portiz60
asked on
Access Mask Windows 2003 Security
Hi, I have configured Audit on some folders on my Windows 2003 servers, and I have some events in the security log that I want to understand, in particular the meaning of the Access Mask option. I want to know if a user or a process is creating, changing or deleting a file.
The information isn't clear and I think the clue is in the Access Mask information; I haven't found technical information about it.
I copied an event below:
Event Type: Sucess Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 12/28/2007
Time: 6:36:04 AM
User: somedomain\some.user
Computer: some computer
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: N:\ifs\a081900\ifs\exec\genbin\KEYS.ICO
Handle ID: -
Operation ID: {0,141566014}
Process ID: 8912
Image File Name: N:\oracle\oraifs1\BIN\ifrun60.EXE
Primary User Name: walter.mathison.ifs
Primary Domain: NAE
Primary Logon ID: (0x0,0x86EE23A)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120189
I find 0x120189 and 0x10080 values normally in the Access Mask field, but I want to know the meaning of this field and if there exists some documentation about it, or if there is a way to know if a user or a process is creating, changing or deleting a file.
Any help will be appreciated.
Paulo.
0x indicates that it's a hexadecimal. (I'm learning too :) ) Take the number, convert it to binary (you can use the Windows calculator in scientific mode to do this) and then you can compare it to that link.
If when you convert it to binary you come up with fewer than 32 characters, then pad the left side with zeros.
ASKER
Ok, I understand the hexadecimal thing, but I have converted the values and I still don't know how to use the table in the page. It only says that the first 16 bits are Object-specific Access Rights and next 8 bits are Standard Access Rights, but how do I know if 0x120189 and 0x10080 values are creating, modifying, reading or deleting a file?
ASKER
Or maybe the clue to know the difference is in another field, but which one?
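An added example, not part of the original thread: a Python decoder for the Access Mask field of a File object-access event, using the standard Windows file access-right bit values from winnt.h. The category names returned by classify() and the labels for rights not shown in the event are this example's own wording.

```python
# Added example: decode the "Access Mask" of a File object-access event.
# Bit values are the standard Windows file access rights from winnt.h.
# Labels for the six rights shown in the event are copied from it; the
# other labels and the category names are this example's own wording.
FILE_RIGHTS = [
    (0x00000001, "ReadData (or ListDirectory)"),
    (0x00000002, "WriteData (or AddFile)"),
    (0x00000004, "AppendData (or AddSubdirectory)"),
    (0x00000008, "ReadEA"),
    (0x00000010, "WriteEA"),
    (0x00000020, "Execute/Traverse"),
    (0x00000040, "DeleteChild"),
    (0x00000080, "ReadAttributes"),
    (0x00000100, "WriteAttributes"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
    (0x01000000, "ACCESS_SYSTEM_SECURITY"),
]
KNOWN_BITS = sum(bit for bit, _ in FILE_RIGHTS)

# Coarse grouping that answers "is this a read, a change or a delete?"
CATEGORIES = [
    ("read", 0x1 | 0x8 | 0x80 | 0x20000),
    ("write_or_create", 0x2 | 0x4),
    ("change_attributes", 0x10 | 0x100),
    ("delete", 0x40 | 0x10000),
    ("change_permissions_or_owner", 0x40000 | 0x80000),
]

def parse_mask(value):
    """Accept an int or the hex string from the event, e.g. '0x120189'."""
    return value if isinstance(value, int) else int(value.strip(), 16)

def decode(value):
    """Return (names of the rights set in the mask, bits not in the table)."""
    mask = parse_mask(value)
    names = [name for bit, name in FILE_RIGHTS if mask & bit]
    return names, mask & ~KNOWN_BITS

def classify(value):
    """Return the coarse categories whose bits appear in the mask."""
    mask = parse_mask(value)
    return [label for label, bits in CATEGORIES if mask & bits]

if __name__ == "__main__":
    for sample in ("0x120189", "0x10080"):  # the two masks from the question
        names, unknown = decode(sample)
        print(sample, classify(sample), names, hex(unknown))
```

0x120189 decodes to exactly the six rights listed under Accesses in the event above, and 0x10080 is ReadAttributes plus DELETE; both describe the access recorded when the object was opened.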