Re: Server refreshes its security policy with wrong values



That is really strange that it is happening on a non-domain computer when
you cannot find any Scheduled Tasks. To answer your question, what you could
try auditing are the windows\security\database\secedit.sdb and
\windows\system32\config\security files. Another thing I would do is to use
esentutl to check the integrity of your secedit.sdb file as described in the
article below. Also check the application log to see if you see any events
that indicate that security policy was refreshed at the time you see the
events in the security log for policy change. --- Steve

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_scetroubletn.mspx?mfr=true

Run esentutl /g to check the integrity of the security database at
%windir%\Security\Database\Secedit.sdb.


"Alexander Groß" <PLEASEAlexanderGrossREMOVETHIS@xxxxxx> wrote in message
news:%23n1xZxrpGHA.2328@xxxxxxxxxxxxxxxxxxxxxxx
Hi Steven,

thanks for your reply.

Steven L Umbach <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
| You could try enabling auditing for process tracking on that server
| and then see what processes show in the security log just before the

I'll give that a try.

| I would also use search to search the
| hard drive for files that contain secedit to see if any batch file is
| found containing it.

There are no files (besides an ISA Server Best Practices Analyzer log) that
contain secedit.

| If it continues to happen right at 8 AM you
| also could try running filemon and regmon from SysInternals at 7:59

I also thought of trying these tools. However, the changes to the audit
policy happen at (obviously) random intervals. Today it's been at 10:26 PM.

Do you know which files are used to store the security settings? I thought
about enabling file access audit for these using the audit feature NTFS
provides.

Best regards,

Alex

--
_______________________________________

Alexander Groß
Dipl.-Ing. (BA) für Informationstechnik
PLEASEAlexanderGrossREMOVETHIS@xxxxxx
http://www.it99.org/axl/
ICQ# 36765668
_______________________________________
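
Added example, not part of either poster's message: one way to carry out the three checks suggested in the reply above (NTFS auditing on the two files, the esentutl integrity check, and a look at the Application log around the time of the change). It assumes an elevated Windows PowerShell session on a system where Get-WinEvent is available; the timestamp is a constructed sample and the five-minute window is an arbitrary choice.

```powershell
# Added example; run from an elevated Windows PowerShell session.
$sdb  = Join-Path $env:windir 'Security\Database\secedit.sdb'
$hive = Join-Path $env:windir 'System32\config\SECURITY'

# 1. Add an NTFS audit entry (SACL) for write-type access to both files.
#    Events are only written to the Security log while object access
#    auditing is enabled in the audit policy.
foreach ($path in $sdb, $hive) {
    $acl  = Get-Acl -Path $path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
                -ArgumentList 'Everyone', 'Write, Delete, ChangePermissions', 'Success, Failure'
    $acl.AddAuditRule($rule)
    Set-Acl -Path $path -AclObject $acl
    # Show the resulting audit entries so the change can be confirmed.
    (Get-Acl -Path $path -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
}

# 2. Integrity check of the security database, as in the linked article.
& esentutl.exe /g $sdb

# 3. List Application log events close to the time the Security log shows
#    the policy change. Replace the constructed sample time below with the
#    timestamp of the policy change event on your server.
$changeTime = Get-Date '2006-07-13 22:26'     # constructed sample value
$window     = New-TimeSpan -Minutes 5         # arbitrary window size
$filter = @{
    LogName   = 'Application'
    StartTime = ($changeTime - $window)
    EndTime   = ($changeTime + $window)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, ProviderName, Id, Message -AutoSize -Wrap
```

With process tracking also enabled, as suggested earlier in the thread, the file audit events and the process events in the Security log can be matched by time to see which process touched the files.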



