NTBugtraq And NTSecurity Archives: Re: AuditBaseObjects set rev

Re: AuditBaseObjects set reveals Event 560 Object Access Audit when Taskmanager is running


From: Gary Kuyat (garyDIGISLE.NET)
Date: Thu Dec 09 1999 - 18:04:17 CST


I've received a few replies like this, so I'll just point out that no
SUCCESS auditing was enabled at all. The point of my comments was that
there is a security failure that routinely occurs when Taskman is running.
We only see it when base object auditing is on, but I believe it is still a
failure even without auditing.

This is the NT version of "if a tree falls in the woods, and nobody listens,
does it make a noise?"

Also, I can't find #Q14901

 - Gary Kuyat
   DI NT Syseng

...
> > I believe that this setting is also documented as causing large volumes of
> > log entries. However, now that I look, I can't find this anywhere in the
> > KB. My understanding is that this is the reason this isn't on by default,
> > and that you'd only turn it on to do specific debugging.
>
> I remember when I started looking into what I could audit under NT4, I
> turned on "file and object access" success and failure auditing and
> figured I wouldn't see any messages in my Security Log until I actually
> specified a file or directory to audit (in the object's security dialog).
> It turned out that my Security Log started filling up VERY quickly when I
> enabled this because certain "base system objects" would be audited
> whether I wanted them to be or not. I called Microsoft up and opened a
...

> Look at MSKB article #Q14901 and the "Managing Auditing of Particular
> Object" chapter in the NT Workstation 4.0 Resource Kit for more
> information on Base Object Auditing.
...



This archive was generated by hypermail 2b27 : Fri Dec 10 1999 - 12:53:26 CST