Re: track SAM modifications

From: Roger Abell [MVP] (mvpNoSpam_at_asu.edu)
Date: Thu, 10 Jul 2003 01:42:43 -0700

You may want to look into using WMI to get a notification
set up on the event log entries of interest.

"Marc Ochsenmeier" <marc@ochsenmeier.com> wrote in message
news:3f0c1d48$1_3@hpb10302.boi.hp.com...
> Hi,
>
> this is what I did! I did enable the auditing of "Account management". From
> this point, I receive the event 518 in the log events.
> This event tells me how someone has been trying to modify the SAM.
>
> ...but what I am really looking for is a mechanism that allows me to
> (programmatically) register a component (dll?) that will enable me to catch
> these events in addition to log events. My goal is to collect the SAM
> specific audit events in another application.
>
> Thanks in advance.
>
> Marc Ochsenmeier
> www.ochsenmeier.com
>
>
>
> "Eric Fitzgerald [MSFT]" <ericf@online.microsoft.com> wrote in message
> news:#RgFn#aRDHA.1072@TK2MSFTNGP10.phx.gbl...
> > Better still, enable "Account Management", the events are more clear.
> >
> > --
> > Eric Fitzgerald
> > Program Manager, Windows Auditing
> > Microsoft Corporation
> >
> > The above message is provided "AS-IS" with no warranties, and confers no
> > rights.
> >
> > "Jean-Baptiste Marchand" <jbm+news@glou.net> wrote in message
> > news:slrnbgls15.a3n.jbm+news@gwyneth.glou.net...
> > > Marc Ochsenmeier wrote:
> > >
> > > > I know that, when turned on, Windows writes entries in the event log when
> > > > someone changes the SAM.
> > >
> > > Yes, when the _Audit object access_ auditing category is set (for
> > > success and/or failures) in the security auditing policy, 560 events
> > > related to SAM objects appear in the security eventlog.
> > >
> > > This is because SAM objects have by default a SACL (see the following
> > > thread for more details):
> > >
> > > http://www.securityfocus.com/archive/116/327320/2003-06-30/2003-07-06/1
> > >
> > > > My question is: is there any notification mechanism proper to the SAM
> > > > that can be registered in order to capture these events?
> > >
> > > Not that I know of. But you can modify the SACL on SAM objects using the
> > > samacl tool:
> > >
> > > http://razor.bindview.com/tools/desc/acltools1.0-readme.html
> > >
> > >
> > > Of course, a 560 event does not actually mean that an object was
> > > effectively accessed but only that access was given to an object, with
> > > the intent to do something with it.
> > >
> > >
> > > Jean-Baptiste Marchand
> > > --
> > > jbm@glou.net
> > > Real Unix Books are written with Troff
> > > (W. Richard Stevens)
> >
> >
>
>
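Roger's suggestion in concrete form, as an added example that is not part of the original thread and not code from any of its authors: a PowerShell script that registers a temporary WMI event subscription on new Security-log entries and copies the SAM-related ones into a line-delimited JSON file that another application can read, which is what Marc asked for. Everything below is assumed rather than taken from the thread: that the script runs elevated (reading the Security log requires SeSecurityPrivilege), that `$SinkPath` is a placeholder you replace, and that the message text of event 560 names the SAM object type (for example `SAM_USER` or `SAM_DOMAIN`), so a substring match separates SAM objects from the 560 events that files and registry keys also generate. If you follow Eric's advice and enable "Account Management" auditing, extend `$EventCodes` with those event IDs.

```powershell
# Added example, not code from the thread: a temporary WMI event subscription
# that copies SAM-related audit events out of the Security log into a
# line-delimited JSON file another application can consume.
# Assumptions (not stated in the thread): the script runs elevated, because
# reading the Security log requires SeSecurityPrivilege; $SinkPath is a
# placeholder; the text of event 560 names the SAM object type (SAM_USER,
# SAM_DOMAIN, ...) so a substring match can drop non-SAM 560 events.

$SinkPath    = 'C:\ProgramData\SamAudit\events.jsonl'  # placeholder, choose your own
$EventCodes  = @(560)    # 560 = Object Open; generated by the SACL on SAM objects
$ObjectMatch = 'SAM_'    # substring identifying SAM object types in the message (assumption)
$SourceId    = 'SamAuditCollector'

New-Item -ItemType Directory -Path (Split-Path -Parent $SinkPath) -Force | Out-Null

# WQL: an intrinsic instance-creation event for Win32_NTLogEvent, restricted to
# the Security log and the event IDs above. The NT event log provider pushes
# these events; WITHIN 2 only sets the polling fallback interval in seconds.
$codeFilter = ($EventCodes | ForEach-Object { "TargetInstance.EventCode = $_" }) -join ' OR '
$Query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
         "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
         "AND TargetInstance.Logfile = 'Security' AND ($codeFilter)"

$Action = {
    $cfg = $Event.MessageData            # hashtable passed in via -MessageData
    $ev  = $Event.SourceEventArgs.NewEvent.TargetInstance

    # Drop 560 events that concern objects other than SAM objects.
    if ($ev.Message -notlike ('*' + $cfg.ObjectMatch + '*')) { return }

    # Register-CimIndicationEvent delivers TimeGenerated as a DateTime; the
    # older Register-WmiEvent path delivers a DMTF string, so accept both.
    $ts = $ev.TimeGenerated
    if ($ts -is [string]) {
        $ts = [System.Management.ManagementDateTimeConverter]::ToDateTime($ts)
    }

    # As Jean-Baptiste notes, a 560 event records that a handle was granted
    # with the listed accesses, not that the object was then modified, so the
    # full message (which carries the access list) is kept verbatim.
    $record = [ordered]@{
        Time         = $ts.ToUniversalTime().ToString('o')
        Computer     = $ev.ComputerName
        RecordNumber = $ev.RecordNumber
        EventCode    = $ev.EventCode
        Source       = $ev.SourceName
        User         = $ev.User
        Message      = $ev.Message
    }
    $record | ConvertTo-Json -Compress | Add-Content -Path $cfg.SinkPath -Encoding UTF8
}

Register-CimIndicationEvent -Namespace 'root/cimv2' -Query $Query `
    -SourceIdentifier $SourceId -Action $Action `
    -MessageData @{ SinkPath = $SinkPath; ObjectMatch = $ObjectMatch } | Out-Null

try {
    Write-Host "Collecting SAM audit events into $SinkPath (Ctrl+C to stop)"
    # Wait-Event keeps the session idle so the -Action block gets to run; with
    # -Action in use the events are not queued, so each call simply times out.
    while ($true) { Wait-Event -SourceIdentifier $SourceId -Timeout 10 | Out-Null }
}
finally {
    Unregister-Event -SourceIdentifier $SourceId -ErrorAction SilentlyContinue
}
```

This subscription lives only as long as the PowerShell session, which is the right scope for testing the filter. A collector that must survive reboots needs a permanent subscription (an `__EventFilter`, an event consumer and a `__FilterToConsumerBinding` in `root\subscription`); permanent subscriptions run as SYSTEM without a visible session, so any you create belong in the host's baseline and any you did not create deserve a look. Keep the SACL caveat from the thread in mind when consuming the output: each record means a handle to a SAM object was opened with the listed accesses, and a write access in the list is the strongest signal this source can give, not proof that a change was made.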
