Forum Newbie
Group: Forum Members

I am trying to audit all attempts to access sensitive files. I have set up auditing at the folder level and turned on Object Access: File System and Handle Manipulation. I am seeing audit failures, but they do not list the process name. I am trying to determine whether someone is actually trying to access the folder or whether it is a background process and the user is unaware. It happens multiple times per day, and I would guess that if the user were getting access denied errors repeatedly, they would not keep trying. Is there any way I can get more information?

Forum Newbie
Group: Forum Members

Anyone have any suggestions? I can't tell if there is a process that is attempting to access the directory, or if it is the user. These are highly sensitive files and I have no confidence in the audit log.

Supreme Being
Group: Moderators

Can you show a sample event? One way would be to test the auditing for the exact conditions you want to detect and review the log. You may want to check event ID 4663 instead. From the encyclopedia: "This event is logged between the open (4656) and close (4658) events for the object being opened" ... "event 4656 tells you when the object is initially opened and what type of access was requested at that time; 4656 doesn't give you positive confirmation any of the access permissions were actually exercised."

Forum Newbie
Group: Forum Members

Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/16/2017 8:24:50 PM
Event ID: 4656
Task Category: File System
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DOC.consultbai.local
Description:
A handle to an object was requested.
Subject:
Security ID: BRUBAKER\deb
Account Name: deb
Account Domain: BRUBAKER
Logon ID: 0x6bf30962
Object:
Object Server: Security
Object Type: File
Object Name: E:\ProlawDocs\RAV
Handle ID: 0x0
Process Information:
Process ID: 0x4
Process Name:
Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: SYNCHRONIZE
ReadData (or ListDirectory)
ReadAttributes
Access Reasons: SYNCHRONIZE: Denied by D:(D;OICI;FA;;;S-1-5-21-2093295583-843462373-1182547822-1175)
ReadData (or ListDirectory): Denied by D:(D;OICI;FA;;;S-1-5-21-2093295583-843462373-1182547822-1175)
ReadAttributes: Granted by ACE on parent folder D:(A;OICI;0x1200a9;;;BU)
Access Mask: 0x100081
Privileges Used for Access Check: -
Restricted SID Count: 0

Supreme Being
Group: Moderators

This looks like the user Deb attempted to read the file Deb and was denied. Is that correct? What actions occurred and what was the outcome?

Forum Newbie
Group: Forum Members

We have deny access set on a directory that belongs to our HR person, RAV. I don't think that the users BRUBAKER\DEB or BRUBAKER\SDW are purposely trying to access anything in the directory, but that is what I am trying to find out. I have multiple entries where those 2 users show up as being denied. I am not sure what else would cause only 2 users in our organization to show up if they were not purposely trying to access it, but it is multiple entries a day, so I would also think that if you were denied repeatedly, you would stop. I thought maybe it was a mapped drive and a virus scan or something that was automatically trying to list the contents, but the audit is not giving any other information.

Supreme Being
Group: Moderators

I think you should rely on event ID 4663 to make a final determination. What do those logs tell you?
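Added example, not code from this thread or its participants: a PowerShell script that pulls 4656 (handle requested) and 4663 (access exercised) events for one audited path, joins them on Logon ID and Handle ID, and reports the requesting process for each 4656. It assumes the path E:\ProlawDocs\RAV from the posted event; PID 4 is the Windows System process, so a 4656 with Process ID 0x4 and an empty Process Name is a kernel-mode open, most often the SMB server opening the path on behalf of a remote client rather than a program running on the file server itself.

```powershell
# Added example (not from the thread). Correlate 4656 with 4663 for one audited
# path and show who/what requested the handle. PID 4 = "System": such opens carry
# no ProcessName because the kernel (typically the SMB server, srv2.sys) performs
# them on behalf of a remote client, e.g. a mapped drive or a scanner on the client.
param(
    [string]$ObjectPath = 'E:\ProlawDocs\RAV',   # path from the posted event
    [int]$Hours = 24
)

# Flatten an EventLogRecord's EventData into a hashtable keyed by Data Name.
function ConvertTo-EventMap {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{ Id = $Event.Id; Time = $Event.TimeCreated
              Outcome = ($Event.KeywordsDisplayNames -join ',') }   # Audit Success/Failure
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    return $map
}

$filter = @{ LogName = 'Security'; Id = 4656, 4663
             StartTime = (Get-Date).AddHours(-$Hours) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventMap $_ } |
    Where-Object { $_.ObjectName -like "$ObjectPath*" }

# 4663 is written only when a granted access is actually used. A denied 4656 has
# HandleId 0x0 and never gets a partner; a granted one is joined on LogonId+Handle.
$exercised = @{}
foreach ($e in ($events | Where-Object { $_.Id -eq 4663 })) {
    $exercised["$($e.SubjectLogonId)|$($e.HandleId)"] = $true
}

$events | Where-Object { $_.Id -eq 4656 } | ForEach-Object {
    # EventData stores ProcessId as hex (0x4 in the posted event).
    $procId = if ($_.ProcessId) { [Convert]::ToInt64($_.ProcessId, 16) } else { -1 }
    $procName = if ($_.ProcessName) { $_.ProcessName }
                elseif ($procId -eq 4) { 'System (kernel-mode open, e.g. SMB server for a remote client)' }
                else { '<not recorded>' }
    [pscustomobject]@{
        Time        = $_.Time
        Outcome     = $_.Outcome
        User        = "$($_.SubjectDomainName)\$($_.SubjectUserName)"
        Object      = $_.ObjectName
        ProcessId   = $procId
        ProcessName = $procName
        Accesses    = ($_.AccessList -replace '\s+', ' ')   # %%nnnn access-type codes
        Exercised   = $exercised.ContainsKey("$($_.SubjectLogonId)|$($_.HandleId)")
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the file server; a steady stream of Audit Failure rows with ProcessId 4 and Exercised = False for the same two users points at a client-side process enumerating the share over SMB, which the server-side audit cannot name, so the originating program has to be identified on the client (for example with a process-level audit or Sysmon there).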