Hello,

In the Windows security eventlog, events with the 560 identifier appear, provided the following two conditions are true:

- the _Audit object access_ category is enabled in the auditing policy
- the security descriptor of accessed objects has a non-empty SACL (System Access Control List), describing which kind of accesses must be audited, for which security principal.

The first important thing to know is that, once the _Audit object access_ category is enabled, you'll see some 560 events in the Windows security eventlog, even if you haven't enabled auditing on any of your own objects. This is because some internal objects, more precisely the LSA Policy objects and objects in the SAM hierarchy, have a SACL by default. You can examine and modify the SACL on these objects using the lsaacl and samacl tools: http://razor.bindview.com/tools/desc/acltools1.0-readme.html

Now, if you create a SACL on, say, a file, auditing for example Full Control (any accesses) for the Everyone SID (from anybody), 560 events will be logged in the security event log.

Among the fields appearing in a 560 event, the Accesses field contains the access mask requested when accessing the object. There is also a Privileges field that is, most of the time, empty. However, for certain operations, it contains the internal name of one or more system privileges. For example, when accessing the SACL of an object, the SeSecurityPrivilege must be enabled. It seems that when this privilege is enabled in the security token of the process (or thread) opening an object for SACL modification, the Privileges field contains the name of the privilege. Also, when an administrator (typically) takes ownership of a file using the explorer.exe GUI, the SeTakeOwnershipPrivilege must be enabled. When enabled, it also appears in the Privileges field. I suppose that only privileges related to access control can appear in the Privileges field of a 560 event.

However, I haven't seen the SeBackupPrivilege or SeRestorePrivilege privileges yet. I thought that privilege logging was directly linked to the kind of access requested. For example, when an object is opened with the WRITE_OWNER permission, it would seem normal to log if the SeSecurityPrivilege is enabled. Also, when the ACCESS_SYS_SEC permission is requested, the SeSecurityPrivilege might be logged. This is the case in some 560 events I've seen. However, I also have an example of a 560 event where the Accesses field value was WRITE_DAC, WRITE_OWNER and ACCESS_SYS_SEC but the Privileges field was empty...

I would like to know if anybody has a complete reference of what can appear in 560 events. In particular, which privileges can appear in the Privileges field and, most importantly, in which case?

Thank you,

Jean-Baptiste Marchand
--
Jean-Baptiste.Marchandat_private
Hervé Schauer Consultants
http://www.hsc.fr/

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
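As an added illustration (not part of the original message or of any tool it mentions), the following Python script parses the "Field:<TAB>Value" text of 560 events, pulls out the multi-valued Accesses and Privileges fields, and lists the sensitive access rights requested without the privilege one would expect next to them. The sample events are constructed and only approximate the real event layout; the pairing of ACCESS_SYS_SEC with SeSecurityPrivilege and of WRITE_OWNER with SeTakeOwnershipPrivilege follows the observations in the message above. A gap reported by the script is not by itself an anomaly: the access may simply have been granted by the DACL, in which case no privilege is needed, so the output is a starting point for checking the object's DACL rather than a verdict.

```python
import re

# Constructed sample 560 ("Object Open") events in a tab-indented
# "Field:<TAB>Value" layout, with continuation lines for multi-valued
# fields. Paths, handle IDs and account names are made up; only the
# Accesses and Privileges fields carry the point of the example.
SAMPLE_EVENTS = [
    # SACL read with SeSecurityPrivilege present, as described in the message.
    "Object Open:\n"
    "\tObject Type:\tFile\n"
    "\tObject Name:\tC:\\audited\\report.doc\n"
    "\tHandle ID:\t1234\n"
    "\tPrimary User Name:\tAdministrator\n"
    "\tAccesses:\tREAD_CONTROL\n"
    "\t\t\tACCESS_SYS_SEC\n"
    "\tPrivileges:\tSeSecurityPrivilege\n",
    # The puzzling case from the message: WRITE_DAC, WRITE_OWNER and
    # ACCESS_SYS_SEC requested, Privileges field empty ("-").
    "Object Open:\n"
    "\tObject Type:\tFile\n"
    "\tObject Name:\tC:\\audited\\report.doc\n"
    "\tHandle ID:\t1240\n"
    "\tPrimary User Name:\tAdministrator\n"
    "\tAccesses:\tWRITE_DAC\n"
    "\t\t\tWRITE_OWNER\n"
    "\t\t\tACCESS_SYS_SEC\n"
    "\tPrivileges:\t-\n",
    # Ordinary read access; nothing sensitive requested.
    "Object Open:\n"
    "\tObject Type:\tFile\n"
    "\tObject Name:\tC:\\audited\\notes.txt\n"
    "\tHandle ID:\t1250\n"
    "\tPrimary User Name:\tjdoe\n"
    "\tAccesses:\tReadData (or ListDirectory)\n"
    "\t\t\tReadAttributes\n"
    "\tPrivileges:\t-\n",
]

# A field line is "<name>:<one or more tabs><value>"; the event title
# ("Object Open:") has no tab-separated value and therefore does not match.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\t+(.*?)\s*$")

# Access rights that normally require a privilege when the DACL does not
# grant them; pairing taken from the message (SACL access -> SeSecurityPrivilege,
# take ownership -> SeTakeOwnershipPrivilege).
PRIVILEGE_FOR_ACCESS = {
    "ACCESS_SYS_SEC": "SeSecurityPrivilege",
    "WRITE_OWNER": "SeTakeOwnershipPrivilege",
}


def parse_560(text):
    """Parse one event's text into {field: [values]}; '-' means empty."""
    fields = {}
    current = None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = FIELD_RE.match(line)
        if m:
            current, value = m.group(1), m.group(2)
            fields[current] = [] if value == "-" else [value]
        elif current is not None:
            # Indented line without a "name:" prefix continues the previous field.
            fields[current].append(line.strip())
    return fields


def privilege_gaps(fields):
    """Sensitive rights requested whose usual privilege is absent from Privileges."""
    accesses = set(fields.get("Accesses", []))
    privileges = set(fields.get("Privileges", []))
    return sorted(a for a, p in PRIVILEGE_FOR_ACCESS.items()
                  if a in accesses and p not in privileges)


def summarize(event_texts):
    """One summary dict per event: object, user, accesses, privileges, gaps."""
    out = []
    for text in event_texts:
        f = parse_560(text)
        out.append({
            "object": f.get("Object Name", [""])[0],
            "user": f.get("Primary User Name", [""])[0],
            "accesses": f.get("Accesses", []),
            "privileges": f.get("Privileges", []),
            "gaps": privilege_gaps(f),
        })
    return out


if __name__ == "__main__":
    for s in summarize(SAMPLE_EVENTS):
        print(f"{s['user']:<14} {s['object']:<28} accesses={','.join(s['accesses'])}"
              f" privileges={','.join(s['privileges']) or '-'}"
              f" check_dacl_for={','.join(s['gaps']) or '-'}")
```

Run against real 560 events, the "check_dacl_for" column is where the question in the message becomes concrete: every event that names ACCESS_SYS_SEC or WRITE_OWNER without a corresponding privilege is one whose object DACL should explain the grant.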
This archive was generated by hypermail 2b30 : Thu Jun 26 2003 - 08:47:31 PDT