423 %%4424 /-/"
> >
> >Now, I know "username" did not *modify* the EXE, the person only ran the EXE
> >remotely from their workstation. This keeps happening over and over, and it
> >pollutes the data I am trying to collect - I don't know if the file is
> >actually modified or just being "accessed". (The file server holds
> >thousands of EXEs, none of which are changed).
> >
> >My suspicion is that a handle to the server object is being created to serve
> >the workstation the actual file being accessed remotely. My audits are
> >logging the memory-based "copies" of the objects the workstation requests,
> >and when the workstation closes the file, the object is deleted from
> >memory - and that delete is also logged in the Security log. This seems to
> >fit with what I'm seeing in the log - 2 entries per file that is
> >*accessed* - not just modified (well, the memory *is* modified, so logging
> >appears correct - but I don't want to know about that stuff). Most of my
> >files are not being modified or deleted - but how can I tell them apart?
> >
> >1. Is this a correct assessment?
> >2. And more importantly, can I audit only changes & deletes to files like I
> >want?
>
>
> Hi Mike,
>
> A couple things come to mind.
>
> 1) The Audit events should only be tripped by File Write, File Delete
> processes, not removal from memory after Execution. I do Not know the cause of
> the log entries, but they do not match my own quick testing of the same setup.
>
> 2) To 'Save Changes' in many documents requires Delete priv's in order to
> remove the old copy. MS Word is one such app.
>
> 3) Let's fix your issue, and then audit.
>
> Consider using XCACLS.EXE from the resource kit, and work from the following
> assumption: You need to secure all files in %Path% with an .EXE extension.
>
> First, run the following to APPLY Everyone=Read&Execute only on %Path%\*.EXE.
>
> XCACLS %PATH%\*.EXE /G Everyone:RXE /T /E /C /Y
>
> Test that a bit. It does a lot more than the GUI Security Editor. Read the doc
> and pay special attention to Directory Inheritance.
>
> Now, audit for Failed: {Write, Delete, Change} events and you should be good to
> go.
>
> HTH,
> - AJS
This will not work in my situation. There are often times when the users
will need to modify the data files that control how this software
application runs (it's a DOS app and we're the vendor). I'm trying to
produce a list of files every day that were intentionally modified, get that
list in a database and eventually provide a report... As I said, there are
potentially thousands of files changing every month, so finding a technical
way to produce a report would be extremely beneficial for my users.
The problem is, the audit log is reporting files are being modified when
they clearly are not - people are simply running the application and event
560s are being logged. My point about the EXE is that it is clear they are
only running the application (they're not programmers, they cannot modify an
EXE, but they could delete it. At first I thought the EXE was deleted, but
I checked the directory and it was still there).
MS told me (cross-posted it to another group): "You're really close. Event
560 is generated when a handle to an object is granted with the audited
access (not when the access is performed)." They said that this was changed
in Win 2003 so that "real" modifies/deletes are recorded with an event 567,
but this will not be backported to Win 2000.
Any other ideas would be welcome, I didn't plan on upgrading that server for
several months.
Roc
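The thread's core finding is that event 560 fires when a handle is *granted* with the audited access, so on Windows 2000 the security log alone cannot tell a real write from a file that was merely opened. One defender-side workaround for the daily "which files really changed" list Roc wants is to diff content snapshots of the audited folder and use the dumpel.exe 560 records only to say who held a write/delete handle on each file that did change. The code below is an added example, not code from the thread or from Microsoft: the dumpel column layout (ninth column holds the event strings joined by "/", with the object name at index 2, the client user at index 10 and the access list at index 13) is inferred from the single record quoted above, the meaning of the %%-codes (%%4417 WriteData, %%4418 AppendData, %%1537 DELETE) is assumed from the Windows access-mask message strings, and the sample rows and files are constructed.

```python
"""Added example: separate real modifications from event-560 handle-grant noise.

Snapshot diff decides WHAT changed; dumpel 560 records only attribute WHO had a
write/delete handle on a changed file. None of this is code from the thread."""
import csv
import hashlib
import os
import tempfile

# Assumed mapping of Windows 2000 audit access strings to their meaning.
# %%4417 and %%4418 both appear in the record quoted in the thread.
WRITE_OR_DELETE_CODES = {"%%4417": "WriteData", "%%4418": "AppendData", "%%1537": "DELETE"}

# Constructed dumpel rows modelled on the record quoted in the thread (not real logs).
# Row 1: WFM5B.EXE opened with write access but only executed; row 2: a data file edited by jdoe.
SAMPLE_DUMPEL = (
    '"05/31/2003","07:51:24","Security","AUDITSUCCESS","Object Access",560,"Some user","SERVER",'
    '"Security/File/\\Device\\HarddiskDmVolumes\\PhysicalDmVolumes\\BlockVolume1\\Folder\\path\\WFM5B.EXE'
    '/1052/0/300835410/8/SERVER$/DOMAIN/(0x0,0x3E7)/username/DOMAIN/(0x0,0x11EC7581)'
    '/%%1538 %%4417 %%4418 %%4420 %%4423 %%4424 /-/"\n'
    '"05/31/2003","07:52:10","Security","AUDITSUCCESS","Object Access",560,"Some user","SERVER",'
    '"Security/File/\\Device\\HarddiskDmVolumes\\PhysicalDmVolumes\\BlockVolume1\\Folder\\path\\CONFIG.DAT'
    '/1060/0/300835411/8/SERVER$/DOMAIN/(0x0,0x3E7)/jdoe/DOMAIN/(0x0,0x11EC7581)'
    '/%%1538 %%4417 %%4418 /-/"\n'
)


def snapshot_directory(root):
    """Map each file's path relative to root (with '/' separators) -> (size, SHA-1)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digest = hashlib.sha1(fh.read()).hexdigest()
            snap[rel] = (os.path.getsize(full), digest)
    return snap


def diff_snapshots(old, new):
    """Compare two snapshots; a file whose size or hash differs really changed."""
    created = sorted(p for p in new if p not in old)
    deleted = sorted(p for p in old if p not in new)
    modified = sorted(p for p in new if p in old and new[p] != old[p])
    return {"created": created, "modified": modified, "deleted": deleted}


def parse_dumpel_560(text):
    """Parse dumpel.exe comma-separated output and keep the event 560 rows.

    Column layout is an assumption taken from the one record in the thread."""
    records = []
    for row in csv.reader(text.splitlines()):
        if len(row) < 9 or row[5].strip() != "560":
            continue
        parts = row[8].split("/")          # event strings are joined with '/'
        if len(parts) < 14:
            continue
        accesses = parts[13].split()
        records.append({
            "date": row[0],
            "object": parts[2],            # NT device path of the file
            "client_user": parts[10],      # the user on whose behalf the handle was opened
            "accesses": accesses,
            "write_or_delete": any(a in WRITE_OR_DELETE_CODES for a in accesses),
        })
    return records


def attribute_changes(changes, records):
    """For every file the snapshot diff says changed, list users granted a
    write/delete handle on it. Files that only appear in 560 records are ignored."""
    report = {}
    for kind in ("modified", "deleted"):
        for rel in changes[kind]:
            tail = "\\" + rel.replace("/", "\\").lower()   # match the device path's suffix
            users = sorted({r["client_user"] for r in records
                            if r["write_or_delete"] and r["object"].lower().endswith(tail)})
            report[rel] = {"change": kind, "users": users}
    return report


def demo():
    """Run the pipeline on a throw-away directory and return the attribution report."""
    root = tempfile.mkdtemp()
    sub = os.path.join(root, "path")
    os.makedirs(sub)
    for name, data in (("WFM5B.EXE", b"MZ program"), ("CONFIG.DAT", b"old"), ("NOTES.TXT", b"x")):
        with open(os.path.join(sub, name), "wb") as fh:
            fh.write(data)
    before = snapshot_directory(root)
    with open(os.path.join(sub, "CONFIG.DAT"), "wb") as fh:   # only this file is really edited
        fh.write(b"new settings")
    os.remove(os.path.join(sub, "NOTES.TXT"))                  # and this one deleted
    after = snapshot_directory(root)
    return attribute_changes(diff_snapshots(before, after), parse_dumpel_560(SAMPLE_DUMPEL))


if __name__ == "__main__":
    for path, info in demo().items():
        print(path, info["change"], ",".join(info["users"]) or "(no write handle audited)")
```

In the demo WFM5B.EXE produces a 560 with WriteData/AppendData access, exactly as in the thread, yet never appears in the report because its content did not change; CONFIG.DAT appears as modified and is attributed to jdoe. Running the snapshot once a day (for example from a scheduled task, storing the snapshot dictionary per day) gives the report list Roc is after, and it also catches a change that no audited user explains, which is worth a closer look.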