Re: Auditing object access from network

From: Jean-Baptiste Marchand (jbm+news_at_glou.net)
Date: 08/20/03


Date: Tue, 19 Aug 2003 22:47:11 +0000 (UTC)


kenw@kmsi.net wrote:

[...]

> THE PROBLEM, again, is that IT ONLY AUDITS DELETIONS BY LOCALLY LOGGED-IN
> USERS, NOT BY USERS ACCESSING FILES VIA THE NETWORK. It almost appears
> that file deletions on behalf of remote users, by system processes (e.g.,
> the SMB server), are not auditable on the server where the files are
> located. Is that possible?

That seems strange.

I suggest:

 - replacing the EVERYONE SID by the NETWORK SID in the SACL. The SMB
   server establishes a network logon session for the user accessing
   a resource remotely. Thus, the security token of the thread
   accessing the file on behalf of the client contains the NETWORK SID.

 - adding the SYSTEM SID, just to verify whether file deletions are
   performed under the SYSTEM security context.

There should be no difference between local and remote accesses, as the
technique used by the SMB server is to impersonate the remote user and
access the local resources as if the client were logged on locally.

Jean-Baptiste Marchand

-- 
jbm@glou.net
Real Unix Books are written with Troff
(W. Richard Stevens)
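The SACL change suggested above, as an added PowerShell example that is not part of the original thread: it adds audit ACEs for the NETWORK and SYSTEM SIDs on a file so that deletions performed through the SMB server's network logon session produce audit events. It assumes a placeholder path, that the shell runs elevated (reading and writing a SACL needs SeSecurityPrivilege), and that the "Audit object access" policy is already enabled.

```powershell
# Added example, not from the original post. Adds Delete audit entries for
# the NETWORK and SYSTEM SIDs to a file's SACL.
# Assumptions: $Path is a placeholder; the session is elevated; the
# "Audit object access" policy is on, otherwise the ACEs generate nothing.
param(
    [string]$Path = 'C:\Share\audited-file.txt'   # placeholder path
)

# Resolve the well-known SIDs through .NET instead of hard-coding S-1-5-2
# and S-1-5-18 (domainSid is $null for these non-domain SIDs).
$networkSid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::NetworkSid, $null)
$systemSid  = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::LocalSystemSid, $null)

# Rights whose use should be audited: Delete covers the file itself,
# DeleteSubdirectoriesAndFiles matters if $Path is a directory.
$rights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$flags  = [System.Security.AccessControl.AuditFlags]::Success -bor
          [System.Security.AccessControl.AuditFlags]::Failure

# -Audit makes Get-Acl read the SACL as well as the DACL.
$acl = Get-Acl -Path $Path -Audit

foreach ($sid in @($networkSid, $systemSid)) {
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $sid, $rights, $flags)
    $acl.AddAuditRule($rule)
}

Set-Acl -Path $Path -AclObject $acl

# Show the resulting SACL so the NETWORK and SYSTEM entries can be checked.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags
```

After a remote client deletes the file, the Security log entry should name the NETWORK-session user (the impersonated client) rather than SYSTEM; if only the SYSTEM entry fires, the deletion is happening outside the impersonated context, which is exactly what the SYSTEM ACE is there to reveal.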

