Re: Security Event Log (audit object access) logging too much?
From: Eric Fitzgerald [MSFT] (ericf_at_online.microsoft.com)
Date: 06/10/03
- Next message: Eric Fitzgerald [MSFT]: "Re: Users are Unable to login due to Security log being full on XP"
- Previous message: Nick Finco [MSFT]: "Re: Local Security Settings"
- In reply to: Roc: "Re: Security Event Log (audit object access) logging too much?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 9 Jun 2003 18:07:53 -0700
Nope, I mean that it is an app issue. If event 560 says that the handle was
opened with Write Data access, then I guarantee you that the application
requested, either directly or via an API that was translated to such a call,
write access to the file.
Eric
"Roc" <mcnutt@aqssys.com> wrote in message
news:vdse26i96stv9f@corp.supernews.com...
> It's actually a DOS app that when run, can chain to hundreds of other EXEs
> and reads thousands of data files. When I looked at the code, it is *not*
> opening them as read/write - it opens them read-only. (Why/How would an app
> open an EXE r/w that it is chaining to, anyway?)
>
> OpenMode doesn't seem to matter though - so I'm not sure how you mean the
> "app" controls this privilege behaviour, and your answer seems to describe
> it as an OS issue...?
>
> Thanks for the reply!
>
>
>
>
> "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com> wrote in message
> news:#UrSl7rKDHA.2312@TK2MSFTNGP09.phx.gbl...
> > Hey Roc,
> >
> > You're really close. Event 560 is generated when a handle to an object is
> > granted with the audited access (not when the access is performed).
> >
> > Depending on the application used, your audits might be reasonable or not.
> > For instance, Notepad is really well-behaved and opens with least privilege.
> > Word is not very audit-friendly and performs multiple file i/o operations
> > and generally requests more privilege than it needs.
> >
> > In Windows XP and Windows Server 2003, event 567 is logged when an operation
> > is actually performed on a file. This functionality won't be back-ported to
> > Windows 2000.
> >
> > Eric
> >
> >
> > "Roc" <mcnutt@aqssys.com> wrote in message
> > news:vds3m1b514bp8a@corp.supernews.com...
> > > I've set up audit logging on my Windows 2000 SP3 file server.
> > >
> > > I want the security event log to log every time a file changes in a certain
> > > subdirectory; meaning the data contained within the file is modified. I
> > > also want file deletions logged.
> > >
> > > I set up the Audit Logging on the directory to log successful access by
> > > "Everyone" and checked the boxes labeled "Create Files / Write Data",
> > > "Create Folders / Append Data", "Delete Subfolders and Files", and "Delete".
> > > I did not get the results I anticipated in the event log. I scaled back my
> > > auditing this morning to include only the check boxes "Create Files / Write
> > > Data" and "Delete", hoping this might fix my problem, but figured I'd post
> > > it looking for ideas anyhow...
> > >
> > > Specifically, my problem is that when I look at Event Log, it reports
> > > something like the following: (results from dumpel.exe)
> > >
> > > "05/31/2003","07:51:24","Security","AUDITSUCCESS","Something",560,"Some user","SERVER","Security/File/\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\Folder\path\WFM5B.EXE/1052/0/300835410/8/SERVER$/DOMAIN/(0x0,0x3E7)/username/DOMAIN/(0x0,0x11EC7581)/%%1538 %%4417 %%4418 %%4420 %%4423 %%4424 /-/"
> > >
> > > Now, I know "username" did not *modify* the EXE, the person only ran the EXE
> > > remotely from their workstation. This keeps happening over and over, and it
> > > pollutes the data I am trying to collect - I don't know if the file is
> > > actually modified or just being "accessed". (The file server holds
> > > thousands of EXEs, none of which are changed).
> > >
> > > My suspicion is that a handle to the server object is being created to serve
> > > the workstation the actual file being accessed remotely. My audits are
> > > logging the memory-based "copies" of the objects the workstation requests,
> > > and when the workstation closes the file, the object is deleted from
> > > memory - and that delete is also logged in the Security log. This seems to
> > > fit with what I'm seeing in the log - 2 entries per file that is
> > > *accessed* - not just modified (well, the memory *is* modified, so logging
> > > appears correct - but I don't want to know about that stuff). Most of my
> > > files are not being modified or deleted - but how can I tell them apart?
> > >
> > > 1. Is this a correct assessment?
> > > 2. And more importantly, can I audit only changes & deletes to files like I
> > > want?
> > >
> > > Thanks in advance for any help!!
> > >
> > > Roc
> > >
> > >
> > >
> >
> >
>
>
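Added example, not part of the thread above and not Microsoft's or dumpel's own code: a Python triage of 560 records in the dumpel format shown in Roc's post. It decodes the Accesses field (the %%15xx and %%44xx tokens are the standard Security-log substitution strings for generic and file-specific rights, e.g. %%4417 is WriteData) and separates handle opens that were granted a data-changing or delete right from read-only opens. The first sample line is the record from the post re-joined onto one line; the other two sample lines are constructed. The script assumes dumpel's comma-separated output with the insertion strings joined by '/', exactly as the post shows. As Eric explains, 560 only records the access granted when the handle was opened, so on Windows 2000 this can drop the read-only noise but cannot prove that a write actually happened.

```python
"""Triage Windows 2000 event 560 (handle opened) records from dumpel output.

Added example, not from the thread. Assumes dumpel.exe's comma-separated
format with the event's insertion strings joined by '/', as in the post.
"""
import csv

# Event 560 insertion strings, in order (Operation ID is a two-string pair).
FIELDS_560 = [
    "object_server", "object_type", "object_name", "handle_id",
    "operation_id_hi", "operation_id_lo", "process_id",
    "primary_user", "primary_domain", "primary_logon_id",
    "client_user", "client_domain", "client_logon_id",
    "accesses", "privileges",
]

# Message IDs the Event Log substitutes into the Accesses field:
# %%15xx = standard rights, %%44xx = file/directory-specific rights.
ACCESS_NAMES = {
    "%%1537": "DELETE",
    "%%1538": "READ_CONTROL",
    "%%1539": "WRITE_DAC",
    "%%1540": "WRITE_OWNER",
    "%%1541": "SYNCHRONIZE",
    "%%4416": "ReadData/ListDirectory",
    "%%4417": "WriteData/AddFile",
    "%%4418": "AppendData/AddSubdirectory",
    "%%4419": "ReadEA",
    "%%4420": "WriteEA",
    "%%4421": "Execute/Traverse",
    "%%4422": "DeleteChild",
    "%%4423": "ReadAttributes",
    "%%4424": "WriteAttributes",
}

# Rights that let the handle change a file's data or remove it. WriteEA,
# WriteAttributes, WRITE_DAC and WRITE_OWNER are deliberately left out:
# they change metadata, not the file contents the poster wants to track.
DATA_CHANGE_RIGHTS = {"%%1537", "%%4417", "%%4418", "%%4422"}

# Constructed sample input. Line 1 is the record from the post, re-joined onto
# one line; line 2 (a read-only open) and line 3 (a 562 handle-closed event)
# are made up to exercise the other code paths.
SAMPLE_LINES = [
    r'"05/31/2003","07:51:24","Security","AUDITSUCCESS","Something",560,"Some user","SERVER","Security/File/\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\Folder\path\WFM5B.EXE/1052/0/300835410/8/SERVER$/DOMAIN/(0x0,0x3E7)/username/DOMAIN/(0x0,0x11EC7581)/%%1538 %%4417 %%4418 %%4420 %%4423 %%4424 /-/"',
    r'"05/31/2003","07:51:25","Security","AUDITSUCCESS","Something",560,"Some user","SERVER","Security/File/\Device\HarddiskDmVolumes\PhysicalDmVolumes\BlockVolume1\Folder\path\DATA01.DAT/1060/0/300835411/8/SERVER$/DOMAIN/(0x0,0x3E7)/username/DOMAIN/(0x0,0x11EC7581)/%%1538 %%4416 %%4423 /-/"',
    r'"05/31/2003","07:51:26","Security","AUDITSUCCESS","Something",562,"Some user","SERVER","Security/1052/8/"',
]


def decode_accesses(field):
    """Map '%%1538 %%4417 ...' to right names; unknown IDs pass through."""
    return [ACCESS_NAMES.get(tok, tok) for tok in field.split()]


def parse_560(line):
    """Parse one dumpel line into a dict, or return None if it is not a 560."""
    row = next(csv.reader([line.strip()]))
    if len(row) < 9 or row[5].strip() != "560":
        return None
    # The description is the insertion strings joined by '/'. Object names
    # are NT device paths with backslashes, so splitting on '/' is safe here.
    rec = dict(zip(FIELDS_560, row[8].split("/")))
    rec["date"], rec["time"] = row[0], row[1]
    granted = rec["accesses"].split()
    rec["accesses_decoded"] = decode_accesses(rec["accesses"])
    # 560 records the access *granted* at open time. A data-change right here
    # means the app asked for it; it does not prove a write was performed.
    rec["can_change_data"] = any(tok in DATA_CHANGE_RIGHTS for tok in granted)
    return rec


def triage(lines):
    """Split 560 records into (possible data changes, read-only opens)."""
    possible, read_only = [], []
    for line in lines:
        rec = parse_560(line)
        if rec is None:
            continue  # 562 closes and other events carry no access mask
        (possible if rec["can_change_data"] else read_only).append(rec)
    return possible, read_only


if __name__ == "__main__":
    possible, read_only = triage(SAMPLE_LINES)
    print(f"{len(read_only)} read-only open(s) dropped")
    for rec in possible:
        name = rec["object_name"].rsplit("\\", 1)[-1]
        print(f"{rec['date']} {rec['time']} {rec['client_domain']}\\{rec['client_user']} "
              f"opened {name} with {', '.join(rec['accesses_decoded'])}")
```

Run against the post's own record, the script keeps it: the handle to WFM5B.EXE was granted WriteData and AppendData, which is exactly what Eric points out, so the filter confirms the application asked for write access rather than showing a write. On XP or Server 2003 the same triage would be done against event 567 instead, since that event records the operation actually performed.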