Re: Audit Object Access

From: Celina (it@permasteelisa.com.hk)
Date: 04/15/03 

From: "Celina" <it@permasteelisa.com.hk>
Date: Tue, 15 Apr 2003 09:52:35 +0800

Steve, Thanks for your help.
I check against the setting of "Audit the access of global system objects"
in local security policy. The local & effective status is disable. For the
object name/type entries, I can't find the file/folder in the system. Seens
they are the system objects because the entries repeated to generate from
time to time. I don't know where should I disable it. -- celina

"Steven L Umbach" <n9rou@attbi.com> 撰寫於郵件
news:n9Gma.215901$Zo.40717@sccrnsc03...
> Hi Selena. From what I read recently just enabling auditing of
> object access can generate a lot of entries because W2K will do auto
> auditing of what is called "base system objects". You can check your
local
> security policy for the effective setting under security options for
"audit
> the access of global system objects". If it is enabled or not defined try
to
> disable it at proper security level and see if that helps reduce amount of
> entries. Also remember you can create a filter view in event viewer to
make
> it easier to find particular entries. Also in event 560 check object
> name/type entries (file in particular) to double check if any auditing is
> enabled that you might not know about. -- Steve
>
>
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/561.asp
>
> "Celina" <it@permasteelisa.com.hk> wrote in message
> news:OBY1fJlADHA.2820@TK2MSFTNGP11.phx.gbl...
> > Steve,
> >
> > I only enable "Aduit Object Access" in Local Security policy and run
> Secedit
> > to refresh the policy. No file/folder is set to audit at the moment.
> > However, once the policy enable. A lot of entries are generated. Here
is
> > the log entries details.
> >
> > 1.
> > Event ID: 562
> > User: Administrator
> > Category: Object Access
> > Description:
> > Object Server: Security
> > Handle ID: 180
> > Process ID: 4264
> >
> > 2.
> > Event ID: 562
> > User: Administrator
> > Category: Object Access
> > Description:
> > Object Server: Security
> > Handle ID: 92
> > Process ID: 4264
> >
> > 3.
> > Event ID: 560
> > User: Administrator
> > Category: Object Access
> > Description:
> > Object Server: Security
> > Object Type: Desktop
> > Object Name: \Default
> > Handle ID: 92
> > Operation ID: {0,383179252}
> > Process ID: 4264
> > ...
> > Accesses DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Read Objects....
> >
> > 4.
> > Event ID: 560
> > User: Administrator
> > Category: Object Access
> > Description:
> > Object Server: Security
> > Object Type: WindowStation
> > Object Name: \Windows\WindowStations\WinSta0
> > Handle ID: 180
> > Operation ID: {0,383179249}
> > Process ID: 4264
> > ...
> > Accesses DELETE READ_CONTROL WRITE_DAC WRITE_OWNER Read Objects....
> >
> > Any idea?
> >
> > "Steven L Umbach" <n9rou@attbi.com> 撰寫於郵件
> > news:txqma.448109$F1.65305@sccrnsc04...
> > > File and folder auditing can generate a LOT of entries. I do
> some
> > > folder auditing , and a single event for one file can generate six or
> so
> > > entries because of all the system processes involved in
> > > accessing/creating/deleting files. The best you can to is to try to
> audit
> > an
> > > absolute minimum of files and folders with and absolute minimum of
> entries
> > > in the access list. When setting audit permissions pay attention to
the
> > > "apply onto" drop down box. If you select files/folders/and subfolders
> > > (which is default) on a folder you could potentially be auditing
> thousands
> > > of files. --- Steve
> > >
> > > http://www.jsifaq.com/SUBI/tip4000/rh4002.htm
> > >
> > > "Celina" <it@permasteelisa.com.hk> wrote in message
> > > news:#pp40JiADHA.1612@TK2MSFTNGP11.phx.gbl...
> > > > Steve,
> > > >
> > > > I change the "Aduit Object Access" in domain controller security
> policy
> > to
> > > > "not defined" and in local policy to "Success". Then, select the
> folder
> > > > which I want to audit and in security policy, just select the
"Delete"
> > > > checkbox in "Success" colume. Run Secedit to refresh the policy.
No
> > > action
> > > > is done but the security log fill up a lot of entries with event id
> 560
> > &
> > > > 562 and the user is administrator. However, the result is the same.
> > > >
> > > >
> > > > "Steven L Umbach" <n9rou@attbi.com> 撰寫於郵件
> > > > news:eMLla.152627$OV.236673@rwcrnsc54...
> > > > > Sounds like you are auditing all file access and not just
> > > > deletions.
> > > > > See link about ID descriptions. You need to fine tune what you
want
> to
> > > > audit
> > > > > on what files. If you want to audit just a specific domain
> controller
> > > you
> > > > > need to change domain controller policy to "not defined" for
> auditing
> > > > > object access so that it will not override local policy. --
Steve
> > > > >
> > > > > "Celina" <it@permasteelisa.com.hk> wrote in message
> > > > > news:eG9skN$$CHA.2032@TK2MSFTNGP12.phx.gbl...
> > > > > > I want to enable auditing files & folder deletion on a Win2k
> server
> > > > which
> > > > > is
> > > > > > also the domain controller. I try to enable object access in
> Local
> > > > > Security
> > > > > > Policy but no audit event logged. I find that the Effective
> Setting
> > > > > retain
> > > > > > "no auditing" even the Local Setting is "Success". But when I
> > enable
> > > > > object
> > > > > > access in Domain Controller Security Policy. The event log fill
> up
> > a
> > > > lot
> > > > > of
> > > > > > entries with event id 560 & 562 and the user is administrator
> (more
> > > than
> > > > a
> > > > > > thousand entries). However, nothing had been change or modify
in
> > the
> > > > > files
> > > > > > & folder directory from administrator account. Anyone encounter
?
> > > Why
> > > > > will
> > > > > > it happens & how to disable these messages.
> > > > > >
> > > > > > Thanks in advance.
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>