Auditing Object Access Events
Here's how SACL entries translate into events in the Security log.
January 22, 2006
When I create audit entries in a file's ACL, how do I know what new Security log entries are enabled? For example, if I check the box for Everyone/Read Permissions/Success, what additional event IDs are enabled?
When you open the properties of a file or folder, select the Security tab, click Advanced, and select the Auditing tab, you're looking at what developers call the system ACL (SACL). It's not really an ACL at all—it just has the same internal structure as an ACL. I prefer to think of it as the system audit control list. For any items that you select on this list, Windows will start logging matching access events in the Security log. Of course, Windows will log these success and/or failure events according to how the Audit object access events policy is configured.
The event IDs of object access events generated from a file's SACL are from 560 through 567. Events with these IDs tell you when an object is accessed in one of the ways you've defined on the object's SACL. For the example you specified, you'll see event ID 560 whenever an application successfully opens the file and then event ID 562 when it closes the file. Event ID 560 tells you who opened the file, the full path name of the file, and the types of access the application requested. If the file is on the same computer as the application, event ID 560 also tells you the name of the executable. Event ID 560 doesn't tell you whether the application used the access it requested.
If the file is on a Windows Server 2003 system, you'll also see an instance of event ID 567 between 560 and 562. Event ID 567 has the same handle ID as event ID 560 and reports the exact permission used. In Windows 2000, event ID 567 doesn't exist. Therefore, if the application closes the file without ever using the access the application was granted, you won't know on Win2K but you will on Windows 2003.
About the Author
You May Also Like