Re: Security Event Log (audit object access) logging too much?

From: Roc (mcnutt_at_aqssys.com)
Date: 06/04/03


Date: Wed, 4 Jun 2003 13:19:49 -0500


It's actually a DOS app that when run, can chain to hundreds of other EXEs
and reads thousands of data files. When I looked at the code, it is *not*
opening them as read/write - it opens them read-only. (Why/How would an app
open an EXE r/w that it is chaining to, anyway?)

OpenMode doesn't seem to matter though - so I'm not sure how you mean the
"app" controls this privilege behaviour, and your answer seems to describe
it as an OS issue...?

Thanks for the reply!

"Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com> wrote in message
news:#UrSl7rKDHA.2312@TK2MSFTNGP09.phx.gbl...
> Hey Roc,
>
> You're really close. Event 560 is generated when a handle to an object is
> granted with the audited access (not when the access is performed).
>
> Depending on the application used, your audits might be reasonable or not.
> For instance, Notepad is really well-behaved and opens with least
> privilege. Word is not very audit-friendly and performs multiple file I/O
> operations and generally requests more privilege than it needs.
>
> In Windows XP and Windows Server 2003, event 567 is logged when an
> operation is actually performed on a file. This functionality won't be
> back-ported to Windows 2000.
>
> Eric
>
>
> "Roc" <mcnutt@aqssys.com> wrote in message
> news:vds3m1b514bp8a@corp.supernews.com...
> > I've set up audit logging on my Windows 2000 SP3 file server.
> >
> > I want the security event log to log every time a file changes in a
> > certain subdirectory; meaning the data contained within the file is
> > modified. I also want file deletions logged.
> >
> > I set up the Audit Logging on the directory to log successful access by
> > "Everyone" and checked the boxes labeled "Create Files / Write Data",
> > "Create Folders / Append Data", "Delete Subfolders and Files", and
> > "Delete". I did not get the results I anticipated in the event log. I
> > scaled back my auditing this morning to include only the check boxes
> > "Create Files / Write Data" and "Delete", hoping this might fix my
> > problem, but figured I'd post it looking for ideas anyhow...
> >
> > Specifically, my problem is that when I look at Event Log, it reports
> > something like the following: (results from dumpel.exe)
> >
> > "05/31/2003","07:51:24","Security","AUDITSUCCESS","Something",560,"Some user","SERVER","Security/File/\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\Folder\path\WFM5B.EXE/1052/0/300835410/8/SERVER$/DOMAIN/(0x0,0x3E7)/username/DOMAIN/(0x0,0x11EC7581)/%%1538 %%4417 %%4418 %%4420 %%4423 %%4424 /-/"
> >
> > Now, I know "username" did not *modify* the EXE, the person only ran the
> > EXE remotely from their workstation. This keeps happening over and over,
> > and it pollutes the data I am trying to collect - I don't know if the
> > file is actually modified or just being "accessed". (The file server
> > holds thousands of EXEs, none of which are changed).
> >
> > My suspicion is that a handle to the server object is being created to
> > serve the workstation the actual file being accessed remotely. My audits
> > are logging the memory-based "copies" of the objects the workstation
> > requests, and when the workstation closes the file, the object is deleted
> > from memory - and that delete is also logged in the Security log. This
> > seems to fit with what I'm seeing in the log - 2 entries per file that is
> > *accessed* - not just modified (well, the memory *is* modified, so
> > logging appears correct - but I don't want to know about that stuff).
> > Most of my files are not being modified or deleted - but how can I tell
> > them apart?
> >
> > 1. Is this a correct assessment?
> > 2. And more importantly, can I audit only changes & deletes to files like
> > I want?
> >
> > Thanks in advance for any help!!
> >
> > Roc
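Added example, not code from anyone in the thread: a small Python triage of dumpel.exe output that applies Eric's point that event 560 records the access *granted* when a handle is opened, so on Windows 2000 the Accesses field is the closest thing to Roc's "changes and deletes only" filter. The dumpel field layout (taken from the sample line above), the decoding of the %%-coded access strings and the sample records are assumptions constructed for this example.

```python
import csv
import io

# Assumed decoding of the %%-coded access strings that dumpel leaves
# unexpanded (standard msobjs.dll message ids; check them on your own box).
ACCESS_NAMES = {
    "%%1537": "DELETE", "%%1538": "READ_CONTROL", "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER", "%%1541": "SYNCHRONIZE", "%%4416": "ReadData",
    "%%4417": "WriteData", "%%4418": "AppendData", "%%4419": "ReadEA",
    "%%4420": "WriteEA", "%%4421": "Execute", "%%4422": "DeleteChild",
    "%%4423": "ReadAttributes", "%%4424": "WriteAttributes",
}
# Granted accesses that could change or remove a file; the rest are reads.
MODIFYING = {"DELETE", "DeleteChild", "WriteData", "AppendData", "WriteEA",
             "WriteAttributes", "WRITE_DAC", "WRITE_OWNER"}

# Constructed dumpel.exe output (not the thread's real log): three 560
# "Object Open" records and one 562 "Handle Closed" record for the first.
SAMPLE = r'''"05/31/2003","07:51:24","Security","AUDITSUCCESS","Security",560,"SYSTEM","SERVER","Security/File/\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\Folder\path\WFM5B.EXE/1052/0/300835410/8/SERVER$/DOMAIN/(0x0,0x3E7)/username/DOMAIN/(0x0,0x11EC7581)/%%1538 %%4416 %%4421 %%4423 /-/"
"05/31/2003","07:51:25","Security","AUDITSUCCESS","Security",562,"SYSTEM","SERVER","Security/1052/8"
"05/31/2003","07:52:10","Security","AUDITSUCCESS","Security",560,"SYSTEM","SERVER","Security/File/\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\Folder\path\DATA01.DAT/1060/0/300835420/8/SERVER$/DOMAIN/(0x0,0x3E7)/username/DOMAIN/(0x0,0x11EC7581)/%%1538 %%4417 %%4418 %%4423 %%4424 /-/"
"05/31/2003","07:53:02","Security","AUDITSUCCESS","Security",560,"SYSTEM","SERVER","Security/File/\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\Folder\path\OLD.LOG/1064/0/300835431/8/SERVER$/DOMAIN/(0x0,0x3E7)/username/DOMAIN/(0x0,0x11EC7581)/%%1537 %%1538 /-/"
'''

def parse_560(text):
    """Return one dict per event 560 record; other event ids are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9 or row[5] != "560":
            continue
        f = row[8].split("/")  # field order as in the thread's sample line
        records.append({"time": f"{row[0]} {row[1]}", "object": f[2],
                        "handle_id": f[3], "client": f"{f[11]}\\{f[10]}",
                        "accesses": [ACCESS_NAMES.get(c, c) for c in f[13].split()]})
    return records

def modifying_accesses(rec):
    """Granted accesses that could alter or delete the object, sorted."""
    return sorted(MODIFYING.intersection(rec["accesses"]))

def triage(text):
    """Split 560 records into (write/delete access granted, read-only opens).
    560 records the access *granted* at handle open, not an actual write."""
    changed, read_only = [], []
    for rec in parse_560(text):
        (changed if modifying_accesses(rec) else read_only).append(rec)
    return changed, read_only
```

A record in the first list only means write or delete access was granted on the handle; whether a write actually happened is what the XP/2003 event 567 Eric mentions adds.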