
How to audit Windows 2003 folder security setting change?

Posted by James Pang on January 5, 2006, 10:13 pm
The folder security is always changed by somebody, somehow. I need to know when
and who. Is there a way I can do it?



Posted by Steven L Umbach on January 5, 2006, 10:30 pm
First use Local Security Policy [secpol.msc] or the domain/OU Group Policy
that enforces that setting or auditing of object access. Then configure
auditing on the folders you want to track the changes of for the users/group
and then for "change permissions" and look in the security log for object
access events, particularly event ID 560, that refer to the folder in
question for change permission. If the user is system then a
startup/shutdown Group Policy script, AT scheduled task, Group Policy file
system, or some other process using system could be changing the
permissions. Below is an example I just created on my computer. Note the
object name is a folder called log on drive E. Under accesses note
WRITE_DAC which most likely means write discretionary access control. I did
change permissions on that folder. You can use the free Event Comb from
Microsoft to help narrow the search by, for instance, searching for event ID
560 and text string WRITE_DAC. The links below explain more. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://support.microsoft.com/default.aspx?scid=kb;en-us;308471 -- Event Comb


Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 1/5/2006
Time: 9:22:27 PM
User: STEVE-XP\Steve <<<<<<<<<<
Computer: STEVE-XP
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: E:\log <<<<<<<<<<<<
Handle ID: 2204
Operation ID:
Process ID: 1204
Image File Name: D:\WINDOWS\explorer.exe
Primary User Name: Steve
Primary Domain: STEVE-XP
Primary Logon ID: (0x0,0x1F85E4)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
WRITE_DAC <<<<<<<<<<<
ReadAttributes

Privileges: -
Restricted Sid Count: 0


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


> The folder security is always changed by somebody, somehow. I need to know when
> and who. Is there a way I can do it?
>
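The search Steve describes (event ID 560 plus the text WRITE_DAC, limited to one folder), as an added example that is not part of the original thread: a Python filter over Security-log events exported as text in the layout shown above. The export layout, the second sample event and the function names are assumptions made for the example.

```python
import re
# Constructed sample in the layout of the event quoted above (not real log data).
SAMPLE = r"""
Event Type: Success Audit
Event ID: 560
Date: 1/5/2006
Time: 9:22:27 PM
User: STEVE-XP\Steve <<<<<<<<<<
Object Name: E:\log
Image File Name: D:\WINDOWS\explorer.exe
Accesses: READ_CONTROL
WRITE_DAC <<<<<<<<<<<

Event Type: Success Audit
Event ID: 560
Date: 1/5/2006
Time: 9:40:11 PM
User: NT AUTHORITY\SYSTEM
Object Name: E:\logs2
Image File Name: D:\WINDOWS\system32\svchost.exe
Accesses: WRITE_DAC
"""

def parse_events(text):
    """One dict per event; the multi-line Accesses field becomes a list."""
    events = []
    for block in re.split(r"(?m)^Event Type:", text)[1:]:
        ev, in_acc = {"Accesses": []}, False
        for raw in block.splitlines():
            line = raw.split("<<<")[0].strip()  # drop hand-added highlight markers
            key, sep, val = line.partition(":")
            if in_acc and line:                 # continuation line of Accesses
                ev["Accesses"].append(line)
            else:                               # a blank line ends the Accesses list
                in_acc = sep == ":" and key == "Accesses"
                if sep:
                    ev[key] = [val.strip()] if in_acc else val.strip()
        events.append(ev)
    return events

def permission_changes(events, folder):
    """(date, time, user, process) of 560 events with WRITE_DAC on folder or below."""
    root = folder.rstrip("\\").lower() + "\\"   # trailing "\" keeps E:\logs2 out of E:\log
    return [(e.get("Date"), e.get("Time"), e.get("User"), e.get("Image File Name"))
            for e in events
            if e.get("Event ID") == "560" and "WRITE_DAC" in e["Accesses"]
            and (e.get("Object Name", "").lower() + "\\").startswith(root)]

print(permission_changes(parse_events(SAMPLE), r"E:\log"))
```

Event 560 records a handle opened with WRITE_DAC access, so a hit identifies who opened the folder with the right to change permissions and when, not what the new permissions are.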



Posted by James Pang on January 9, 2006, 8:20 pm
I tried it; it works on my XP computer. But on the Windows 2003 PDC it does not work.
No 560 event at all.





Posted by Steven L Umbach on January 10, 2006, 7:34 pm
It should work. You have to make sure the auditing of object access is
enabled for success first in Domain Controller Security Policy and you may
need to reboot the domain controller. -- Steve

> I tried it; it works on my XP computer. But on the Windows 2003 PDC it does not work.
> No 560 event at all.


