Re: How to determine who changed permissions on a directory?
- From: CJ in Buffalo <CJinBuffalo@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Sun, 16 Sep 2007 18:24:03 -0700
Thanks for the suggestions - I have obtained both documents and am reading
them now.
"Jon Holvoet" wrote:
You will never get a real clear reading out of it. But with a decent
understanding you can get far. I will quote one of my ancient posts, where
you might find some useful information.
I really advise this as a must-read if you want to really understand the
auditing events, and it will answer your questions below
[quote]
I used the "Security Monitoring and Attack Detection Planning Guide" from
technet to implement and better understand this. A lot of reading, but a
real aid in determining what to monitor and what not.
The URL is :
http://www.microsoft.com/technet/security/guidance/auditingandmonitoring/securitymonitoring/default.mspx
And as an external source I can also advise
http://www.ultimatewindowssecurity.com/
They have the Windows Server 2003 Security log revealed, which is a great
work for a deeper understanding, and even offer multimedia training.
Bad part is, they aren't free, but the good part is, they are not expensive
at all.
First source should definitely get you started, and the second can be a
handy add-on if you want to dig deeper.
[/quote]
--
Jon Holvoet
MCSA / MCSE Security
Comptia Security+
CISSP
"CJ in Buffalo" <CJinBuffalo@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C40A54EA-610F-44C8-A4A3-026550EE8B48@xxxxxxxxxxxxxxxx
I need to be able to determine with certainty who made a change to a
directory, and what the change was.
Here is the situation: I have some directories where the permissions were
changed, causing all kinds of problems until they were fixed back to their
correct settings. I am pretty confident that I know what directory,
approximately what time, and who - I just need to be able to prove it.
We do have auditing turned on with these settings:
Audit Account Logon events - Success, Failure
Audit Account Management - Failure
Audit Directory Service Access - Failure
Audit Logon Events - Failure
Audit Object Access - Success, Failure
Audit Policy Change - Success, Failure
Audit Privilege Use - Success, Failure
Audit Process Tracking - Failure
Audit System Events - Success, Failure
I've done some playing around with creating directories, changing
permissions, etc. and then looking to see what was logged. I do have Event
ID 560, 567 and 576 events logged when I do these sorts of things. But I
can't say I fully understand what is in the event. I was hoping for
something like "User Joe added Group OfficeParty to G:\ABC with
Read-Write-Delete permissions", but the events are a little more cryptic
than that.
So let's say I had a directory and deleted user XYZ and group ABC from the
ACL - is there a way I can tell that this was done (and specifically tell
that user XYZ was deleted, not just that some object was deleted)?
Let's say I had a directory and added a user with List Folder and Write
permissions (not Read) - what would the pattern be for that?
These are pretty much always going to be done by somebody right-clicking on
a network shared folder, going to the security tab, and then adding or
removing users or groups there.
Is there a way to replace one ACL with another, so that some IDs that had
access before no longer have it, but there was never a DELETE object event
logged?
The server in question is Windows 2003 SP1.
I have been using Event Comb MT, and I do have a saved copy of the Security
Event Log that covers the time period in question.
For example, I have an event like this. How can I tell what exactly user
JoeSchmoe did on the G:\ABC\Junk directory on Server1?
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 9/13/2007
Time: 9:51:38 PM
User: MYDOMAIN\JoeSchmoe
Computer: SERVER1
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: G:\ABC\Junk
Handle ID: 18852
Operation ID: {0,329353281}
Process ID: 4
Image File Name:
Primary User Name: SERVER1$
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: JoeSchmoe
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x138FB0D5)
Accesses: READ_CONTROL
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x20080
Or similarly for this one:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 567
Date: 9/13/2007
Time: 9:51:38 PM
User: MYDOMAIN\JoeSchmoe
Computer: SERVER1
Description:
Object Access Attempt:
Object Server: Security
Handle ID: 18852
Object Type: File
Process ID: 4
Image File Name:
Accesses: WRITE_DAC
Access Mask: 0x40000
Any help would be appreciated - Thanks!
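An added example for this thread (not code from the original posts, the guide or ultimatewindowssecurity.com): a Python script that reads records in the "Key: Value" text layout quoted above, correlates a 567 (Object Access Attempt) whose Access Mask carries WRITE_DAC (0x40000) with the 560 (Object Open) that opened the same Handle ID on the same computer and process, and names the user and the object. The sample records are constructed from the two events quoted in the question, abridged to the fields the script uses; the blank line between records is an assumed separator, since the post does not show how records are delimited in the export. Note the attribution it applies: when a share is accessed over the network the Primary User Name is the server's machine account (SERVER1$, Process ID 4 is System) and the real user is in the Client User Name field.

```python
"""Correlate Windows Server 2003 security-log events 560 (Object Open) and 567
(Object Access Attempt) to show who exercised WRITE_DAC on which object."""
import re

# Standard and file-specific access-right bits as found in "Access Mask".
ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile", 0x4: "AppendData",
    0x8: "ReadEA", 0x10: "WriteEA", 0x20: "Execute/Traverse", 0x40: "DeleteChild",
    0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
WRITE_DAC = 0x40000
# Constructed sample: the two records quoted in the post, abridged to the
# fields used here, in Event Viewer's "Key: Value" text layout; the blank
# line between records is an assumed separator.
SAMPLE_LOG = """\
Event Type: Success Audit
Event ID: 560
Date: 9/13/2007
Time: 9:51:38 PM
User: MYDOMAIN\\JoeSchmoe
Computer: SERVER1
Object Name: G:\\ABC\\Junk
Handle ID: 18852
Process ID: 4
Primary User Name: SERVER1$
Primary Domain: MYDOMAIN
Client User Name: JoeSchmoe
Client Domain: MYDOMAIN
Accesses: READ_CONTROL
ReadAttributes
Access Mask: 0x20080

Event Type: Success Audit
Event ID: 567
Date: 9/13/2007
Time: 9:51:38 PM
User: MYDOMAIN\\JoeSchmoe
Computer: SERVER1
Handle ID: 18852
Process ID: 4
Accesses: WRITE_DAC
Access Mask: 0x40000
"""

def parse_events(text):
    """One dict per blank-line-separated record; a line without 'Key:' continues
    the previous field (Event Viewer wraps a multi-valued Accesses that way)."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec, key = {}, None
        for line in block.splitlines():
            m = re.match(r"^([A-Za-z][A-Za-z ]*?):\s*(.*)$", line)
            if m:
                key = m.group(1)
                rec[key] = m.group(2).strip()
            elif key and line.strip():
                rec[key] = (rec[key] + " " + line.strip()).strip()
        events.append(rec)
    return events

def decode_mask(mask):
    """Names of the rights set in an access mask, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def actor(rec):
    """Over SMB the Primary account is the server's machine account (Process ID
    4 is System), so attribute the action to the Client fields when they are set."""
    client = rec.get("Client User Name", "-")
    if client and client != "-":
        return "%s\\%s" % (rec.get("Client Domain", ""), client)
    return "%s\\%s" % (rec.get("Primary Domain", ""), rec.get("Primary User Name", ""))

def find_dacl_changes(events):
    """Keep the latest 560 per (computer, handle, process), forget it on 562 (Handle
    Closed) since handle IDs get reused, report successful 567s carrying WRITE_DAC."""
    live, changes = {}, []
    for rec in events:
        eid = rec.get("Event ID")
        key = (rec.get("Computer"), rec.get("Handle ID"), rec.get("Process ID"))
        if eid == "560":
            live[key] = rec
        elif eid == "562":
            live.pop(key, None)
        elif eid == "567" and rec.get("Event Type") == "Success Audit":
            mask = int(rec.get("Access Mask", "0"), 16)
            if not mask & WRITE_DAC:
                continue
            opened = live.get(key)
            changes.append({
                "who": actor(opened) if opened else rec.get("User", "?"),
                "object": opened["Object Name"] if opened else "?",
                "when": "%s %s" % (rec.get("Date"), rec.get("Time")),
                "used": decode_mask(mask),
                "opened_with": decode_mask(int(opened["Access Mask"], 16)) if opened else [],
            })
    return changes
```

Running `find_dacl_changes(parse_events(SAMPLE_LOG))` on the sample yields one hit: MYDOMAIN\JoeSchmoe exercised WRITE_DAC on G:\ABC\Junk at 9/13/2007 9:51:38 PM, on a handle that the 560 shows opened with ReadAttributes and READ_CONTROL (0x20080). Two caveats for using this as evidence: a 567 carrying WRITE_DAC establishes who wrote the DACL of which object and when, but 560/567 record access rights, not ACL contents, so "which ACE was added or removed" cannot be read out of these events and has to come from a known-good copy of the ACL or a backup; and Handle IDs are recycled after the handle is closed, so a 567 should only be matched to the most recent 560 for that handle that has not been followed by a 562, which is why the script forgets a handle on 562.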