Re: Problems configuring security for services
From: Karl Levinson [x y] MVP (levinson_k@excite.com)
Date: 10/23/02
- Next message: JB: "Auto logout"
- Previous message: Karl Levinson [x y] MVP: "Re: Problems configuring security for services"
- In reply to: Chris Weldon: "Re: Problems configuring security for services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Karl Levinson [x y] MVP" <levinson_k@excite.com> Date: Wed, 23 Oct 2002 16:58:13 -0400
PS information on how to enable auditing, just in case:
===========
Note that to enable logging of access to files or registry settings, you
must both enable logging in the overall computer policy AND also add
auditing settings on individual folders or registry keys in the NTFS
security properties in Windows Explorer or the REGEDT32 registry editor.
[Using REGEDIT will not work.] To log file access, the files must be on an
NTFS-formatted partition.
Note also that to enable logging of security events on a Windows domain, you
must change the auditing policy on all domain controllers. Changing the
auditing policy on the computers in the domain enables logging of failed
logins to the computers using local accounts and would not necessarily log
attempts to log into the domain.
Consider changing the Windows event log settings to be appropriate for your
environment. Consider increasing the maximum log size to retain more
information. Be careful not to log too much, or you might find that your
logs contain only a few minutes or hours worth of data. Finally, check the
logs to be sure logs are really being captured.
For more information on enabling and configuring auditing, see the articles
below:
http://nsa1.www.conxion.com/win2k/download.htm a.k.a. http://www.nsa.gov
[look for the NSA Security Recommendation Guides for Windows 2000 and
also Group Policy]
http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/
13w2kadc.asp
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310399 - XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300549 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q248260 - 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q301640 - 2000, file
access settings
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q300958 - 2000,
monitoring for unauthorized user access
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q157238 - NT
http://www.labmice.net/troubleshooting/EventLog.htm
[Thanks to Thomas Deml and others]
"Chris Weldon" <chrisweldon@yahoo.com> wrote in message
news:b47101c27ab8$34041890$36ef2ecf@tkmsftngxa12...
> Thanks for all the information Karl!
>
> Do you know of any good references for setting permissions
> on services in 2000? I assumed that as long as
> BUILTIN\Administrators and SYSTEM had Full Control
> permissions things would work okay, but I guess this isn't
> the case.
>
> Thanks again for your help,
>
> Chris
>
> >-----Original Message-----
> >"Chris Weldon" <chrisweldon@yahoo.com> wrote in message
> >news:aab701c27a06$17f4d930$3aef2ecf@TKMSFTNGXA09...
> >> I've been working with Security Configuration and
> Analysis
> >> and Security Templates on a Windows 2000 Advanced Server
> >> computer and I set the security on all of the servics
> >> using a template and now I'm getting an error in the
> >> analysis log after it tries to analize the General
> Service
> >> Settings, "General Service analysis completed with
> error",
> >> then at the end of the log it says, "----Un-intialize
> >> analysis engine... Warning 5: Access is denied. Error
> >> occurs."
> >>
> >> What's the easiest way to troubleshoot this and figure
> out
> >> which service is causing the problem? Basically, I
> >> removed the permissions on the all the services for
> >> Authenticated Users, Users, Power Users, and Everyone.
> I
> >> pretty much just left BUILTIN\Administrators and SYSTEM
> >> permissions in place.
> >
> >Fixing problems that were caused by group policy
> templates is rarely easy or
> >quick.
> >
> >You could try enabling auditing on all files and registry
> settings to try to
> >see in the Security Event Log what exactly is being
> denied access. If you
> >give up, there is also a way to undo the security
> settings to try to reset
> >the group policy back to the state of a fresh new install
> of Windows. More
> >info below:
> >
> >Note that to enable logging of access to files or
> registry settings, you
> >must both enable logging in the overall computer policy
> AND also add
> >auditing settings on individual folders or registry keys
> in the NTFS
> >security properties in Windows Explorer or the REGEDT32
> registry editor.
> >[Using REGEDIT will not work.] To log file access, the
> files must be on an
> >NTFS-formatted partition.
> >
> >Note also that to enable logging of security events on a
> Windows domain, you
> >must change the auditing policy on all domain
> controllers. Changing the
> >auditing policy on the computers in the domain enables
> logging of failed
> >logins to the computers using local accounts and would
> not necessarily log
> >attempts to log into the domain.
> >
> >Consider changing the Windows event log settings to be
> appropriate for your
> >environment. Consider increasing the maximum log size to
> retain more
> >information. Be careful not to log too much, or you might
> find that your
> >logs contain only a few minutes or hours worth of data.
> Finally, check the
> >logs to be sure logs are really being captured.
> >
> >For more information on enabling and configuring
> auditing, see the articles
> >below:
> >http://nsa1.www.conxion.com/win2k/download.htm a.k.a.
> http://www.nsa.gov
> >[look for the NSA Security Recommendation Guides for
> Windows 2000 and also
> >Group Policy]
> >http://www.microsoft.com/technet/prodtechnol/windows2000se
> rv/deploy/confeat/
> >13w2kadc.asp
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;Q310399 - XP
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;Q300549 - 2000
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;Q248260 - 2000
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;Q301640 - 2000, file
> >access settings
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;Q300958 - 2000,
> >monitoring for unauthorized user access
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;Q157238 - NT
> >http://www.labmice.net/troubleshooting/EventLog.htm
> >[Thanks to Thomas Deml and others]
> >
> >How to apply the default Group Policy templates:
> >[Note that you may have to reinstall some software and/or
> may have
> >additional problems after running the procedures below]
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;Q313205 [recommended
> >first]
> >http://support.microsoft.com/default.aspx?scid=kb;en-
> us;Q266118 [recommended
> >second]
> >
> >
> >.
> >
- Next message: JB: "Auto logout"
- Previous message: Karl Levinson [x y] MVP: "Re: Problems configuring security for services"
- In reply to: Chris Weldon: "Re: Problems configuring security for services"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
