[ Some more information, for those interested... ]

* Jean-Baptiste Marchand <Jean-Baptiste.Marchandat_private> [26/06/03 - 17:48]:
[...]
> One first thing important to know is that, once the _Audit object
> access_ category is enabled, you'll see some 560 events in the Windows
> security eventlog, even if you haven't enabled auditing on any of your
> own objects.
>
> This is because some internal objects, more precisely the LSA Policy
> objects and objects in the SAM hierarchy, have, by default, a SACL.
>
> You can examine and modify the SACL on these objects using the lsaacl
> and samacl tools:
>
> http://razor.bindview.com/tools/desc/acltools1.0-readme.html

Default SACLs on SAM objects are documented in MSKB #149401:

http://support.microsoft.com/?kbid=149401

However, this article only mentions Windows NT 4.0, whereas it probably
also applies to Windows 2000 and Windows Server 2003.

By the way, on Windows Server 2003, there are also default SACLs on the
following objects:

- The C:\WINDOWS\tasks\ directory (you can examine the content of the
  SACL using subinacl, part of the Windows Server 2003 Resource Kit
  Tools).

  As a consequence, when a scheduled task is added, a 560 event is
  logged in the Security eventlog:

-----------------------------------------------------------------------
Event Type:     Success Audit
Event Source:   Security
Event Category: Object Access
Event ID:       560
Date:           xx/xx/2003
Time:           xx:xx:xx
User:           NT AUTHORITY\SYSTEM
Computer:       BLAH
Description:
Object Open:
 Object Server: Security
 Object Type: File
 Object Name: C:\WINDOWS\Tasks\At1.job
 Handle ID: 3464
 Operation ID: {0,171812}
 Process ID: 936
 Image File Name: C:\WINDOWS\system32\svchost.exe
 Primary User Name: BLAH$
 Primary Domain: MYDOMAIN
 Primary Logon ID: (0x0,0x3E7)
 Client User Name: -
 Client Domain: -
 Client Logon ID: -
 Accesses: READ_CONTROL
   SYNCHRONIZE
   WriteData (or AddFile)
   AppendData (or AddSubdirectory or CreatePipeInstance)
   WriteEA
   ReadAttributes
   WriteAttributes
 Privileges: -
 Restricted Sid Count: 0
 Access Mask: 0x120196
-----------------------------------------------------------------------

- The Security\ registry key, under the Eventlog service configuration
  key, also has a default SACL (you can examine the content of the SACL
  on this key using regedit):

-----------------------------------------------------------------------
Event Type:     Success Audit
Event Source:   Security
Event Category: Object Access
Event ID:       560
Date:           xx/xx/2003
Time:           xx:xx:xx
User:           BLAH\Administrator
Computer:       BLAH
Description:
Object Open:
 Object Server: Security
 Object Type: Key
 Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
 Handle ID: 496
 Operation ID: {0,141880}
 Process ID: 1816
 Image File Name: C:\WINDOWS\system32\mmc.exe
 Primary User Name: Administrator
 Primary Domain: BLAH
 Primary Logon ID: (0x0,0x124B8)
 Client User Name: -
 Client Domain: -
 Client Logon ID: -
 Accesses: Set key value
 Privileges: -
 Restricted Sid Count: 0
 Access Mask: 0x2
-----------------------------------------------------------------------

  This can be annoying, because each time the administrator refreshes
  the view on the Security eventlog, two events (560 and 562) are logged
  in the Security eventlog. To avoid this, the SACL can be modified
  using regedit.

Jean-Baptiste Marchand
-- 
Jean-Baptiste.Marchandat_private
Hervé Schauer Consultants
http://www.hsc.fr/

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
This archive was generated by hypermail 2b30 : Mon Jun 30 2003 - 08:37:30 PDT
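An added example, not from the post or the archive: a small Python triage helper for 560 events that parses the event description, expands the numeric Access Mask into the rights the Accesses field prints (0x120196 decodes to exactly the seven rights listed in the scheduled-task event above, 0x2 on a key to "Set key value"), and flags opens of the two default-SACL objects the post names so they can be filtered out of the remaining object-access audit. The right-name tables and the sample event texts are constructed here; the C:\WINDOWS\Tasks\ path and the Eventlog\Security key are taken from the post.

```python
import re
# Access-right bits, named as the 560 event's "Accesses" field prints them (generic
# rights from winnt.h, then the file- and registry-key-specific rights).
GENERIC = {0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
           0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE", 0x1000000: "ACCESS_SYSTEM_SECURITY"}
SPECIFIC = {
    "File": {0x1: "ReadData (or ListDirectory)", 0x2: "WriteData (or AddFile)",
             0x4: "AppendData (or AddSubdirectory or CreatePipeInstance)",
             0x8: "ReadEA", 0x10: "WriteEA", 0x20: "Execute/Traverse",
             0x40: "DeleteChild", 0x80: "ReadAttributes", 0x100: "WriteAttributes"},
    "Key": {0x1: "Query key value", 0x2: "Set key value", 0x4: "Create sub-key",
            0x8: "Enumerate sub-keys", 0x10: "Notify about changes to keys"},
}
# Objects the post reports as carrying a SACL out of the box on Windows Server 2003.
DEFAULT_SACL_OBJECTS = [
    ("File", re.compile(r"^c:\\windows\\tasks\\", re.I)),
    ("Key", re.compile(r"^\\registry\\machine\\system\\controlset\d+\\services\\eventlog\\security$", re.I)),
]
FIELD = re.compile(r"\s*([A-Za-z ]+?):\s*(.*?)\s*$")   # one "Name: value" line of the description

def decode_access_mask(mask, object_type):
    """Expand a 560 'Access Mask' into right names, generic rights first."""
    spec = SPECIFIC.get(object_type, {})
    names = [n for b, n in GENERIC.items() if mask & b]
    names += [n for b, n in sorted(spec.items()) if mask & b]
    unknown = mask & ~(sum(GENERIC) | sum(spec))   # bits outside both tables
    return names + (["unknown bits 0x%x" % unknown] if unknown else [])

def parse_560(description):
    """Turn the 'Field: value' lines of a 560 description into a dict."""
    matches = (FIELD.match(line) for line in description.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def triage(description):
    """Return (fields, decoded rights, True if the object is one of the default-SACL objects)."""
    f = parse_560(description)
    rights = decode_access_mask(int(f.get("Access Mask", "0"), 16), f.get("Object Type"))
    noise = any(f.get("Object Type") == t and p.match(f.get("Object Name", ""))
                for t, p in DEFAULT_SACL_OBJECTS)
    return f, rights, noise

# Constructed samples, abbreviated from the two events quoted in the post.
TASK_EVENT = r""" Object Type: File
 Object Name: C:\WINDOWS\Tasks\At1.job
 Image File Name: C:\WINDOWS\system32\svchost.exe
 Access Mask: 0x120196"""
KEY_EVENT = r""" Object Type: Key
 Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
 Image File Name: C:\WINDOWS\system32\mmc.exe
 Access Mask: 0x2"""
```

An event whose object is not in DEFAULT_SACL_OBJECTS comes back with noise False and its decoded rights, which is the set a reviewer actually wants to look at.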