Re: Enable Security Auditing using VBSCRIPT

From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
Date: Wed, 6 Jun 2007 10:05:12 -0700

"Jef Dye" <JefDye@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9D653D73-3979-4F17-898D-470E947716C8@xxxxxxxxxxxxxxxx

I looked threw all of the info on the link but none of it covers the
adding
of audit functions to a folder or drive. Does anyone have any other ideas?

Actually, what Slav provided in link is relevant. One just needs to
access the SACL instead of the DACL in the SD. That is, where that
sample uses "DACL = wmiSecurityDescriptor.DACL" one would
instead use "SACL = wmiSecurityDescriptor.SACL"
Since what you get is of Win32_ACE Wmi class, the rest of the
code is no different in what properties and methods may be used
or how.

If you go to microsoft.com/downloads and get the xcacls.vbs script
you will have a code that can modify any aspect of a DACL. It is a
trivial modification per the above info to manipulate the SACL instead
of the DACL and the xcacls.vbs provides examples of doing so.

You may need to do some reading branching off from
http://msdn2.microsoft.com/en-us/library/aa384905.aspx
which is a link on the page to which Slav pointed you.

Roger

"S. Pidgorny <MVP>" wrote:

SACL manipulation can be done using WMI.
http://msdn2.microsoft.com/en-us/library/aa393592.aspx gives an idea and
some sample code.

--
--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"Jef Dye" <JefDye@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:3B1487BC-7019-477A-A7E6-F53852F46E91@xxxxxxxxxxxxxxxx

I have a project for Windows XP and 2003 where I need to enable auditing
to
record failed access on the C:\ or some if its folders. I wan to do it
with
VBSCRIPT. Does anyone have a script to do that?

Normally, you would set this by selecting properties of a folder, and
clicking on the security tab. Next click on Advanced and then the
Auditing
tab. Click Add and then type in "everyone" and click OK. Finally,
select
the
Failed Full Control check box and click OK, OK, and OK.

Thanks. Jef

Prev by Date: Re: Secedit command-line tool question
Next by Date: Forefront Client Security
Previous by thread: Re: Secedit command-line tool question
Next by thread: Forefront Client Security
Index(es):
- Date
- Thread

Relevant Pages

Re: Cant set a DACL on a folder that was NULLed.
... it sets a non-NULL but empty DACL which would not give anyone access. ... the linked MSDN article clearly implies the owner should ... be able to open the folder with WRITE_DACL and READ_CONTROL - I don't know ... I am still interested in why explorer can read the rights of the ...
(microsoft.public.platformsdk.security)
Re: NULL DACL versis Empty DACL and Owner implcit access
... created by SYSTEM impersonating me and *I* am the owner, ... I tried using SetNamedSecurityInfo to set the DACL of a folder to NULL. ... Microsoft Online Community Support ...
(microsoft.public.platformsdk.security)
Re: Cant set a DACL on a folder that was NULLed.
... So NULL DACL is no security at all, ... the linked MSDN article clearly implies the owner ... should be able to open the folder with WRITE_DACL and READ_CONTROL - I ... I assume you are running it under the owner's account. ...
(microsoft.public.platformsdk.security)
Re: NULL DACL versis Empty DACL and Owner implcit access
... That is what led me to believe it was an empty or NULL DACL. ... to create a file in that folder. ... a NULL DACL or all denied if it is an empty DACL. ... Microsoft Online Community Support ...
(microsoft.public.platformsdk.security)
Re: Setting filedirectory SACL
... Thank you Shawn. ... This is all true but I am looking for code sample and ... everything I can find is DACL related. ... for failure and some for failure and success you will get two different SACL ...
(microsoft.public.win2000.security)