Last week, I mentioned that Vista had a neat new event (Event ID 4907) that told you when the SACL (e.g. the list of users/groups who generate security events *when they access* a file/folder/securable object) was changed. Well, there is another new event that you could say is the twin brother to Event ID 4907.
Event ID 4670 gets logged when anyone changes the DACL (Discretionary Access Control List) on a file, folder, or securable object. For more information on DACLs and SACLs, you can refer to this post below, but as a reminder, the DACL of a file/folder/object is the list of users/groups that *can access* or are *denied access* a file/folder. In other words, that file or folder's permissions.
Prior to Vista, you had to root around in the description field of Event ID 560 or 566/567 and check the Accesses granted to a user that touched a file to see if they could have (or actually did) change the permissions on a file. Now in Vista, Event ID 4670 will tell you immediately if the permissions get changed, who changed them, what they used to look like, and what they look like now. Here's a sample of how the event looks:
Permissions on an object were changed.
Subject:
Security ID: DOMAIN\Admin
Account Name: Admin
Account Domain: DOMAIN
Logon ID: 0x11b8ffd
Object:
Object Server: Security
Object Type: File
Object Name: C:\financials.txt
Handle ID: 0xf50
Process:
Process ID: 0x50c
Process Name: C:\Windows\explorer.exe
Permissions Change:
Original Security Descriptor: D:AI(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)
New Security Descriptor: D:ARAI(A;;0x1e01bf;;;WD)(A;ID;FA;;;BA)(A;ID;FA;;;SY)(A;ID;0x1200a9;;;BU)(A;ID;0x1301bf;;;AU)
So, you can see it looks a lot like its brother, Event ID 4907, even down to using the same SDDL strings to indicate the changes to user/groups who have permissions on the file. Very cool stuff.
Friday, June 1, 2007
Auditing Changes To Permissions (Event ID 4670)
Labels:
4670,
Auditing,
DACL,
Event ID 4670,
Permissions,
Security event log,
Vista
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment