Re: Auditing or preventing task manager from terminating a process
From: Slava M. Usov (stripit.slough_at_gmx.net)
Date: 07/13/04
- Next message: Douglas Peterson: "Re: Named (by string) block of memory accessable by all units in the process"
- Previous message: Matt Taylor: "Re: Importing NTDLL Functions"
- In reply to: Ivan Brugiolo [MSFT]: "Re: Auditing or preventing task manager from terminating a process"
- Next in thread: Anette: "Re: Auditing or preventing task manager from terminating a process"
- Reply: Anette: "Re: Auditing or preventing task manager from terminating a process"
- Messages sorted by: [ date ] [ thread ]
Date: Tue, 13 Jul 2004 22:04:46 +0200
"Ivan Brugiolo [MSFT]" <ivanbrug@online.microsoft.com> wrote in message
news:Ot6sXhPaEHA.712@TK2MSFTNGP11.phx.gbl...
> It should be the flag that is set on the OBJECT_HEADER when "audit object
> access" is enabed.
OK, I found it.
Hive: HKEY_LOCAL_MACHINE \SYSTEM
Key: \CurrentControlSet\Control\Lsa
Name: AuditBaseObjects
Type: REG_DWORD
Value: 1
With that setting on [reboot is required], and the object audit enabled, I
can finally see the audit of process objects.
It is documented in NT ResKit. It also says
[quote]
In addition to Files, Registry Keys, and Printers, Windows NT has a number
of objects that are not generally visible to or known by a typical user.
Application programmers or people writing I/O device drivers might have
learned about these objects in software development or device driver
development kits. Normal interactive users, however, have no direct ability
to affect these objects except as intended by Windows NT.
Generally speaking, these objects are used by Windows NT in a manner that
makes auditing their use not very interesting. In fact, doing so can
introduce so many audit entries into the security log that locating real
security problems becomes considerably more difficult.
[end quote]
I find the second paragraph quite true. It generates a lot of audit events.
What I do not understand is why all that stuff is generated. I see audit of
objects that do not have SACLs; that includes window stations and desktops,
and, less frequently, sections, mutants and events. Why are they audited?
S
- Next message: Douglas Peterson: "Re: Named (by string) block of memory accessable by all units in the process"
- Previous message: Matt Taylor: "Re: Importing NTDLL Functions"
- In reply to: Ivan Brugiolo [MSFT]: "Re: Auditing or preventing task manager from terminating a process"
- Next in thread: Anette: "Re: Auditing or preventing task manager from terminating a process"
- Reply: Anette: "Re: Auditing or preventing task manager from terminating a process"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
