
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1491

Access Mask Windows 2003 Security

Hi, I have configured Audit in some folders in my Windows 2003 Servers, and I have some events in the security log that I want to understand, exactly the meaning of the Access Mask option, I want to know if a user or a process is creating, changing or deleting a file.
The information isn't clear and I think the clue is in the Access Mask information, I haven't found technical information about it.

I copied an event below:

Event Type:      Sucess Audit
Event Source:      Security
Event Category:      Object Access
Event ID:      560
Date:            12/28/2007
Time:            6:36:04 AM
User:            somedomain\some.user
Computer:      some computer
Object Open:
Object Server:      Security
Object Type:      File
Object Name:      N:\ifs\a081900\ifs\exec\genbin\KEYS.ICO
Handle ID:      -
Operation ID:      {0,141566014}
Process ID:      8912
Image File Name:      N:\oracle\oraifs1\BIN\ifrun60.EXE
Primary User Name:      walter.mathison.ifs
Primary Domain:      NAE
Primary Logon ID:      (0x0,0x86EE23A)
Client User Name:      -
Client Domain:      -
Client Logon ID:      -
Accesses:      READ_CONTROL
ReadData (or ListDirectory)

Privileges:      -
Restricted Sid Count:      0
Access Mask:      0x120189

I find 0x120189 and 0x10080 values normally in the Access Mask field, but I want to know the meaning of this field and if there exists some documentation about it, or if there is a way to know if a user or a process is creating, changing or deleting a file.

Any help will be appreciated.

2 Solutions
portiz60Author Commented:
Thank you zelron22, but this page doesn't help too much to understand the meaning of the values in the Access Mask, for example in the events I have 0x10080 or 0x120196, are these numbers decimal or hexadecimal? Or how can I locate them in the table?
0x indicates that it's a hexadecimal.  (I'm learning too :) )  Take the number, convert it to binary (you can use the Windows calculator in scientific mode to do this) and then you can compare it to that link.

If when you convert it to binary you come up with fewer than 32 characters, then pad the left side with zeros.
portiz60Author Commented:
Ok, I understand the hexadecimal thing, but I have converted the values and I still don't know how to use the table in the page, it only says that the first 16 bits are Object-specific Access Rights and next 8 bits are Standard Access Rights, but how do I know if 0x120189 and 0x10080 values are creating, modifying, reading or deleting a file?
portiz60Author Commented:
Or maybe the clue to know the difference is in another field, but which one?
When you compare the mask to the table, each place you have a 1 indicates that permission is granted.

As to what the object specific permissions are, that's beyond my knowledge.

Good luck!
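
The bit-by-bit comparison described in the answers, as an added example that is not part of the original thread: it decodes a file-object Access Mask into named rights using the file access-right constants from the Windows SDK header winnt.h. The `INTENT` grouping and the function names are assumptions made for this example, not a Windows API.

```python
# Added example (not from the thread): decode the Access Mask of a file-object
# audit event. Event 560 is "Object Open", so the mask is the access requested
# when the handle was opened. Bit values are the winnt.h file access rights.
RIGHTS = [
    (0x00000001, "FILE_READ_DATA / ListDirectory"),
    (0x00000002, "FILE_WRITE_DATA / AddFile"),
    (0x00000004, "FILE_APPEND_DATA / AddSubdirectory"),
    (0x00000008, "FILE_READ_EA"),
    (0x00000010, "FILE_WRITE_EA"),
    (0x00000020, "FILE_EXECUTE / Traverse"),
    (0x00000040, "FILE_DELETE_CHILD"),
    (0x00000080, "FILE_READ_ATTRIBUTES"),
    (0x00000100, "FILE_WRITE_ATTRIBUTES"),
    (0x00010000, "DELETE"),
    (0x00020000, "READ_CONTROL"),
    (0x00040000, "WRITE_DAC"),
    (0x00080000, "WRITE_OWNER"),
    (0x00100000, "SYNCHRONIZE"),
    (0x01000000, "ACCESS_SYSTEM_SECURITY"),
]
# Coarse grouping chosen for this example (an assumption, not a Windows API).
INTENT = [
    ("read content", 0x00000001),
    ("create/modify content", 0x00000002 | 0x00000004),
    ("delete", 0x00010000 | 0x00000040),
    ("change attributes", 0x00000010 | 0x00000100),
    ("change permissions/owner", 0x00040000 | 0x00080000),
]

def to_bits(mask):
    """32-character binary string, left-padded with zeros as the answer describes."""
    return format(mask & 0xFFFFFFFF, "032b")

def decode(mask_text):
    """Return the names of every right whose bit is set in a mask like '0x120189'."""
    mask = int(mask_text, 16)
    names = [name for bit, name in RIGHTS if mask & bit]
    leftover = mask & ~sum(bit for bit, _ in RIGHTS)
    if leftover:
        names.append("UNKNOWN(0x%X)" % leftover)
    return names

def intents(mask_text):
    """Map the set bits to the coarse create/change/delete categories above."""
    mask = int(mask_text, 16)
    return [label for label, bits in INTENT if mask & bits]

if __name__ == "__main__":
    for sample in ("0x120189", "0x10080", "0x120196"):  # values quoted in the thread
        print(sample, to_bits(int(sample, 16)), intents(sample), decode(sample))
```
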
