Re: Which auditing category?

From: ThePsyko (thepsyko_at_itookmyprozac.com)
Date: 06/24/03


Date: Tue, 24 Jun 2003 00:58:14 GMT


On 23 Jun 2003 in microsoft.public.win2000.security, "Steven L Umbach"
<n9rou@attbi.com> made his/her contribution to mankind by stating in
news:XmIJa.1713$e26.908@rwcrnsc52.ops.asp.att.net:

> You would need to enable auditing of object access for the server and
> then enable auditing on the folder for the "change permissions"
> setting. This will audit change to ntfs permissions, not share
> permissions. Try to audit bare minimum of settings for bare minimum of
> user/group. Even then you will probably have a large amount of events
> recorded. Use of filtering for event viewer may help in searching the
> log.
> --- Steve

dumpevt.exe and the find command work wonders as well.. just run the
following .bat file customized to what events you're looking for..

d:\tools\dumpevt\dumpevt.exe /logfile=sec /outfile=d:\seclog.txt /reg=local_machine
find /N /I "609" d:\seclog.txt > d:\found.txt
find /N /I "612" d:\seclog.txt >> d:\found.txt

etc

>
> "Bill" <bills@selftestsoftware.com> wrote in message
> news:00b501c33997$0bdf14c0$a101280a@phx.gbl...
>> I have a shared folder on a member server. Access to the
>> folder granted using global group. Someone is changing
>> the permissions assigned to the group. Which audit policy
>> will document this event? Object access? Directory
>> services access? privilege use? The file is on a W2k
>> member server.
>
>

-- 
/(bb|[^b]{2})/ that is the Question
ThePsyko
Public Enemy #7
"God told me to skin you alive"
http://prozac.iscool.net
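
Added example, not part of the original post: the `find` lines above match "609" anywhere in a line, so this sketch filters on the event ID column instead and then narrows to permission changes on one folder. The column layout of the export, the sample rows, the folder path and the use of event 560 with WRITE_DAC for a permission change are assumptions of this example; the post itself names only 609 and 612.

```python
import csv
import io

# Constructed sample of a comma-separated security-log export. The column
# layout (date, time, event ID, user, description) is an assumption for this
# example, not dumpevt's documented output format.
SAMPLE_DUMP = """\
6/23/2003,14:02:11,560,CORP\\jdoe,Object Open: Object Name: D:\\Shares\\Finance Accesses: WRITE_DAC
6/23/2003,14:05:40,560,CORP\\asmith,Object Open: Object Name: D:\\Shares\\Finance\\q2.xls Accesses: ReadData
6/23/2003,16:09:12,528,CORP\\asmith,Successful Logon: Logon ID: (0x0,0x6091A)
6/23/2003,16:12:03,612,CORP\\admin1,Audit Policy Change
6/23/2003,17:30:00,609,CORP\\admin1,User Right Removed
"""

def substring_hits(dump, needle):
    """What `find /I "609"` does: match the text anywhere in the line."""
    return [ln for ln in dump.splitlines() if needle.lower() in ln.lower()]

def field_hits(dump, event_ids):
    """Keep a row only when its event ID column equals one of event_ids."""
    rows = csv.reader(io.StringIO(dump))
    return [r for r in rows if len(r) >= 5 and r[2].strip() in event_ids]

def permission_changes(dump, folder):
    """Event 560 rows (assumed ID) requesting WRITE_DAC on the audited folder."""
    hits = []
    for row in field_hits(dump, {"560"}):
        date, time, _event_id, user, *rest = row
        desc = ",".join(rest)  # description text may itself contain commas
        if "WRITE_DAC" in desc and folder.lower() in desc.lower():
            hits.append((date, time, user))
    return hits

if __name__ == "__main__":
    print(len(substring_hits(SAMPLE_DUMP, "609")), "substring matches for 609")
    print(len(field_hits(SAMPLE_DUMP, {"609", "612"})), "rows with ID 609 or 612")
    print(permission_changes(SAMPLE_DUMP, r"D:\Shares\Finance"))
```

The substring search also returns the logon row whose Logon ID happens to contain "609"; the field match does not.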

