Posted by Roger Abell [MVP] on September 18, 2007, 12:56 am
> OK, thanks for confirming that. I think I can tell from these two that
> JoeSchmoe is the one that made the change, and at what time. Is there
> anything in these messages that tell me what change he made?
>
> For example, Joe was supposed to add a user with access to this directory.
> And Joe says that is what he did at the time the event was audited.
> However, there were also other users/groups that had access at the time,
> and now they no longer have access.
>
> So, is there anything in here that tells me that one user was added, while
> three others were deleted? Or possibly just what change was made? Or is
No and no, the details of the change are not recorded in the event log.
> just proving that a change was made the best that I can do?
Best with the event log and your strategy/change control.
If only groups are used to grant permissions, one can audit
account management actions, and these do record what was
changed (added/removed) about the group and by whom.
So, if your resources are ACL'd only with resource groups
for the different kinds of accesses, and these resource groups
are what is manipulated to alter who has what, then you can
use the event logs to determine
a) if there is a change to the ACLing of the resources (should
be an uncommon action once resources are set up with the
grants via the resource groups) and who made the change
b) what accounts were added to / removed from access to
resources by events showing who changed what membership
in which resource groups.
This approach has other benefits, such as not needing to visit
the actual resources to change the ACLs on them in order to
make changes in accesses granted.
Roger
>
>
> "Roger Abell [MVP]" wrote:
>
>> Your answer is within the last event log message you posted.
>> Successful object access for
>> Accesses: WRITE_DAC
>> DAC is the first part of dacl, the discretionary access control list,
>> and the event says it was successfully written.
>> That you obtained the event msg shows that you have successfully
>> set up the two parts needed for filesystem auditing, turning it on
>> > Audit Object Access - Success, Failure
>> and defining a sacl, a security access control list, on the filesystem
>> objects to be, and for the types of access, audited.
>> The WMI eventlog provider can make reading/querying logs for
>> specific events relatively easy once you know the indexed properties'
>> values that you are after.
>>
>> --
>> Roger
>>
>> >I need to be able to determine with certainty who made a change to a
>> > directory, and what the change was.
>> >
>> > Here is the situation: I have some directories where the permissions were
>> > changed, causing all kinds of problems until they were fixed back to their
>> > correct settings. I am pretty confident that I know what directory,
>> > approximately what time, and who - I just need to be able to prove it.
>> >
>> > We do have auditing turned on with these settings:
>> > Audit Account Logon events - Success, Failure
>> > Audit Account Management - Failure
>> > Audit Directory Service Access - Failure
>> > Audit Logon Events - Failure
>> > Audit Object Access - Success, Failure
>> > Audit Policy Change - Success, Failure
>> > Audit Privilege Use - Success, Failure
>> > Audit Process Tracking - Failure
>> > Audit System Events - Success, Failure
>> >
>> > I've done some playing around with creating directories, changing
>> > permissions, etc. and then looking to see what was logged. I do have Event
>> > ID 560, 567 and 576 events logged when I do these sorts of things. But I
>> > can't say I fully understand what is in the event. I was hoping for
>> > something like "User Joe added Group OfficeParty to G:\ABC with
>> > Read-Write-Delete permissions", but the events are a little more cryptic
>> > than that.
>> >
>> > So let's say I had a directory and deleted user XYZ and group ABC from the
>> > ACL - is there a way I can tell that this was done (and specifically tell
>> > that user XYZ was deleted, not just that some object was deleted)?
>> >
>> > Let's say I had a directory and added a user with List Folder and Write
>> > permissions (not Read) - what would the pattern be for that?
>> >
>> > These are pretty much always going to be done by somebody right-clicking on
>> > a network shared folder, going to the security tab, and then adding or
>> > removing users or groups there.
>> >
>> > Is there a way to replace one ACL with another, so that some IDs that had
>> > access before no longer have it, but there was never a DELETE object event
>> > logged?
>> >
>> > The server in question is Windows 2003 SP1.
>> >
>> > I have been using Event Comb MT, and I do have a saved copy of the Security
>> > Event Log that covers the time period in question.
>> >
>> > For example, I have an event like this. How can I tell what exactly user
>> > JoeSchmoe did on the G:\ABC\Junk directory on Server1?
>> >
>> > Event Type: Success Audit
>> > Event Source: Security
>> > Event Category: Object Access
>> > Event ID: 560
>> > Date: 9/13/2007
>> > Time: 9:51:38 PM
>> > User: MYDOMAIN\JoeSchmoe
>> > Computer: SERVER1
>> > Description:
>> > Object Open:
>> > Object Server: Security
>> > Object Type: File
>> > Object Name: G:\ABC\Junk
>> > Handle ID: 18852
>> > Operation ID:
>> > Process ID: 4
>> > Image File Name:
>> > Primary User Name: SERVER1$
>> > Primary Domain: MYDOMAIN
>> > Primary Logon ID: (0x0,0x3E7)
>> > Client User Name: JoeSchmoe
>> > Client Domain: MYDOMAIN
>> > Client Logon ID: (0x0,0x138FB0D5)
>> > Accesses: READ_CONTROL
>> > ReadAttributes
>> >
>> > Privileges: -
>> > Restricted Sid Count: 0
>> > Access Mask: 0x20080
>> >
>> > Or similarly for this one:
>> > Event Type: Success Audit
>> > Event Source: Security
>> > Event Category: Object Access
>> > Event ID: 567
>> > Date: 9/13/2007
>> > Time: 9:51:38 PM
>> > User: MYDOMAIN\JoeSchmoe
>> > Computer: SERVER1
>> > Description:
>> > Object Access Attempt:
>> > Object Server: Security
>> > Handle ID: 18852
>> > Object Type: File
>> > Process ID: 4
>> > Image File Name:
>> > Accesses: WRITE_DAC
>> >
>> > Access Mask: 0x40000
>> >
>> > Any help would be appreciated - Thanks!
>>
>>
>>
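The thread's practical point is that the 567 event proving WRITE_DAC carries no Object Name, so the path and the acting account have to come from the 560 event with the same Handle ID. The script below is an added example (not from the thread or from Roger's reply) that parses exported Windows 2003 Security event text, decodes the Access Mask bits, and pairs each WRITE_DAC 567 with the 560 that opened the handle. The sample log is constructed from the two events in the post plus invented extra events; the field names follow the posted event text, and treating event 562 as Handle Closed is an assumption taken from the standard 2003 object-access event set.

```python
import re

# Standard and file-specific ACCESS_MASK bits as Windows defines them.
# The masks in the thread decode to:
#   0x20080 -> ReadAttributes | READ_CONTROL (560, Object Open)
#   0x40000 -> WRITE_DAC                     (567, DACL actually written)
ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute", 0x40: "DeleteChild",
    0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
WRITE_DAC = 0x40000

def decode_access_mask(mask):
    """Return the names of the bits set in a Windows access mask."""
    names = [name for bit, name in sorted(ACCESS_BITS.items()) if mask & bit]
    unknown = mask & ~sum(ACCESS_BITS)
    if unknown:
        names.append("unknown(0x%x)" % unknown)
    return names

# "Field: value" lines as they appear in exported 2003 event text.
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split exported event text into one dict of fields per event."""
    events, current = [], None
    for line in text.splitlines():
        if line.strip().startswith("Event Type:"):
            current = {}
            events.append(current)
        m = FIELD_RE.match(line) if current is not None else None
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return events

def correlate_dacl_writes(events):
    """Pair each 567 that exercised WRITE_DAC with the 560 that opened the handle.

    Handle IDs are reused once a handle is closed, so the table is kept in
    log order and an entry is dropped on 562 (Handle Closed, assumed here).
    """
    open_handles, findings = {}, []
    for ev in events:
        eid, handle = ev.get("Event ID"), ev.get("Handle ID")
        if eid == "560":
            open_handles[handle] = ev
        elif eid == "562":
            open_handles.pop(handle, None)
        elif eid == "567":
            mask = int(ev.get("Access Mask", "0"), 16)
            if not mask & WRITE_DAC:
                continue
            opened = open_handles.get(handle, {})
            # Over the network the Primary user is the server (SERVER1$);
            # the Client fields name the account that actually acted.
            findings.append({
                "object": opened.get("Object Name", "<no matching 560>"),
                "user": opened.get("Client User Name") or ev.get("User"),
                "when": "%s %s" % (ev.get("Date"), ev.get("Time")),
                "accesses": decode_access_mask(mask),
            })
    return findings

# Constructed sample: the post's 560/567 pair (trimmed), a Handle Closed for
# that handle, and a 567 whose 560 lies outside the saved log.
SAMPLE_LOG = r"""
Event Type: Success Audit
Event ID: 560
Date: 9/13/2007
Time: 9:51:38 PM
User: MYDOMAIN\JoeSchmoe
Object Type: File
Object Name: G:\ABC\Junk
Handle ID: 18852
Primary User Name: SERVER1$
Client User Name: JoeSchmoe
Client Domain: MYDOMAIN
Accesses: READ_CONTROL
            ReadAttributes
Access Mask: 0x20080

Event Type: Success Audit
Event ID: 567
Date: 9/13/2007
Time: 9:51:38 PM
User: MYDOMAIN\JoeSchmoe
Handle ID: 18852
Accesses: WRITE_DAC
Access Mask: 0x40000

Event Type: Success Audit
Event ID: 562
Handle ID: 18852

Event Type: Success Audit
Event ID: 567
Date: 9/13/2007
Time: 9:52:10 PM
User: MYDOMAIN\OtherUser
Handle ID: 777
Access Mask: 0x40000
"""

if __name__ == "__main__":
    for finding in correlate_dacl_writes(parse_events(SAMPLE_LOG)):
        print(finding)
```

The second finding shows the failure mode to watch for with a saved log: a 567 whose 560 was rotated out, or that is an orphan, gives you the user and time but not the object, so keep the log window wide enough to include the open. As Roger says, neither event records what the DACL was changed to; this only proves who wrote it, on which object, and when.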