Posted by RJ on April 7, 2006, 7:03 am
Great Info ... Thank you very much!
It is a little more convoluted than I hoped for, but it should do the trick.
> You could enable auditing of object access and then audit the registry key for that adapter for success for set key value, and object access events such as 560, 562, and 567 will show in the security log when that happens. It will not show what value was changed, though it would show a user name [could be system or both] and the times that it happened.
> Below is what you could expect to find when a value is changed; note the three events have the same timestamp and handle ID and should be looked at as a set. The computer will need to be rebooted after enabling auditing on a registry key [from what my experience shows] for it to start working. Audit under currentcontrolset.
> You can use the free Event Comb from Microsoft to parse security logs for event IDs and text strings. In this case such a text string could be Access Mask: Set key value. That may give you something to start with. You can use the command net config server to find the adapter ID as it appears in the registry, shown under Object Name in Event ID 560 below.
> It may also help to enable auditing of process tracking to see if you can find a process that started at a time just before the registry change that could be responsible for the change, if it was not done by user interaction. You will need to increase the size of your security log quite a bit from default settings if you have not done so yet. I would also check the servers for any apparent rogue processes running with free tools from SysInternals such as Process Explorer, and do malware scans if you have not done so lately.
> --- Steve
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 4/6/2006
> Time: 9:34:43 PM
> User: STEVE-XP\Steve
> Computer: STEVE-XP
> Description:
> Object Open:
> Object Server: Security
> Object Type: Key
> Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\
> Handle ID: 1600
> Operation ID:
> Process ID: 1404
> Image File Name: D:\WINDOWS\explorer.exe
> Primary User Name: Steve
> Primary Domain: STEVE-XP
> Primary Logon ID: (0x0,0xD7FA)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses: READ_CONTROL
> Set key value
> Create sub-key
>
> Privileges: -
> Restricted Sid Count: 0
>
>
> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>
>
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 567
> Date: 4/6/2006
> Time: 9:34:43 PM
> User: STEVE-XP\Steve
> Computer: STEVE-XP
> Description:
> Object Access Attempt:
> Object Server: Security
> Handle ID: 1600
> Object Type: Key
> Process ID: 1404
> Image File Name: D:\WINDOWS\explorer.exe
> Access Mask: Set key value
>
>
>
> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
> Event Type: Success Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 562
> Date: 4/6/2006
> Time: 9:34:43 PM
> User: STEVE-XP\Steve
> Computer: STEVE-XP
> Description:
> Handle Closed:
> Object Server: Security
> Handle ID: 1600
> Process ID: 1404
> Image File Name: D:\WINDOWS\explorer.exe
>
>
> For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
>
>> Can you track changes to the IP address / subnet mask / gateway, etc.
>> on a Win2003 server? Is there an auditing setting that will do this, and would it show
>> up in Event Viewer?
>>
>> We have some servers on which the subnet mask is getting changed
>> (static IP addresses), and we need to track down what is causing/doing this.
>>
>> Thanks.
>>
>>
>
>
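Added example, not part of the thread and written in Python instead of with Event Comb: it parses exported Security log text in the Field: value layout quoted above, groups 560/567/562 events by handle ID and timestamp as Steve describes, and reports only the sets whose 567 shows Access Mask: Set key value on a key under Tcpip\Parameters\Interfaces. The sample events, the second read-only open, and the adapter GUID placeholder are constructed for the demonstration.

```python
import re

# Constructed sample in the exported-text layout the thread shows (fields trimmed,
# adapter GUID a placeholder): handle 1600 is a write, handle 1601 a read-only open.
SAMPLE_LOG = r"""
Event ID: 560
Time: 9:34:43 PM
User: STEVE-XP\Steve
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ADAPTER-GUID-PLACEHOLDER}
Handle ID: 1600
Image File Name: D:\WINDOWS\explorer.exe

Event ID: 567
Time: 9:34:43 PM
Handle ID: 1600
Access Mask: Set key value

Event ID: 562
Time: 9:34:43 PM
Handle ID: 1600

Event ID: 560
Time: 9:35:10 PM
User: STEVE-XP\Steve
Object Name: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{ADAPTER-GUID-PLACEHOLDER}
Handle ID: 1601
Image File Name: D:\WINDOWS\svchost.exe
"""

def parse_events(text):
    """One dict of 'Field: value' pairs per blank-line-separated event."""
    return [dict(l.split(": ", 1) for l in b.splitlines() if ": " in l)
            for b in re.split(r"\n\s*\n", text.strip())]

def find_key_writes(text, key_fragment="\\Tcpip\\Parameters\\Interfaces\\"):
    """Group events by (Handle ID, Time), as the thread advises, and keep only the
    sets whose 567 reports 'Set key value' against a key under key_fragment."""
    groups = {}
    for ev in parse_events(text):
        groups.setdefault((ev["Handle ID"], ev["Time"]), {})[ev["Event ID"]] = ev
    hits = []
    for (handle, time), by_id in groups.items():
        opened, written = by_id.get("560"), by_id.get("567")
        if (not opened or not written or written.get("Access Mask") != "Set key value"
                or key_fragment not in opened.get("Object Name", "")):
            continue  # read-only handle, or a write outside the TCP/IP interface keys
        hits.append({"time": time, "handle": handle, "user": opened["User"],
                     "process": opened["Image File Name"],
                     "key": opened["Object Name"], "closed": "562" in by_id})
    return hits
```

The 560 event carries the user, process and key name, while the 567 carries the write; joining them on handle ID and timestamp is what turns three separate log entries into one attributable change.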