Re: Audit file/folder access
- From: "DaveMo" <david.mowers@xxxxxxxxx>
- Date: 13 Feb 2007 09:12:06 -0800
What can I do to not have those events in my event log ?
I want to monitor only one directory on D: drive...
The system will not audit any object access unless there is a SACL
specifying the audit action. So, the entries you are seeing are caused
by a SACL, you just have to find it. There are default SACLs on the
system, but they won't do anything until the security policy to enable
object access auditing is enabled. On one server here there is such a
default SACL on the registry key that contains the parameters for the
security log.
When you enable auditing in security policy you start getting these:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 2/13/2007
Time: 8:55:08 AM
User: EXTRANET\Administrator
Computer: EXTRANETDC
Description:
Object Open:
Object Server: Security
Object Type: Key
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
Handle ID: 896
Operation ID: {0,579779}
Process ID: 3044
Image File Name: C:\WINDOWS\system32\mmc.exe
Primary User Name: Administrator
Primary Domain: EXTRANET
Primary Logon ID: (0x0,0x1C353)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: Set key value
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x2
If you use regedt32 to view this registry setting and click advanced/
permissions/auditing you'll see there is a SACL on the object. If you
were to remove the SACL you'll stop getting these particular audits.
Something similar is happening on your file volumes. If you look
around you'll probably find an inheritable SACL. For any particular
path that generates an audit you should be able to open that file's
properties and find a SACL either explicitly on the object or one that
is being inherited.
HTH.
Dave
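A way to do the SACL hunt Dave describes without clicking through every folder's properties, as an added example that is not part of the thread: walk the volume and list every audit entry with whether it is explicit or inherited, so the entry producing the unwanted Object Access events can be located and narrowed to the one directory that should be audited. The same cmdlet also reads registry SACLs (for example the Eventlog\Security key above) via an HKLM: path. Assumes an elevated PowerShell 5 or later session and a hypothetical starting path of D:\.

```powershell
# Added example, not code from the original post. Reading SACLs requires
# SeSecurityPrivilege, so run this elevated. $Root and $Depth are assumptions.
param(
    [string]$Root  = 'D:\',
    [int]   $Depth = 3
)

function Get-SaclEntries {
    param([string]$Path)
    try {
        # -Audit makes Get-Acl fetch the SACL in addition to the DACL.
        $acl = Get-Acl -Path $Path -Audit -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read SACL on $Path : $($_.Exception.Message)"
        return
    }
    foreach ($ace in $acl.Audit) {
        [pscustomobject]@{
            Path        = $Path
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.FileSystemRights
            AuditFlags  = $ace.AuditFlags        # Success, Failure, or both
            Inherited   = $ace.IsInherited       # $false = explicit SACL set here
            Inheritance = $ace.InheritanceFlags  # ContainerInherit / ObjectInherit
        }
    }
}

# The volume root first, then the directories below it down to $Depth levels.
$targets = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth `
                 -ErrorAction SilentlyContinue)

$entries = foreach ($t in $targets) { Get-SaclEntries -Path $t.FullName }

# Explicit (non-inherited) entries are the ones to act on: removing or narrowing
# them, or breaking inheritance on the single directory you do want audited,
# stops the extra 560 events without turning object access auditing off.
$entries | Sort-Object Inherited, Path | Format-Table -AutoSize
```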