Setting Audit Permissions Differently for Each User

Posted by Will on December 26, 2006, 3:12 pm
So far I have used the auditing features in NTFS by specifying rules for
reserved user Everyone, just to make the rules simple to specify. Is
there a way I could specify one rule for SYSTEM, another rule for every
other user? In other words, if you have multiple users or groups in your
audit list, and then a catch all for Everyone, how does Windows process
those rules?

--
Will



Posted by Jesper on December 26, 2006, 4:04 pm
Let's deal with the simple question first:

If there are several access control list (ACL) entries (ACEs) in the system
ACL (SACL, i.e. the audit ACL), the system will process all of them for each
access. It is basically an access check. If the group specified in the ACE is
present in the user's token AND the access request contains at least one of
the audited actions, then (at least one) audit event gets logged.

In other words, no, if you use Everyone as a catch-all, it will cause every
access to get audited, for every user. If you want to audit differently for
SYSTEM and everyone else you would need to either live with the two events
for access by SYSTEM, or create a special group that contains every other
user and ensure they are all in there. That turns out to be very hard because
there are many "special" users that you may not see in the standard tools.

"Will" wrote:

> So far I have used the auditing features in NTFS by specifying rules for
> reserved user Everyone, just to make the rules simple to specify. Is
> there a way I could specify one rule for SYSTEM, another rule for every
> other user? In other words, if you have multiple users or groups in your
> audit list, and then a catch all for Everyone, how does Windows process
> those rules?
>
> --
> Will
>
>
>

Posted by Will on December 30, 2006, 9:08 pm
> Let's deal with the simple question first:
>
> If there are several access control list (ACL) entries (ACEs) in the system
> ACL (SACL, i.e. the audit ACL), the system will process all of them for each
> access. It is basically an access check. If the group specified in the ACE is
> present in the user's token AND the access request contains at least one of
> the audited actions, then (at least one) audit event gets logged.
>
> In other words, no, if you use Everyone as a catch-all, it will cause every
> access to get audited, for every user. If you want to audit differently for
> SYSTEM and everyone else you would need to either live with the two events
> for access by SYSTEM, or create a special group that contains every other
> user and ensure they are all in there. That turns out to be very hard because
> there are many "special" users that you may not see in the standard tools.

It's interesting, but your post showed up on Microsoft's news server and
never got distributed to the wider USENET. You may want to review how your
posts here are going up, because I would never have seen this had Roger not
alluded to it.

Can you give me a few examples of the special users you are referring to?

--
Will



Posted by Roger Abell [MVP] on December 30, 2006, 2:24 am
Hi Will,

Jesper is quite correct in his response.

You may be able to accomplish this objective more simply than by
defining a group with all accounts except System, however, if
your users are members of Users (or of Domain Users and hence
of Users).

I notice that System does not have Users in its token but does
have Authenticated Users, Administrators, and Everyone.

Now, for this to work, you would need to have Interactive and
Authenticated Users removed from Users (I routinely remove
Interactive and Authenticated Users from Users anyway).

So, if you just either made sure that each individual admin account
was member of Users (or Domain Users), or if you defined a group
that mirrored Administrators, and used these in place of Everyone
then you would not be auditing for System via those and could
avoid the duplications Jesper indicated.

Roger
> So far I have used the auditing features in NTFS by specifying rules for
> reserved user Everyone, just to make the rules simple to specify. Is
> there a way I could specify one rule for SYSTEM, another rule for every
> other user? In other words, if you have multiple users or groups in your
> audit list, and then a catch all for Everyone, how does Windows process
> those rules?
>
> --
> Will
>
>



Posted by Will on December 30, 2006, 9:16 pm
> Hi Will,
>
> Jesper is quite correct in his response.
>
> You may be able to accomplish this objective more simply than by
> defining a group with all accounts except System, however, if
> your users are members of Users (or of Domain Users and hence
> of Users).
>
> I notice that System does not have Users in its token but does
> have Authenticated Users, Administrators, and Everyone.

How do you enumerate the user groups that SYSTEM belongs to?


> Now, for this to work, you would need to have Interactive and
> Authenticated Users removed from Users (I routinely remove
> Interactive and Authenticated Users from Users anyway).
>
> So, if you just either made sure that each individual admin account
> was member of Users (or Domain Users), or if you defined a group
> that mirrored Administrators, and used these in place of Everyone
> then you would not be auditing for System via those and could
> avoid the duplications Jesper indicated.

I've never been crazy about Authenticated Users as a concept, as it embraces
too many totally different things and just makes it harder to figure out
what is or is not controlled in an ACL.

The only problem in your approach is you would need to think through what
other kinds of access were previously covered by Authenticated Users and
provide for those another way. For example, Domain Computers, Domain
Controllers, Computers from Trusted domains, etc.

It would sure be nice if Microsoft would publish a way to build a
comprehensive list of all entities that might interact with a computer so we
could control at that level when we want to.

--
Will
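The exchange above can be checked with a small model of SACL evaluation. The following is an added example, not code from any of the posters or from Windows: it implements the rule Jesper describes (an audit ACE fires when its trustee is in the token and at least one audited right is requested, one event per matching ACE), applies Roger's observation that SYSTEM holds Authenticated Users, Administrators and Everyone but not Users, and then shows Will's caveat that a domain computer account loses coverage once Authenticated Users is removed from Users. All principal names, group lists, nesting and access-mask bits are constructed for the example; the "Users contains Authenticated Users and Interactive" nesting is taken from Roger's description.

```python
"""Toy model of SACL (audit ACL) evaluation for this thread.

Constructed example: names, token group lists and mask bits are made up,
and "one audit event per matching ACE" follows Jesper's description,
simplified. This is not Windows code and not any poster's code.
"""
from dataclasses import dataclass

# Constructed access-mask bits for the example (not the real NTFS values).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class AuditAce:
    trustee: str   # user or group the audit ACE names
    mask: int      # access rights whose use is audited


# Default nesting of well-known groups in the local Users group, as Roger
# describes it: Users contains Authenticated Users and Interactive.
DEFAULT_NESTING = {"Users": {"Authenticated Users", "Interactive"}}


def effective_groups(direct, nesting):
    """Expand nested membership: a principal is in group G if it holds any
    member of G. Repeats until stable so chains of nesting resolve."""
    groups = set(direct)
    changed = True
    while changed:
        changed = False
        for group, members in nesting.items():
            if group not in groups and groups & members:
                groups.add(group)
                changed = True
    return frozenset(groups)


def audit_events(sacl, principal, token_groups, requested):
    """Audit ACEs that fire for one access request, per Jesper's reply:
    the trustee must be in the token AND at least one audited right must
    be among the requested rights. Returns the trustee of each ACE that
    matched, i.e. one entry per audit event this model would log."""
    in_token = set(token_groups) | {principal}
    return [ace.trustee for ace in sacl
            if ace.trustee in in_token and requested & ace.mask]


# Constructed tokens: direct memberships only, before nesting is applied.
SYSTEM_DIRECT = {"Authenticated Users", "Administrators", "Everyone"}
ALICE_DIRECT = {"Users", "Authenticated Users", "Interactive", "Everyone"}
WORKSTATION_DIRECT = {"Domain Computers", "Authenticated Users", "Everyone"}

# Will's original SACL: a SYSTEM rule plus an Everyone catch-all.
SACL_EVERYONE = [AuditAce("SYSTEM", WRITE), AuditAce("Everyone", WRITE | DELETE)]
# Roger's alternative: Users in place of Everyone.
SACL_USERS = [AuditAce("SYSTEM", WRITE), AuditAce("Users", WRITE | DELETE)]


def scenario(sacl, nesting):
    """Count audit events for a WRITE by SYSTEM, a user and a domain computer."""
    return {
        name: len(audit_events(sacl, name, effective_groups(direct, nesting), WRITE))
        for name, direct in (("SYSTEM", SYSTEM_DIRECT),
                             ("alice", ALICE_DIRECT),
                             ("WKSTN1$", WORKSTATION_DIRECT))
    }


if __name__ == "__main__":
    # Everyone catch-all: SYSTEM matches both ACEs (two events).
    print("Everyone catch-all:      ", scenario(SACL_EVERYONE, DEFAULT_NESTING))
    # Users instead of Everyone, but Authenticated Users still nested in Users:
    # SYSTEM reaches Users through Authenticated Users, still two events.
    print("Users, default nesting:  ", scenario(SACL_USERS, DEFAULT_NESTING))
    # Authenticated Users and Interactive removed from Users (Roger's setup):
    # SYSTEM gets one event, but the computer account is no longer audited.
    print("Users, nesting removed:  ", scenario(SACL_USERS, {"Users": set()}))
```

The last scenario is the trade-off Will raises: once Users no longer contains Authenticated Users, any principal that was only reachable through Authenticated Users (here the constructed computer account) falls out of the audit rule and needs its own ACE. On a real system, the group list that this model hard-codes for each token is what `whoami /groups` prints for the account it is run as.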


