Re: Track Changes to IP Configuration?



Great info ... Thank you very much!
It is a little more convoluted than I hoped for, but it
should do the trick.



"Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23iyxYRfWGHA.128@xxxxxxxxxxxxxxxxxxxxxxx
You could enable auditing of object access and then audit the registry key for that adapter for
success for set key value and object access events such as 560, 562, and 567 will show in the
security log when that happens but it will not show what value was changed though it would show a
user name [could be system or both] and times that it happened. Below is what you could expect to
find when a value is changed and note the three events have the same timestamp and handle ID and
should be looked at as a set. The computer will need to be rebooted after enabling auditing on a
registry key [from what my experience shows] for it to start working. Audit under
currentcontrolset. You can use the free Event Comb from Microsoft to parse security logs for
event IDs and text strings. In this case such a text string could be Access Mask: Set key value.
That may give you something to start with. You can use the command net config server to find the
adapter ID as shown in the registry as shown under object name in Event ID 560 below. It may also
help enabling auditing of process tracking to see if you can find a process that happened at a
time just before the registry change that could be responsible for the change if it was not done
by user interaction. You will need to increase the size of your security log quite a bit from
default settings if you have not done so yet. I would also check the servers for any apparent
rogue processes running with free tools from SysInternals such as Process Explorer and do malware
scans if you have not done so lately.
--- Steve

Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 4/6/2006
Time: 9:34:43 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name:
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19C66C86-CB8F-40CF-95C3-E6E755957325}
Handle ID: 1600
Operation ID: {0,256768}
Process ID: 1404
Image File Name: D:\WINDOWS\explorer.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0xD7FA)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
Set key value
Create sub-key

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 567
Date: 4/6/2006
Time: 9:34:43 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Object Access Attempt:
Object Server: Security
Handle ID: 1600
Object Type: Key
Process ID: 1404
Image File Name: D:\WINDOWS\explorer.exe
Access Mask: Set key value



For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 562
Date: 4/6/2006
Time: 9:34:43 PM
User: STEVE-XP\Steve
Computer: STEVE-XP
Description:
Handle Closed:
Object Server: Security
Handle ID: 1600
Process ID: 1404
Image File Name: D:\WINDOWS\explorer.exe


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




"RJ" <jackbobNOSPAM@xxxxxxxxxxx> wrote in message news:%237hxC9dWGHA.1348@xxxxxxxxxxxxxxxxxxxxxxx
Can you track changes to the IP address / subnet mask / gateway, etc.
on a Win2003 server? Is there an auditing setting that will do this, and would it show
up in Event Viewer?

We have some servers that the subnet mask is getting changed on,
(static IP addresses) and we need to track down what is causing/doing this.

Thanks.
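The reply above says events 560, 567 and 562 should be read as a set tied together by handle ID. The following is an added example, not part of the original thread, that does that correlation over exported Security log text. It assumes the export has been normalized to one `Field: value` per line with a blank line between events; the names `parse` and `ip_config_writes` are hypothetical.

```python
import re

# Constructed sample: the thread's three events reduced to the fields used here,
# then a later read-only open reusing handle 1600 (no 567) that must be ignored.
SAMPLE = r"""
Event ID: 560
Time: 9:34:43 PM
User: STEVE-XP\Steve
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19C66C86-CB8F-40CF-95C3-E6E755957325}
Handle ID: 1600
Process ID: 1404
Image File Name: D:\WINDOWS\explorer.exe

Event ID: 567
Handle ID: 1600
Process ID: 1404
Access Mask: Set key value

Event ID: 562
Handle ID: 1600
Process ID: 1404

Event ID: 560
Time: 9:40:02 PM
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{19C66C86-CB8F-40CF-95C3-E6E755957325}
Handle ID: 1600
Process ID: 1404
"""

WATCHED = r"\services\tcpip\parameters\interfaces"  # adapter keys, any control set

def parse(text):
    """Yield one dict of 'Field: value' pairs per blank-line-separated event."""
    for block in re.split(r"\n\s*\n", text.strip()):
        yield dict(re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", block, re.M))

def ip_config_writes(text):
    """Match 560 open, 567 'Set key value', 562 close on (Process ID, Handle ID)."""
    open_handles, hits = {}, []
    for ev in parse(text):
        key, eid = (ev.get("Process ID"), ev.get("Handle ID")), ev.get("Event ID")
        if eid == "560" and WATCHED in ev.get("Object Name", "").lower():
            open_handles[key] = dict(ev, written=False)   # remember who opened it
        elif eid == "567" and key in open_handles:
            open_handles[key]["written"] |= "Set key value" in ev.get("Access Mask", "")
        elif eid == "562" and key in open_handles:
            opened = open_handles.pop(key)                # handle IDs get reused
            if opened["written"]:
                hits.append({f: opened.get(f) for f in ("Time", "User", "Image File Name", "Object Name")})
    return hits
```

Only handles that were actually written before being closed are reported, so an open that merely requests "Set key value" access in event 560 without a matching 567 does not produce a hit.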





