Hello,

The Windows security model allows access control and auditing on any
operating system object. Each object can be protected by a security
descriptor, which can contain a DACL (Discretionary Access Control List,
for access control) and a SACL (System Access Control List, for security
auditing). The list of securable objects is documented in MSDN:

http://msdn.microsoft.com/library/en-us/security/security/securable_objects.asp

Access to any object can be audited with a SACL. When access to an
audited object is requested, a 560 (or 565) event is logged in the
Security eventlog. For example, for a file object, a 560 event would
look like this:

    Object Open:
      Object Server: Security
      Object Type: File
      Object Name: C:\WINDOWS\Tasks\At1.job

For operating system objects, the _Object Server_ field is always
Security. The _Object Type_ field is one of the securable object types
and the _Object Name_ is specific to each object type. For a registry
key, a 560 event looks like this:

    Object Open:
      Object Server: Security
      Object Type: Key
      Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security

If you enable auditing of base objects (which is, most of the time, a
bad idea), you will see 560 events related to system object types (this
is because, when base objects auditing is enabled, some system objects
are created with a SACL):

    Object Open:
      Object Server: Security
      Object Type: Event
      Object Name: \BaseNamedObjects\crypt32LogoffEvent

    Object Open:
      Object Server: Security
      Object Type: Desktop
      Object Name: \Winlogon

    Object Open:
      Object Server: Security
      Object Type: Mutant
      Object Name: \BaseNamedObjects\RasPbFile

For each object type, the _Accesses_ field of 560 events gives the
textual description of the specific access mask for the object type.
For example, for an Event object, the _Accesses_ field can be:

    Accesses: DELETE
              READ_CONTROL
              WRITE_DAC
              WRITE_OWNER
              SYNCHRONIZE
              Query event state |
              Modify event state |

Now, the Windows security model can also be used by applications that
need access control and auditing on their own private objects. This
feature is typically described as private security. It is also
documented in MSDN:

http://msdn.microsoft.com/library/en-us/security/security/auditing_access_to_private_objects.asp

Windows itself uses this feature in some of its components. More
precisely, the following components use private security:

- Local Security Authority (appears as LSA in the _Object Server_ field
  of 560 events), supporting the following object types: PolicyObject,
  SecretObject, TrustedDomainObject, UserAccountObject
- SAM (Security Account Manager): SAM_SERVER (instance of the SAM),
  SAM_DOMAIN (represents a domain in SAM), SAM_GROUP (represents a group
  in SAM), SAM_ALIAS (represents an alias (local group) in SAM),
  SAM_USER (represents a user in SAM)
- Services Control Manager (SC Manager): SC_MANAGER (represents the SCM
  itself), SERVICE (instance of a service)
- Directory Service (DS): Directory Service
- Spooler (Spooler): Server, Printer, Document
- NetDDE object: DDE Share

All these private object types appear in the registry, under the
following registry key:

    Key: HKLM\SYSTEM\CCS\Services\Eventlog\Security\

If you wonder how DACL and SACL on these private objects can be
modified, the following tools can be used:

- samacl and lsaacl for LSA and SAM objects:
  http://razor.bindview.com/tools/desc/acltools1.0-readme.html
- the sdshow and sdset options of the sc command (W2K resource kit or
  Windows XP and Windows Server 2003) can be used to configure the
  security descriptor of each service.

Does anybody know of tools that can be used to configure security
descriptors of other private objects?
Jean-Baptiste Marchand
--
Jean-Baptiste.Marchandat_private
Hervé Schauer Consultants
http://www.hsc.fr/

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
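As an added example (not code from the post or from the tools it names), the following Python parses the text body of 560 "Object Open" events in the layout shown in the post and uses the rule given there (Object Server is always "Security" for operating system objects) to separate those from the private objects of the components the post lists. The sample events, the service name and the component-to-type table's use as a lookup are constructed assumptions for the example.

```python
# Added example, not from the post: parse 560 "Object Open" event text and
# separate operating-system objects from an application's private objects.
PRIVATE_OBJECT_TYPES = {  # object types the post lists for each component
    "LSA": {"PolicyObject", "SecretObject", "TrustedDomainObject", "UserAccountObject"},
    "SAM": {"SAM_SERVER", "SAM_DOMAIN", "SAM_GROUP", "SAM_ALIAS", "SAM_USER"},
    "SC Manager": {"SC_MANAGER", "SERVICE"},
    "DS": {"Directory Service"},
    "Spooler": {"Server", "Printer", "Document"},
    "NetDDE": {"DDE Share"},
}
SAMPLE = r"""Object Open:
 Object Server: Security
 Object Type: Event
 Object Name: \BaseNamedObjects\crypt32LogoffEvent
 Accesses: SYNCHRONIZE
  Query event state
  Modify event state
Object Open:
 Object Server: SC Manager
 Object Type: SERVICE
 Object Name: ExampleSvc
"""  # constructed sample in the post's layout; ExampleSvc is a made-up service

def parse_560_events(text):
    """One dict per 'Object Open:' block; 'Accesses' is a list, one right per line."""
    events, in_accesses = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Object Open:":
            events.append({"Accesses": []})
            in_accesses = False
        elif not events or not line:
            continue
        elif line.startswith("Accesses:"):      # first right may share the field line
            in_accesses = True
            events[-1]["Accesses"] += [v for v in [line[9:].strip()] if v]
        elif line.split(":", 1)[0] in ("Object Server", "Object Type", "Object Name"):
            key, value = line.split(":", 1)
            events[-1][key], in_accesses = value.strip(), False
        elif in_accesses:                       # continuation of a multi-line Accesses
            events[-1]["Accesses"].append(line)
    return events

def classify(event):
    """('os', None) when Object Server is 'Security' (always the case for OS objects);
    otherwise ('private', component) looked up from the object type, else the server."""
    if event.get("Object Server") == "Security":
        return ("os", None)
    otype = event.get("Object Type", "")
    return ("private", next((c for c, t in PRIVATE_OBJECT_TYPES.items() if otype in t),
                            event.get("Object Server", "unknown")))
```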
This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 15:34:09 PDT