Posted by msnews mvp on May 18, 2007, 4:33 pm
If you mean that accesses to the explorer.exe file are generating object access
event messages, then you probably need to examine the DACL on that file.
> Great post, but still having some issues. I went through and created a
> security template to just modify the SACLs on c:\Temp and did not specify
> any other locations. In that same template I also enabled GPO Computer
> Configuration->Windows Settings->Local Policies->Audit Policy and modified
> "Audit Object Access" to Success and "Audit Privilege Use" to Success. I
> am trying to keep the Security Log as clean as possible, but I am still
> getting ridiculous amounts of object access events from c:\Windows\explorer
> even though I am trying not to audit any of those directories. Any ideas on
> why I am getting all the extra events?
>
> "Roger Abell [MVP]" wrote:
>
>>
>> > Hi guys,
>> >
>> > I am hoping anyone that is doing enterprise auditing can help out with
>> > this one. We have a new project and it can really be broken down into 3
>> > objectives:
>> >
>> > First - Use auditing to monitor the modification and deletion of files
>> > on workstations/servers
>> > Second - Try to keep security logs as clean as possible by auditing
>> > only certain folders and only the create/write data successes and
>> > delete success events.
>> > Third - Find a way through script or GPO to roll this out to all of our
>> > workstations/servers
>> >
>> > When I manually take a certain directory and audit with just successful
>> > delete & create/write data it seems to work pretty well and not
>> > generate too much other garbage.
>> >
>>
>> OK, so I will not give the song and dance about getting all sorts of
>> extra stuff as users work, temp files, etc. but will take this as your
>> saying you have some audit settings you can live with.
>>
>> > 1 - Is there a command line way to apply auditing that I could put in a
>> > script? (I do not think CACLS will do it)
>> >
>>
>> Cacls only does DACLs, not SACLs. The same is true for xcacls
>> and xcacls.vbs, but the last is provided in source (doh, .vbs right)
>> and recoding to do SACLs is possible following the example code
>> that is there for the DACLs.
>>
>> IIRC SetAcl and FileAcls do handle SACLs - but you would be
>> better off doing this with GPO.
>>
>>
>> > I am trying to use GPO to do it, but see 2 huge problems. First is I
>> > can not get it to work. I have enabled GPO Computer Configuration->Windows
>> > Settings->Local Policies->Audit Policy and modified "Audit Object Access"
>> > to Success and "Audit Privilege Use" to Success and rebooted workstation
>> > and they are getting and applying the GPO (verified with gpresult) but
>> > they are not auditing file changes like they should.
>> >
>>
>> Well, that enabled auditing of objects, but you do still need to name
>> which objects should be audited for what, right? Or, are you saying
>> that you have set the NTFS auditing (i.e. the SACLs).
>>
>> > 2 - Is there anything I am missing there?
>> >
>>
>> above
>>
>> > 3 - If I do use GPO is there any way to narrow down the level of
>> > auditing to just get results for deleting/modifying files similar to
>> > the way you can when you do it manually?
>> >
>>
>> Yes. In a GPO or security template there is a Filesystem section.
>> If you only want to set the auditing (SACL) and not the permissions
>> (DACL) then you cannot do this directly, but you can do it. If both
>> should be set then just use a GPO and define where to set both the
>> permissions and auditing and set it to replace (so it inherits on down
>> from that/those points). It may however be more convenient to set
>> an inheritable SACL at the very top, letting it inherit to all even
>> though parts of that "all" have different permissions (DACLs).
>>
>> To set only the SACL you need to use the Security Templates
>> MMC snapin. Define a new, empty template, in the filesystem
>> section define the root area, and then edit the security. Do not
>> pay much attention to the permissions part, it will be deleted.
>> Access the Audit area and define what you want to generate an
>> audit record. Save the template, which will be a plain old text
>> file with .inf extension. Open the template in notepad. Find the
>> line starting with the path you defined. Look at the long SDDL
>> that encodes the permissions and auditing. The part that starts
>> with D:( is the DACL, the part that starts with S:( is the SACL.
>> Delete all of the DACL and save.
>>
>> You then have a template, which you can import into a GPO.
>> You can edit that template to name a different path as needed
>> for importing to a different GPO that will target other machines
>> where the storage of concern is at a different location.
>>
>> You probably should look up SDDL in the MSDN docs to help
>> you see what is what in the SDDL encoding.
>>
>> > 4 - Is there anyone else out there doing something similar through a
>> > 3rd party product they would recommend?
>>
>> Keep an eye on the System Center product set MS is rolling out.
>>
>> Roger
>>
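As an added example (not from anyone in this thread), here is a Python script that performs the notepad edit Roger describes on a saved .inf template: it splits the SDDL on each [File Security] line into its O:, G:, D: and S: components, drops the D: (permissions) part and keeps the S: (auditing) part. The `"path",mode,"SDDL"` line layout is assumed from how the Security Templates snap-in writes the section, and the sample template and its ACEs are constructed for illustration.

```python
import re
from typing import Dict

# Constructed sample of a saved security template. The [File Security] line
# layout ("path",inheritance-mode,"SDDL") is assumed from the snap-in's output;
# the ACEs are illustrative (BA = Administrators, SY = SYSTEM, WD = Everyone).
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[File Security]
"C:\Temp",0,"D:AR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)S:AR(AU;OICISA;DCLCDTSDWDWO;;;WD)"
'''

# SDDL components start with O: (owner), G: (group), D: (DACL) or S: (SACL);
# ACE strings contain no colons, so a lookahead split on these tags is safe.
COMPONENT = re.compile(r'(?=[OGDS]:)')
FILE_SEC_LINE = re.compile(r'^("[^"]*"),(\d+),"([^"]*)"$')


def split_sddl(sddl: str) -> Dict[str, str]:
    """Map each SDDL component tag to its body, e.g. {'D': 'AR(...)', 'S': ...}."""
    return {chunk[0]: chunk[2:] for chunk in COMPONENT.split(sddl) if chunk}


def strip_dacl(sddl: str) -> str:
    """Drop the D:(...) permissions part, keep owner/group and the S:(...) audit part."""
    parts = split_sddl(sddl)
    if 'S' not in parts:
        raise ValueError("SDDL has no S: component; there is no SACL to keep")
    return ''.join(f"{tag}:{parts[tag]}" for tag in ('O', 'G', 'S') if tag in parts)


def rewrite_template(inf_text: str) -> str:
    """Rewrite every [File Security] entry so only auditing (SACL) remains."""
    out, in_file_security = [], False
    for line in inf_text.splitlines():
        if line.startswith('['):                      # section header
            in_file_security = line.strip().lower() == '[file security]'
        elif in_file_security:
            m = FILE_SEC_LINE.match(line)
            if m:
                path, mode, sddl = m.groups()
                line = f'{path},{mode},"{strip_dacl(sddl)}"'
        out.append(line)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(rewrite_template(SAMPLE_INF))
```

Run it against a template you saved from the snap-in and diff the output against the original before importing it into a GPO, so you can confirm that only the D:( part of each line was removed.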