track SAM modifications

  • Thread starter Marc Ochsenmeier

Marc Ochsenmeier

Hi,

I know that, when turned on, Windows writes entries in the events log when someone
changes the SAM.

My question is: is there any notification mechanism proper to the SAM that
can be registered in order to capture these events?

Thanks
Marc Ochsenmeier
______________________________________________________

(e-mail address removed) HP Customer Support R&D
Network Services
tel: +49 (7031) 14-7503 Schickardstraße 25
fax: +49 (7031) 14-4987 D - 71034 Böblingen
 

Jean-Baptiste Marchand

Marc said:
I know that, when turned on, Windows writes entries in the events log when someone
changes the SAM.

Yes, when the _Audit object access_ auditing category is set (for
success and/or failures) in the security auditing policy, 560 events
related to SAM objects appear in the security eventlog.

This is because SAM objects have by default a SACL (see the following
thread for more details):

http://www.securityfocus.com/archive/116/327320/2003-06-30/2003-07-06/1

My question is: is there any notification mechanism proper to the SAM that
can be registered in order to capture these events?

Not that I know of. But you can modify the SACL on SAM objects using the
samacl tool:

http://razor.bindview.com/tools/desc/acltools1.0-readme.html


Of course, a 560 event does not actually mean that an object was
effectively accessed but only that access was given to an object, with
the intent to do something with it.


Jean-Baptiste Marchand
 

Eric Fitzgerald [MSFT]

Better still, enable "Account Management", the events are more clear.

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.
 

Marc Ochsenmeier

Hi,

this is what I did! I did enable the auditing of "Account management". From
this point, I receive the event 518 in the log events.
This event tells me how someone has been trying to modify the SAM.

...but what I am really looking for is a mechanism that allows me to
(programmatically) register a component (dll?) that will enable me to catch
these events additionally to log events. My goal is to collect the SAM
specific audit events in another application.

Thanks in advance.

Marc Ochsenmeier
www.ochsenmeier.com



Eric Fitzgerald said:
Better still, enable "Account Management", the events are more clear.

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.
 

Marc Ochsenmeier

Sorry about this multiple answer!
I don't know what happened, the server had a problem....


Eric Fitzgerald said:
Better still, enable "Account Management", the events are more clear.

--
Eric Fitzgerald
Program Manager, Windows Auditing
Microsoft Corporation

The above message is provided "AS-IS" with no warranties, and confers no
rights.
 

Roger Abell [MVP]

You may want to look into using WMI to get a notification
set up on the event log entries of interest.

Marc Ochsenmeier said:
Hi,

this is what I did! I did enable the auditing of "Account management". From
this point, I receive the event 518 in the log events.
This event tells me how someone has been trying to modify the SAM.

...but what I am really looking for is a mechanism that allows me to
(programmatically) register a component (dll?) that will enable me to catch
these events additionally to log events. My goal is to collect the SAM
specific audit events in another application.

Thanks in advance.

Marc Ochsenmeier
www.ochsenmeier.com
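
The WMI notification suggested in the reply above, as an added example that is not part of the original thread: it subscribes to new Security-log records and hands each match to another application as one JSON line. Assumptions: Windows PowerShell run elevated, the event IDs are the ones named in this thread, and the output file name is hypothetical.

```powershell
# Event IDs named in the thread; adjust to the events your audit policy produces.
$eventIds = 518, 560
# Hypothetical hand-off file that the collecting application reads.
$outFile  = Join-Path $env:TEMP 'sam-audit-events.jsonl'

# WQL: fire once for each new Security-log record carrying one of the IDs above.
$idFilter = ($eventIds | ForEach-Object { "TargetInstance.EventCode = $_" }) -join ' OR '
$wql = "SELECT * FROM __InstanceCreationEvent " +
       "WHERE TargetInstance ISA 'Win32_NTLogEvent' " +
       "AND TargetInstance.Logfile = 'Security' AND ($idFilter)"

# Reading the Security log through WMI requires the security privilege
# to be enabled on the WMI connection, not just held by the account.
$scope = New-Object System.Management.ManagementScope '\\.\root\cimv2'
$scope.Options.EnablePrivileges = $true

$query   = New-Object System.Management.WqlEventQuery $wql
$watcher = New-Object System.Management.ManagementEventWatcher -ArgumentList $scope, $query

# The action runs for every matching record; the file path travels in MessageData.
$job = Register-ObjectEvent -InputObject $watcher -EventName EventArrived `
    -SourceIdentifier 'SamAudit' -MessageData $outFile -Action {
        $rec = $EventArgs.NewEvent.TargetInstance
        [pscustomobject]@{
            TimeGenerated    = $rec.TimeGenerated
            EventCode        = $rec.EventCode
            User             = $rec.User
            Computer         = $rec.ComputerName
            InsertionStrings = $rec.InsertionStrings
        } | ConvertTo-Json -Compress | Add-Content -Path $Event.MessageData
    }

$watcher.Start()
# To stop: $watcher.Stop(); Unregister-Event -SourceIdentifier 'SamAudit'
```

The subscription lives only as long as the PowerShell session, and it delivers nothing unless the audit policy discussed in the thread is already writing these events to the Security log.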
 
