Re: Tracking permission changes.

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 02/25/05


Date: Thu, 24 Feb 2005 18:22:12 -0700

You are half-way there.
Turning on success (optionally failure) auditing for object
access is a pre-req that enables your receiving events on
NTFS permissions changes.
However, you also need to say what you want audited.
For this, use the Advanced view in the NTFS permissions
dialog, where you will see an Audit tab. There you would
want to add, for example in your scenario, audit success
for Everyone for use of the Permission to change permissions
(to narrow it down that far you need to use the special detail
edit windows after adding say Everyone Full, where you
would in the detail edit dialog uncheck all except for the
grant that allows changing permissions).
When setting such as this, you really want to make the
audit as narrow as possible so the event log is not left
swimming with unwanted information. Also, it is useful
to set the auditing at a very high level and have it inherited
everywhere below. For example, on my webservers, on
the disks that are for web content storage, I use an audit of
Everyone Full Fail, set at the drive root and inherited down
everywhere. This gives me an event in the infrequent event
where a web application is misbehaving or I have set the
web content authoring up incorrectly.

-- 
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Adam Sandler" <corn29@excite.com> wrote in message
news:1109277984.403267.253890@z14g2000cwz.googlegroups.com...
> Hello,
>
> I'm a little stuck with keeping track/logging permission changes.  If a
> user right clicks on an object, selects Properties and the Security
> tab, and makes any kind of change, I'd like to see that get logged
> somewhere.  I've never been successfully able to do so... In
> frustration I've even turned on Success and Failure for all 9 auditing
> objects in the Local Security Settings.  I've also gone to all the
> hosts and confirmed the Effective Setting is what I expected based upon
> the configuration I've specified.  That hasn't helped at all.  Is what
> I want to happen even a Windows capability?  If a user does change a
> permission, and it does get logged, then what is the resulting Event
> ID?
>
> Thanks for your time!
>
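The two halves Roger describes (the audit policy, then a SACL on the object) can both be scripted. The following is an added example, not code from either poster; it assumes a Windows version with PowerShell and the granular `auditpol` subcategories (Vista/Server 2008 or later) rather than the 2003-era Local Security Settings UI, and it must be run from an elevated session because reading or writing a SACL needs SeSecurityPrivilege. The event ID 4670 ("Permissions on an object were changed") is the one modern Windows writes for an NTFS permission change once both halves are in place.

```powershell
# Added example, not part of the original thread. Assumes Vista/Server 2008+
# and an elevated PowerShell session.

# 1. Policy half: the "File System" subcategory under Object Access.
#    (On 2000/2003 this is "Audit object access" in Local Security Settings.)
function Enable-FileSystemAuditPolicy {
    auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    # Echo the effective setting so the change can be confirmed.
    auditpol /get /subcategory:"File System"
}

# 2. Object half: add one SACL entry at a root path and let it inherit to
#    every folder and file beneath it, as Roger recommends.
function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ChangePermissions',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success',
        [string]$Identity = 'Everyone'
    )
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    # -Audit is required to read (and later write back) the SACL portion.
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 3. Read back: only permission-change events, newest first.
function Get-PermissionChangeEvents {
    param([int]$Last = 20)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -MaxEvents $Last |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } }
}

# Usage (paths are placeholders for this example):
#   Enable-FileSystemAuditPolicy
#   # The original poster's scenario: audit only successful permission changes.
#   Add-FolderAuditRule -Path 'D:\' -Rights ChangePermissions -Flags Success
#   # Roger's web-content drives: audit failed access attempts of any kind.
#   Add-FolderAuditRule -Path 'W:\' -Rights FullControl -Flags Failure
#   Get-PermissionChangeEvents -Last 10
```

Restricting the rule to `ChangePermissions` rather than `FullControl` is what keeps the Security log from being "left swimming" with every read and write; the `FullControl`/`Failure` variant is the broader trip-wire Roger uses on content drives where any failed access is worth a look.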

