
Re: AuditBaseObjects set reveals Event 560 Object Access Audit when Taskmanager is running


Subject: Re: AuditBaseObjects set reveals Event 560 Object Access Audit when Taskmanager is running
From: Jesse Aaron Safir (jesse_safirUNC.EDU)
Date: Tue Dec 07 1999 - 18:12:31 CST


On Tue, 7 Dec 1999, David LeBlanc wrote:

> At 12:10 AM 12/7/99 -0800, Gary Kuyat wrote:
> >In the TechNet article "Securing Windows NT 4.0 Installation" the following
> >entry appears:
> >
> >----
> >Auditing Base Objects
> >To enable auditing on base system objects, add the following key value to
> >the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa:
> [snip]
>
> >Once this entry is set, and Auditing "File and Object Access" failures is
> >enabled, bringing up the Task Manager will cause the following entry to
> >appear in the Security Log approximately once a second:
>
> I believe that this setting is also documented as causing large volumes of
> log entries. However, now that I look, I can't find this anywhere in the
> KB. My understanding is that this is the reason this isn't on by default,
> and that you'd only turn it on to do specific debugging.

I remember when I started looking into what I could audit under NT4, I
turned on "file and object access" success and failure auditing and
figured I wouldn't see any messages in my Security Log until I actually
specified a file or directory to audit (in the object's security dialog).
It turned out that my Security Log started filling up VERY quickly when I
enabled this because certain "base system objects" would be audited
whether I wanted them to be or not. I called Microsoft up and opened a
support incident to find out what part of the Registry I could tweak to
turn this off so I could audit ONLY the files and objects that I specified
for auditing. The answer I was given by Microsoft was that it is
IMPOSSIBLE to disable auditing of "base system objects" when "file and
object access" auditing is enabled. If I even opened User Manager for
Domains or Server Manager, I would get tons of EventID 560 and 562 entries
in my Security Log.

Look at MSKB article #Q14901 and the "Managing Auditing of Particular
Object" chapter in the NT Workstation 4.0 Resource Kit for more
information on Base Object Auditing.

This is one "feature" I would really like to be able to temporarily
disable in NT...

 ********************************************************
 * Jesse Aaron Safir, Chief NT Systems Engineer *
 * Network Consultants Group, AIS Distributed Computing *
 * 440 West Franklin Street, CB# 1150, UNC *
 * Chapel Hill, NC 27599, jesse.safirunc.edu *
 * 919-962-4720(w), 919-216-1605(p), 919-932-1079(h) *
 ********************************************************
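Two checks a defender would want after reading this thread, written here as an added example that is not part of the original message or of any Microsoft tooling: first, whether an exported Lsa key carries the AuditBaseObjects value that turns base-object auditing on, and second, how dense the Event 560/562 stream actually is, so the "roughly once a second" flood can be measured rather than eyeballed in Event Viewer. The REGEDIT4 fragment and the comma-separated log lines are constructed sample inputs; the function names and the "events per second" threshold are this example's own assumptions.

```python
"""Hypothetical helpers (not from the list thread) for NT4 base-object auditing:
- audit_base_objects_enabled(): parse a regedit export of the Lsa key and report
  whether AuditBaseObjects is set to a non-zero DWORD.
- base_object_rate() / is_audit_flood(): count Event 560 (Object Open) and 562
  (Handle Closed) records and compute their per-second rate.
"""
from datetime import datetime

# Security log event IDs the thread complains about (Object Access category).
BASE_OBJECT_EVENTS = {560, 562}

LSA_KEY = r"[hkey_local_machine\system\currentcontrolset\control\lsa]"

# Constructed sample: a REGEDIT4-style export of the Lsa key (NT4 format).
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"AuditBaseObjects"=dword:00000001
"""

# Constructed sample: Security log exported as "timestamp,event_id,source".
# Timestamps are made up to mimic one 560/562 pair per second.
SAMPLE_LOG = """\
1999-12-07 18:12:31,560,Security
1999-12-07 18:12:31,562,Security
1999-12-07 18:12:32,560,Security
1999-12-07 18:12:32,562,Security
1999-12-07 18:12:33,560,Security
1999-12-07 18:12:33,528,Security
1999-12-07 18:12:34,560,Security
1999-12-07 18:12:34,562,Security
"""


def audit_base_objects_enabled(reg_text):
    """Return True if the Lsa key in a regedit export sets AuditBaseObjects != 0."""
    in_lsa = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            # A new key header; only the Lsa key is of interest.
            in_lsa = line.lower() == LSA_KEY
        elif in_lsa and line.lower().startswith('"auditbaseobjects"='):
            value = line.split("=", 1)[1].strip()
            if value.lower().startswith("dword:"):
                return int(value[len("dword:"):], 16) != 0
            return False  # unexpected type; treat as not enabled
    return False


def parse_events(text):
    """Parse constructed 'timestamp,event_id,source' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, source = line.split(",", 2)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), source))
    return events


def base_object_rate(events):
    """Return (count, span_seconds, events_per_second) for 560/562 records.

    The span is counted in whole, inclusive seconds so a burst inside a single
    second still yields a finite rate.
    """
    hits = [ts for ts, event_id, _ in events if event_id in BASE_OBJECT_EVENTS]
    if not hits:
        return (0, 0.0, 0.0)
    span = (max(hits) - min(hits)).total_seconds() + 1.0
    return (len(hits), span, len(hits) / span)


def is_audit_flood(events, per_second_threshold=0.5):
    """True when 560/562 records arrive faster than the assumed threshold."""
    _, _, rate = base_object_rate(events)
    return rate > per_second_threshold


if __name__ == "__main__":
    print("AuditBaseObjects enabled:", audit_base_objects_enabled(SAMPLE_REG))
    count, span, rate = base_object_rate(parse_events(SAMPLE_LOG))
    print(f"{count} base-object events over {span:.0f}s = {rate:.2f}/s")
    print("flood:", is_audit_flood(parse_events(SAMPLE_LOG)))
```

The rate function deliberately ignores event 528 (a logon event) so that ordinary activity does not inflate the figure; in practice the threshold is tuned to the host, since the thread's point is that the noise comes from the setting itself and not from any file the administrator chose to audit.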



This archive was generated by hypermail 2b27 : Thu Dec 09 1999 - 11:14:20 CST