7/16/2009

Security-related Event IDs

After you enable object access auditing at the system level and for a specific folder, you'll start seeing event ID 560 (Object open) in the Security log. Look for instances of event ID 560, such as the one in Figure 2 in which the Object Name in the description is the name of a folder on which you enabled auditing. Then look in the Accesses field for network software inventory freeware, which is the system name for Change permissions. Figure 2 shows that Fred changed permissions on C:\DeptFiles. In the Security log, you'll also see a subsequent event ID 562 (A handle to an object was closed) with the same Handle ID as in event ID 560. Event ID 562 is just the corresponding close for the open in event ID 560.

No comments: