4663 events showing up for files that have no...
Posted 8/9/2016 4:50:42 PM
Forum Newbie


Group: Forum Members
Last Login: 8/9/2016 4:28:19 PM
Posts: 2, Visits: 0
Hello,

I have an environment where we're setting up object access logging for files on a few servers.

I have the audit policies set based on this baseline config for Server 2008:

https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008

auditpol /set /subcategory:"Security State Change" /success:enable /failure:enable
auditpol /set /subcategory:"Security System Extension" /success:enable /failure:enable
auditpol /set /subcategory:"System Integrity" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Driver" /success:disable /failure:disable
auditpol /set /subcategory:"Other System Events" /success:disable /failure:enable
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Logoff" /success:enable /failure:enable
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"IPsec Main Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Quick Mode" /success:disable /failure:disable
auditpol /set /subcategory:"IPsec Extended Mode" /success:disable /failure:disable
auditpol /set /subcategory:"Special Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
auditpol /set /subcategory:"Network Policy Server" /success:enable /failure:enable
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable
auditpol /set /subcategory:"Kernel Object" /success:enable /failure:enable
auditpol /set /subcategory:"SAM" /success:disable /failure:disable
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
auditpol /set /subcategory:"Application Generated" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:disable /failure:disable
auditpol /set /subcategory:"File Share" /success:enable /failure:enable
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable
auditpol /set /subcategory:"Other Object Access Events" /success:disable /failure:disable
auditpol /set /subcategory:"Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Non Sensitive Privilege Use" /success:disable /failure:disable
auditpol /set /subcategory:"Other Privilege Use Events" /success:disable /failure:disable
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable
auditpol /set /subcategory:"Process Termination" /success:enable /failure:enable
auditpol /set /subcategory:"DPAPI Activity" /success:disable /failure:disable
auditpol /set /subcategory:"RPC Events" /success:enable /failure:enable
auditpol /set /subcategory:"Audit Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authentication Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"Authorization Policy Change" /success:enable /failure:enable
auditpol /set /subcategory:"MPSSVC Rule-Level Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Policy Change" /success:disable /failure:disable
auditpol /set /subcategory:"Other Policy Change Events" /success:disable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Computer Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Distribution Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Application Group Management" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Management Events" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Access" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Detailed Directory Service Replication" /success:disable /failure:disable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Service Ticket Operations" /success:enable /failure:enable
auditpol /set /subcategory:"Other Account Logon Events" /success:enable /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /success:enable /failure:enable

----------------

We also have this GPO set to allow subcategory settings to override the category settings:


Audit: Force Audit Policy subcategory settings to override audit policy category settings

-----


My understanding of the File System audit logging policy is that files will not be audited unless a SACL has been applied to them, and the SACL matches both the user attempting the access and the permission it is attempting to use.

In my case we have some of the folders (C:\inetpub\wwwroot) for IIS audited so we know when a file is added, written, deleted, permissions changed or ownership taken by members of the BUILTIN\Everyone group.

I can log in and see that this folder has the SACL applied.

However, when I go to look in the event log I see ID 4663 for paths outside C:\inetpub\wwwroot and for read access attempts! When I check the folders and files the log shows, they have no SACL applied to them!

I checked Global Object Access Auditing and it's not set on the network or in the local security policy. I checked all the links associated with the event here:

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4663

and I don't see any reason I'd be getting these events if I don't have a SACL defined on the file.

Is there a setting somewhere else that would set a SACL for all folders on a machine that wouldn't be visible from the file and folder security screen?

Or could there be another audit logging setting I have set somewhere that also generates a 4663 event when a file is opened?



Post #6246
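One way to triage the question asked above (which subcategory is producing 4663s, and whether the objects named in them actually carry a SACL) is to pull the events, read the "Task Category" of each one, which is the audit subcategory that generated it, and then inspect the SACL of each file-system path. The script below is an added example written for this thread, not code from the original poster or from the linked wiki. It assumes it runs elevated on the server being investigated (Get-Acl -Audit needs the security privilege), that the Security log is readable, and the -MaxEvents cap is an arbitrary choice.

```powershell
# Added example (not from the original post): group 4663 events by the audit
# subcategory that produced them and check whether each file path has a SACL.
# Assumes an elevated session on the server in question; -MaxEvents is an assumed cap.
param(
    [int]$MaxEvents = 500
)

function Get-ObjectAccessEvents {
    param([int]$Max)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull EventData fields by name from the event XML instead of relying on positional Properties
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                # TaskDisplayName is the "Task Category" shown in Event Viewer, i.e. the
                # subcategory (File System, Registry, Kernel Object, ...) that produced the event
                Subcategory = $_.TaskDisplayName
                ObjectType  = $data['ObjectType']
                ObjectName  = $data['ObjectName']
                AccessMask  = $data['AccessMask']
                Subject     = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Process     = $data['ProcessName']
            }
        }
}

function Test-HasSacl {
    param([string]$Path)
    # Returns $true/$false for a reachable path, $null when the object is gone or unreadable
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    try {
        $acl = Get-Acl -LiteralPath $Path -Audit -ErrorAction Stop
        return ($acl.Audit.Count -gt 0)
    } catch {
        return $null
    }
}

$events = Get-ObjectAccessEvents -Max $MaxEvents

# 1. Which subcategory / object type is producing the 4663 volume?
$events |
    Group-Object Subcategory, ObjectType |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# 2. For file-system objects, list the paths that have no SACL at all.
#    Events here did not come from a file SACL, so another subcategory is responsible.
$events |
    Where-Object { $_.ObjectType -eq 'File' } |
    Select-Object -ExpandProperty ObjectName -Unique |
    ForEach-Object { [pscustomobject]@{ Path = $_; HasSacl = Test-HasSacl -Path $_ } } |
    Where-Object { $_.HasSacl -eq $false } |
    Format-Table -AutoSize
```

Reading the first table is usually enough: if the noisy rows show a Task Category other than "File System", the events are not coming from the wwwroot SACL at all, and the second table confirms that the paths involved carry no audit entries of their own.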
Posted 8/10/2016 3:23:49 PM
I have figured out what Audit Policy the 4663 Events were coming from:

https://technet.microsoft.com/en-us/library/dd941615(v=ws.10).aspx

Audit Kernel Object

The crazy part about that is it seems to call out that a SACL or a global SACL have to be applied for this to generate the 4663 events. I can confirm I have no SACL or Global SACL set for the server I'm testing on but I'm getting events for files all over the C:\ and D:\ drives.

I also wanted to point out this page is out of date:

https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Kernal-Object
Post #6248
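Having traced the extra events to the Kernel Object subcategory, the practical follow-up is to verify what the server's effective audit policy actually is against the baseline pasted in the first post, since the two can drift apart when GPO and local auditpol settings overlap. The script below is an added example for this thread, not code from the poster or from the linked Microsoft page. It assumes an elevated session, that auditpol's CSV output (/r) carries "Subcategory" and "Inclusion Setting" columns, and it only encodes the object-access and logon subset of the first post's baseline as an illustration.

```powershell
# Added example (not part of the original thread): compare the effective
# per-subcategory audit policy with the baseline from the first post and flag drift.
# Assumes auditpol /get ... /r output has "Subcategory" and "Inclusion Setting" columns
# and that the script runs elevated. The hashtable below is a subset of the posted baseline.
$Baseline = @{
    'File System'                = 'Success and Failure'
    'Registry'                   = 'Success and Failure'
    'Kernel Object'              = 'Success and Failure'   # the subcategory the thread traced the extra 4663s to
    'SAM'                        = 'No Auditing'
    'Handle Manipulation'        = 'No Auditing'
    'File Share'                 = 'Success and Failure'
    'Other Object Access Events' = 'No Auditing'
    'Process Creation'           = 'Success and Failure'
    'Logon'                      = 'Success and Failure'
    'Logoff'                     = 'Success and Failure'
}

function Get-EffectiveAuditPolicy {
    # /r emits CSV; keeping only comma-bearing lines guards against a leading blank line
    auditpol /get /category:* /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv |
        ForEach-Object {
            [pscustomobject]@{
                Subcategory = $_.Subcategory.Trim()
                Setting     = $_.'Inclusion Setting'.Trim()
            }
        }
}

function Compare-AuditPolicy {
    param([hashtable]$Expected, [object[]]$Actual)
    $byName = @{}
    foreach ($row in $Actual) { $byName[$row.Subcategory] = $row.Setting }
    foreach ($name in $Expected.Keys) {
        $current = if ($byName.ContainsKey($name)) { $byName[$name] } else { '(not reported)' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Current     = $current
            Drift       = ($current -ne $Expected[$name])
        }
    }
}

$policy = Get-EffectiveAuditPolicy

# Rows with Drift = True are where the running policy no longer matches the baseline
Compare-AuditPolicy -Expected $Baseline -Actual $policy |
    Sort-Object Drift -Descending |
    Format-Table -AutoSize

# Show the Kernel Object subcategory on its own, since that is the one under suspicion
$policy | Where-Object { $_.Subcategory -eq 'Kernel Object' }
```

If the goal is only file-level visibility on the IIS folder, the "Kernel Object" row is the one to review: with the File System subcategory and the wwwroot SACL in place, that subcategory contributes the handle-level events the poster saw for paths with no SACL.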