How to determine who changed permissions on a directory?

Posted by CJ in Buffalo on September 13, 2007, 10:58 pm
I need to be able to determine with certainty who made a change to a
directory, and what the change was.

Here is the situation: I have some directories where the permissions were
changed, causing all kinds of problems until they were fixed back to their
correct settings. I am pretty confident that I know what directory,
approximately what time, and who - I just need to be able to prove it.

We do have auditing turned on with these settings:
Audit Account Logon events - Success, Failure
Audit Account Management - Failure
Audit Directory Service Access - Failure
Audit Logon Events - Failure
Audit Object Access - Success, Failure
Audit Policy Change - Success, Failure
Audit Privilege Use - Success, Failure
Audit Process Tracking - Failure
Audit System Events - Success, Failure

I've done some playing around with creating directories, changing
permissions, etc. and then looking to see what was logged. I do have Event
ID 560, 567 and 576 events logged when I do these sorts of things. But I
can't say I fully understand what is in the event. I was hoping for
something like "User Joe added Group OfficeParty to G:\ABC with
Read-Write-Delete permissions", but the events are a little more cryptic than
that.

So let's say I had a directory and deleted user XYZ and group ABC from the
ACL - is there a way I can tell that this was done (and specifically tell
that user XYZ was deleted, not just that some object was deleted)?

Let's say I had a directory and added a user with List Folder and Write
permissions (not Read) - what would the pattern be for that?

These are pretty much always going to be done by somebody right-clicking on
a network shared folder, going to the security tab, and then adding or
removing users or groups there.

Is there a way to replace one ACL with another, so that some IDs that had
access before no longer have it, but there was never a DELETE object event
logged?

The server in question is Windows 2003 SP1.

I have been using Event Comb MT, and I do have a saved copy of the Security
Event Log that covers the time period in question.

For example, I have an event like this. How can I tell what exactly user
JoeSchmoe did on the G:\ABC\Junk directory on Server1?

Event Type:        Success Audit
Event Source:        Security
Event Category:        Object Access
Event ID:        560
Date:                9/13/2007
Time:                9:51:38 PM
User:                MYDOMAIN\JoeSchmoe
Computer:        SERVER1
Description:
Object Open:
        Object Server:        Security
        Object Type:        File
        Object Name:        G:\ABC\Junk
        Handle ID:        18852
        Operation ID:        
        Process ID:        4
        Image File Name:        
        Primary User Name:        SERVER1$
        Primary Domain:        MYDOMAIN
        Primary Logon ID:        (0x0,0x3E7)
        Client User Name:        JoeSchmoe
        Client Domain:        MYDOMAIN
        Client Logon ID:        (0x0,0x138FB0D5)
        Accesses:        READ_CONTROL
                        ReadAttributes
                        
        Privileges:        -
        Restricted Sid Count:        0
        Access Mask:        0x20080

Or similarly for this one:
Event Type:        Success Audit
Event Source:        Security
Event Category:        Object Access
Event ID:        567
Date:                9/13/2007
Time:                9:51:38 PM
User:                MYDOMAIN\JoeSchmoe
Computer:        SERVER1
Description:
Object Access Attempt:
        Object Server:        Security
        Handle ID:        18852
        Object Type:        File
        Process ID:        4
        Image File Name:        
        Accesses:        WRITE_DAC
                        
        Access Mask:        0x40000

Any help would be appreciated - Thanks!

Posted by Jon Holvoet on September 14, 2007, 10:25 am
You will never get a real clear reading out of it. But with a decent
understanding you can get far. I will quote one of my ancient posts, where
you might find some useful information.
I really advise this as a must-read if you want to really understand the
auditing events, and it will answer your questions below.

[quote]

I used the "Security Monitoring and Attack Detection Planning Guide" from
technet to implement and better understand this. A lot of reading, but a
real aid in determining what to monitor and what not.
The URL is :
http://www.microsoft.com/technet/security/guidance/auditingandmonitoring/securitymonitoring/default.mspx

And as an external source I can also advise
http://www.ultimatewindowssecurity.com/
They have the Windows Server 2003 Security log revealed, which is a great
work for a deeper understanding, and even offer multimedia training.
Bad part is, they aren't free, but the good part is, they are not expensive
at all.

First source should definitely get you started, and the second can be a
handy add-on if you want to dig deeper.
[/quote]

--

Jon Holvoet
MCSA / MCSE Security
Comptia Security+
CISSP


Posted by CJ in Buffalo on September 16, 2007, 9:24 pm
Thanks for the suggestions - I have obtained both documents and am reading
them now.

Posted by Roger Abell [MVP] on September 16, 2007, 12:58 am
Your answer is within the last event log message you posted.
Successful object access for
Accesses: WRITE_DAC
DAC is the first part of dacl, the discretionary access control list,
and the event says it was successfully written.
That you obtained the event msg shows that you have successfully
set up the two parts needed for filesystem auditing, turning it on
> Audit Object Access - Success, Failure
and defining a sacl, a security access control list, on the filesystem
objects to be, and for the types of access, audited.
The WMI eventlog provider can make reading/querying logs for
specific events relatively easy once you know the indexed properties'
values that you are after.

--
Roger
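Roger's pointer can be turned into a small script. As an added example (not code from the thread or from any Microsoft tool), the Python below reads events exported from Event Viewer as text, pairs each 567 that exercised WRITE_DAC with the 560 that opened the same Handle ID, and reports who wrote the DACL of which object and when; the sample log is constructed from the two events quoted above, and the field names assume the Server 2003 text layout CJ posted.

```python
import re
# Access-right bits shown in the "Access Mask" field of Server 2003 object
# access events (standard rights plus the file right seen in the thread).
ACCESS_BITS = {0x80: "ReadAttributes", 0x10000: "DELETE", 0x20000: "READ_CONTROL",
               0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}

def decode_mask(mask):
    """Expand a numeric access mask into the right names it contains."""
    return [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]

def parse_events(text):
    """Split exported Event Viewer text into one dict of 'Key: Value' fields per
    record; a line without a colon (the second 'Accesses' entry) continues the prior field."""
    events = []
    for chunk in re.split(r"\n(?=Event Type:)", text.strip()):
        fields, last = {}, None
        for line in (ln.strip() for ln in chunk.splitlines()):
            if ":" in line:
                last, value = (s.strip() for s in line.split(":", 1))
                fields[last] = value
            elif line and last:
                fields[last] += " " + line
        events.append(fields)
    return events

def dacl_changes(events):
    """Pair every 567 that exercised WRITE_DAC with the 560 that opened the same
    handle (Handle IDs are reused after a close, so the most recent 560 is kept)."""
    opens, changes = {}, []
    for ev in events:
        if ev.get("Event ID") == "560":
            opens[ev.get("Handle ID")] = ev
        elif ev.get("Event ID") == "567" and "WRITE_DAC" in ev.get("Accesses", ""):
            opened = opens.get(ev.get("Handle ID"))
            if opened is None:
                continue  # the matching 560 lies outside the exported log window
            # Over a share the Primary User is the server account (SERVER1$) and the
            # Client fields name the real caller; for local access the Client fields are "-".
            user, dom = opened.get("Client User Name", "-"), opened.get("Client Domain", "-")
            if user == "-":
                user, dom = opened.get("Primary User Name"), opened.get("Primary Domain")
            changes.append({"who": f"{dom}\\{user}", "object": opened.get("Object Name"),
                            "when": f"{ev.get('Date')} {ev.get('Time')}",
                            "rights_used": decode_mask(int(ev["Access Mask"], 16))})
    return changes

# Constructed sample: the two events quoted in the thread, trimmed to the
# fields the correlation uses (Event Viewer's tabs collapsed to single spaces).
SAMPLE_LOG = """\
Event Type: Success Audit
Event ID: 560
Date: 9/13/2007
Time: 9:51:38 PM
Object Open:
Object Name: G:\\ABC\\Junk
Handle ID: 18852
Primary User Name: SERVER1$
Primary Domain: MYDOMAIN
Client User Name: JoeSchmoe
Client Domain: MYDOMAIN
Accesses: READ_CONTROL
ReadAttributes
Access Mask: 0x20080

Event Type: Success Audit
Event ID: 567
Date: 9/13/2007
Time: 9:51:38 PM
Object Access Attempt:
Handle ID: 18852
Accesses: WRITE_DAC
Access Mask: 0x40000
"""
```

The pairing answers who, which object and when, but event 567 records only that WRITE_DAC was exercised: on Server 2003 neither event carries the old or new ACEs, so which principals were added or removed has to come from comparing an earlier ACL export against the current ACL.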


Posted by CJ in Buffalo on September 16, 2007, 9:28 pm
OK, thanks for confirming that. I think I can tell from these two that
JoeSchmoe is the one that made the change, and at what time. Is there
anything in these messages that tells me what change he made?

For example, Joe was supposed to add a user with access to this directory.
And Joe says that is what he did at the time the event was audited. However,
there were also other users/groups that had access at the time, and now they
no longer have access.

So, is there anything in here that tells me that one user was added, while
three others were deleted? Or possibly just what change was made? Or is
just proving that a change was made the best that I can do?

