Re: Track Changes to IP Configuration?
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 6 Apr 2006 22:36:34 -0500
You could enable auditing of object access and then audit the registry key
for that adapter for success for set key value. Object access events such
as 560, 562, and 567 will show in the security log when that happens, but it
will not show what value was changed, though it would show a user name [could
be system or both] and the times that it happened. Below is what you could
expect to find when a value is changed; note that the three events have the
same timestamp and handle ID and should be looked at as a set. The computer
will need to be rebooted after enabling auditing on a registry key [from
what my experience shows] for it to start working. Audit under
CurrentControlSet. You can use the free Event Comb from Microsoft to parse
security logs for event IDs and text strings. In this case such a text
string could be "Access Mask: Set key value". That may give you something to
start with. You can use the command net config server to find the adapter ID
as shown in the registry, and as shown under Object Name in Event ID 560 below.
It may also help to enable auditing of process tracking to see if you can
find a process that happened at a time just before the registry change that
could be responsible for the change, if it was not done by user interaction.
You will need to increase the size of your security log quite a bit from
default settings if you have not done so yet. I would also check the servers
for any apparent rogue processes running with free tools from SysInternals
such as Process Explorer, and do malware scans if you have not done so
lately.

--- Steve
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/6/2006
Time: 9:34:43 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19C66C86-CB8F-40CF-95C3-E6E755957325}
Handle ID: 1600
Operation ID: {0,256768}
Process ID: 1404
Image File Name: D:\WINDOWS\explorer.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0xD7FA)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
Set key value
Create sub-key
Privileges: -
Restricted Sid Count: 0
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 567
Date: 4/6/2006
Time: 9:34:43 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Access Attempt:
Object Server: Security
Handle ID: 1600
Object Type: Key
Process ID: 1404
Image File Name: D:\WINDOWS\explorer.exe
Access Mask: Set key value
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 4/6/2006
Time: 9:34:43 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Handle Closed:
Object Server: Security
Handle ID: 1600
Process ID: 1404
Image File Name: D:\WINDOWS\explorer.exe
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"RJ" <jackbobNOSPAM@xxxxxxxxxxx> wrote in message
news:%237hxC9dWGHA.1348@xxxxxxxxxxxxxxxxxxxxxxx
Can you track changes to the IP address / subnet mask / gateway, etc.
on a Win2003 server? Is there an auditing setting that will do this, and
would it show up in Event Viewer?
We have some servers that the subnet mask is getting changed on
(static IP addresses), and we need to track down what is causing/doing
this.
Thanks.
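One way to pull those 560/567 sets out of an exported security log, as an added example that is not part of the original post and is not Event Comb: a small Python parser over text in the same field layout as the events quoted above, grouping entries by Date, Time and Handle ID and reporting only sets where the 560 opened a key under Tcpip\Parameters\Interfaces with Set key value access and the 567 shows that access actually being used. The sample log below is constructed from the fields in the quoted events, with the "For more information" trailer lines left out.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the events quoted above; 560 and 567 share Date, Time and Handle ID.
SAMPLE_LOG = """Event Type: Success Audit
Event ID: 560
Date: 4/6/2006
Time: 9:34:43 PM
User: STEVE-XP\\Steve
Object Name:
\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{19C66C86-CB8F-40CF-95C3-E6E755957325}
Handle ID: 1600
Image File Name: D:\\WINDOWS\\explorer.exe
Accesses: READ_CONTROL
Set key value
Event Type: Success Audit
Event ID: 567
Date: 4/6/2006
Time: 9:34:43 PM
Handle ID: 1600
Access Mask: Set key value"""
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s*(.*)$")          # "Name: value" lines of the export
IFACE_KEY = "\\Services\\Tcpip\\Parameters\\Interfaces\\{"     # per-adapter keys, as in the 560 above

def parse_events(text):
    """One dict per event; a line without 'Name:' continues the previous field (Object Name, Accesses)."""
    events, last = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":                     # every exported event starts here
            events.append(defaultdict(list))
        if not events or not line.strip() or line.startswith(("For more", "http://")):
            continue                                             # pre-event text, blanks, trailer lines
        last = m.group(1) if m else last
        events[-1][last].append(m.group(2) if m else line.strip())
    return [{k: " ".join(v).strip() for k, v in e.items()} for e in events]

def find_ip_config_changes(text):
    """Sets keyed by (Date, Time, Handle ID) whose 560 opened an interface key and whose 567 set a value."""
    sets = defaultdict(dict)
    for e in parse_events(text):
        sets[(e.get("Date"), e.get("Time"), e.get("Handle ID"))][e.get("Event ID")] = e
    hits = []
    for (date, time, handle), by_id in sets.items():
        opened, used = by_id.get("560", {}), by_id.get("567", {})
        if IFACE_KEY in opened.get("Object Name", "") and "Set key value" in used.get("Access Mask", ""):
            guid = re.search(r"\{[0-9A-Fa-f-]{36}\}", opened["Object Name"])   # adapter ID from the key path
            hits.append({"when": f"{date} {time}", "handle": handle, "events": sorted(by_id),
                         "adapter": guid.group(0) if guid else "?", "user": opened.get("User", "?"),
                         "image": opened.get("Image File Name", "?")})
    return hits
```

The events still do not carry the old or new value, so a hit only tells you which adapter key, which account and which image were involved at that time; the 562 with the same handle ID, if present, simply closes the set.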