Security Audit displays "Success" when it... Expand / Collapse
Author
Message
Posted 2/11/2010 6:11:50 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 2/16/2010 6:52:39 AM
Posts: 1, Visits: 1
I created an encrypted file as an Administrator and then as another user later I logged on and tried to open the file.  I got an "Access Denied" error but to my surprise the security log for #565 showed the type "Success Audit."  I don't know why I had a positive entry.

More specifically, I had the Administrator log onto a Virtual Server (Windows 2003) and left it open.   Then I logged on as another test user using remote desktop.  I could not see the security log as that user since I did not have permissions.  (I looked into that but couldn't seem to find the settings that would give the test user a way to see the security log.  How do I do that?)

Anyway, I looked later in the Administrator's Virtual PC and I saw the security log indicate a successful logon.  What is going on?  Why is it wrong about a failure?

Thanks!

Post #305
Posted 2/16/2010 3:40:23 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Where do I begin? 

1. 565 is not an Object Access event - it is a Directory Service access event

2. Windows doesn't log attempts to open a file unless you enable Object Access auditing AND enable auditing for that file

3. Since trying to open an EFS encrypted file is not a permissions failure I'm not sure #2 would log an event anyway

4. As to logon events, please see my free webinars on the subject at www.ultimatewindowssecurity.com/webinars

Post #306
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 9:27pm