Re: Help with account auditing win2k

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/26/05


Date: Tue, 26 Apr 2005 06:51:52 -0700

It appears that you have a misbehaved application that is
expecting to make use of a temporary directory located in
c:\winnt with the apparently random, and constantly changing
name. Since the name is not predictable you need to discover
if the directory is actually coming into existence and from
what origin. If possible, change it to use /temp. As the failed
request is only for List, apparently Aspnet is not in the Users group
as Users would have read in the default settings on newly defined
directories and their content.

The other could be solved by allowing the account Full Control
on the one file fusioncache.dat, although you may also need to
increase permissions on the containing folder, depending on just
what the application is trying to do with the file. You said that
you have already granted read on the file, but notice that the
failing request is asking for more, including Write of Extended
Attributes, etc.
This solution is suboptimal, as the Default User profile and its
content should not be actively used by running processes/accounts.
However, if that is hard-coded into what Fusion is expecting you
may have little choice.

-- 
Roger Abell
Microsoft MVP (Windows  Security)
MCSE (W2k3,W2k,Nt4)  MCDBA
"M. Simioni" <m.simioniREMOVETHIS@TOCONTACTMEwooow.it> wrote in message
news:pyobe.4375$TR5.2689@news.edisontel.com...
> Hi, a few days ago I turned on auditing of file & directory access from
> the ASPNET user account.
>
> Since then I have noticed many events in the Protection Log about this failure:
>  "Object name: C:\WINNT\7WTMZC5Q7S9UBO1M"
>  "Accesses: SYNCHRONIZE, ReadData (or ListDirectory)"
> I get this message every day, and the object "7WTMZC5Q7S9UBO1M" seems to be
> a randomly generated name that changes every time.
>
> I also got events about this failure:
> "Object name: C:\Documents and Settings\Default User\Impostazioni
> locali\Dati applicazioni\fusioncache.dat"
>  "Accesses: READ_CONTROL,SYNCHRONIZE,ReadData (o ListDirectory),WriteData (o
> AddFile),AppendData (o AddSubdirectory o
> CreatePipeInstance) ,ReadEA,WriteEA,ReadAttributes,WriteAttributes "
>
> What should these attempts be? Any idea?
> The ASPNET account already has Read Attribute on C:\WINT, so what's the
> first event and how can I fix it?
> It has Read Attribute on "C:\Documents and Settings\Default
> User\Impostazioni locali\Dati applicazioni", should I grant Full Control to
> it?
>
> thnx i.a.
> Marco
>
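
The comparison made in the reply above (what the failed request asked for versus what the account was granted) can be done mechanically from the audit text. This is an added example, not part of the original thread: the function names are hypothetical, the mask values are the standard file access-right bits from winnt.h, and it assumes that "Read" on the file corresponds to FILE_GENERIC_READ.

```python
import re

# Windows file access-mask bits (winnt.h), keyed by the names the audit event prints.
ACCESS_BITS = {
    "ReadData": 0x0001,         # FILE_READ_DATA / FILE_LIST_DIRECTORY
    "WriteData": 0x0002,        # FILE_WRITE_DATA / FILE_ADD_FILE
    "AppendData": 0x0004,       # FILE_APPEND_DATA / FILE_ADD_SUBDIRECTORY
    "ReadEA": 0x0008,           # FILE_READ_EA
    "WriteEA": 0x0010,          # FILE_WRITE_EA
    "ReadAttributes": 0x0080,   # FILE_READ_ATTRIBUTES
    "WriteAttributes": 0x0100,  # FILE_WRITE_ATTRIBUTES
    "READ_CONTROL": 0x00020000,
    "SYNCHRONIZE": 0x00100000,
}

# Assumption: a "Read" grant is modelled as FILE_GENERIC_READ
# (READ_CONTROL | SYNCHRONIZE | ReadData | ReadEA | ReadAttributes).
FILE_GENERIC_READ = 0x00120089


def parse_accesses(line):
    """Return the access names listed on an 'Accesses:' audit line."""
    body = line.split(":", 1)[1]
    # Drop the parenthesised aliases, e.g. "(or ListDirectory)" / "(o AddFile)".
    body = re.sub(r"\([^)]*\)", "", body)
    names = [n.strip() for n in body.split(",") if n.strip()]
    unknown = [n for n in names if n not in ACCESS_BITS]
    if unknown:
        raise ValueError(f"unrecognised access names: {unknown}")
    return names


def missing_rights(line, granted_mask):
    """Names of the requested rights that granted_mask does not cover."""
    return [n for n in parse_accesses(line) if not ACCESS_BITS[n] & granted_mask]


# Constructed samples: the two "Accesses" lines from the post, re-joined after wrapping.
DIR_EVENT = "Accesses: SYNCHRONIZE, ReadData (or ListDirectory)"
FILE_EVENT = ("Accesses: READ_CONTROL,SYNCHRONIZE,ReadData (o ListDirectory),"
              "WriteData (o AddFile),AppendData (o AddSubdirectory o CreatePipeInstance) ,"
              "ReadEA,WriteEA,ReadAttributes,WriteAttributes")

if __name__ == "__main__":
    print(missing_rights(DIR_EVENT, ACCESS_BITS["ReadAttributes"]))
    print(missing_rights(FILE_EVENT, FILE_GENERIC_READ))
```

Run against the fusioncache.dat event, a Read grant leaves only the write-side rights uncovered, which is a narrower set to grant on that one file than Full Control.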

