In Windows there is not a concept changing the user's identity- however an existing process (running in the context of one user) can create a new process with a different user's identity, IFF either the existing process knows the new user's credentials, or has the Assign Primary Token privilege. When this is audited, we generate an event that includes the identity of the "primary" account- the original process' identity- and the "client" account- the new process' identity. I hope this helps. Eric Fitzgerald Microsoft Corporation -----Original Message----- From: Justin H Tran [mailto:justintat_private] Sent: Friday, December 13, 2002 12:26 PM To: loganalysisat_private Subject: [logs] auditing All- I am trying to explain to a manager (non technical) about audit but unable to get through him the point below. I tried and tried but unsucessful. I am looking for some plain English with examples to show to him. Any advise/info is appreciated. Auditing makes it possible to do the following: * Discover extended use of privilege that occurs when a user changes identity. How is this done ? how does a user outside of Unix change identity ? TIA, Justin _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis _______________________________________________ LogAnalysis mailing list LogAnalysisat_private http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 19:37:21 PST