Re: Help with Security Logs

From: Eric Fitzgerald [MSFT] (ericf_at_online.microsoft.com)
Date: 05/21/03


Date: Wed, 21 May 2003 11:27:30 -0700


Hi Vanguyver,

"Object Server: Security" means that the event was generated by the security
reference monitor in the kernel.

"Object Type: File" is self-explanatory.

"Object Name:" is self-explanatory. The unusual path is caused by the fact
that you're probably using a hard link or drive letter redirection;
including the "real" drive letter would have resulted in an ambiguous or
uninterpretable audit.

New Handle ID is a data structure that is given by the OS to the accessing
program, and keeps track of this file for that program until the program
closes the handle or exits. Handle ID can be used to correlate this event
with other events related to the same file, for example, object close (562)
events.

Operation ID is used to correlate multiple file operations that are part of
a single higher-level file operation; it is irrelevant to this event.

Process ID is used to identify the process that accessed the file. Since
you don't have the associated event 592 (process create), I can't tell you
what process ID #8 is at that point in time. To get process creation events
you need to enable "Process Tracking Success" audit policy.

Primary User is the user context that actually performed the access; in this
case a service or OS component running as LocalSystem (assuming that the
machine's name is ACE\FP02).

Client User is the user on behalf of whom the file was accessed. In this
case, it appears that ACE\br38 actually requested the access from some
service or component.

The Logon ID fields for Primary User and Client User identify a unique logon
session. For instance, if the user logs on to a machine locally and
remotely at the same time, there will be two logon events and two Logon IDs
for that user account. The Logon ID is a very good way to correlate an
event with the associated logon event, or with other events that occurred
during the same logon session. A full-text query of your log for
"(0x0,0x24E45288)" would show you everything that ACE\br38 did during that
logon session.

Accesses indicate the granted access mask for the operation. ACE\br38 asked
for (and was granted): READ_CONTROL (read security descriptor), ReadData,
ReadAttributes, and ReadEA (read extended attributes).

Privileges indicates whether any special privileges were used to access the
file, in this case, none.

Essentially, what happened was this:
User ACE\br38 requested read access to a file named "desktop.ini" using
process #8 (or a process which made a request of process #8), which is some
system service. The file was accessed via a hard link or drive letter
redirection. This is a hidden, system file in most folders, which controls
how the Explorer window is displayed for the directory which is being
viewed. Explorer opens this file automatically, if it exists, when you view
a directory.

Eric

"Vanguyver" <vanguyver@hotmail.com> wrote in message
news:055701c31f19$069494b0$a301280a@phx.gbl...
> Can someone please help me read the security log file
> below?
>
> I enabled logging on a particular user's home directory.
> This person believes someone is accessing their files. I
> have noticed that if someone logs on to the Server that
> stores the user's home, within a few minutes the
> security log shows something like the one below. I am not
> sure what the file means. I have not seen anyone access
> any files within the user's folder other than the user.
>
> Sometimes there is nothing displayed after the username (sc98\)
>
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name:
> \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\users\sc98\desktop.ini
> New Handle ID: 984
> Operation ID: {0,619102837}
> Process ID: 8
> Primary User Name: FP02$
> Primary Domain: ACE
> Primary Logon ID: (0x0,0x3E7)
> Client User Name: br38
> Client Domain: ACE
> Client Logon ID: (0x0,0x24E45288)
> Accesses READ_CONTROL
> ReadData (or ListDirectory)
> ReadEA
> ReadAttributes
>
> Privileges -
>
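The correlation Eric describes (pairing a 560 Object Open with its 562 close by Handle ID, and pulling out everything a Logon ID did) as an added example that is not part of the original thread; the sample events are constructed, the 560 text follows the shape quoted above, and the 562 Handle Closed layout is an assumption:

```python
# Constructed sample events (not from the post): a 560 Object Open shaped like the one quoted above, plus a 562 Handle Closed whose layout is assumed.
SAMPLE_EVENTS = [
    (560, r"""Object Open:
Object Name: \Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\users\sc98\desktop.ini
New Handle ID: 984
Process ID: 8
Primary User Name: FP02$
Primary Logon ID: (0x0,0x3E7)
Client User Name: br38
Client Logon ID: (0x0,0x24E45288)
Accesses READ_CONTROL
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Privileges -"""),
    (562, "Handle Closed:\nObject Server: Security\nHandle ID: 984\nProcess ID: 8"),
]

def parse_event(event_id, text):
    """Turn the key/value body of a 560 or 562 audit event into a dict."""
    rec, accesses = {"EventID": event_id}, None
    for line in text.splitlines():
        if line.startswith("Accesses"):  # access names run until the Privileges line
            accesses = [line.split(None, 1)[1]]
        elif line.startswith("Privileges"):
            rec["Accesses"], accesses = accesses, None
            rec["Privileges"] = line.split(None, 1)[1]
        elif accesses is not None:
            accesses.append(line)
        elif ":" in line:
            key, _, value = line.partition(":")
            rec[key.strip()] = value.strip()
    return rec

def correlate_handles(records):
    """Pair each 560 open with the 562 close for the same handle in the same process.
    Handle IDs are reused after close, so track only open handles and pop on close."""
    open_handles, pairs = {}, []
    for rec in records:
        key = (rec.get("New Handle ID") or rec.get("Handle ID"), rec.get("Process ID"))
        if rec["EventID"] == 560:
            open_handles[key] = rec
        elif rec["EventID"] == 562 and key in open_handles:
            pairs.append((open_handles.pop(key), rec))
    return pairs

def activity_for_logon(records, logon_id):
    """Eric's suggested full-text search on a Logon ID, applied to parsed records."""
    return [r for r in records if logon_id in (r.get("Client Logon ID"), r.get("Primary Logon ID"))]
```

Feed it the parsed events in log order; an open with no matching close stays in the open-handle table, which is itself worth a look.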
