Auditing - Access Mask

[Don Jones]

OS: Windows Server 2003 w/SP2 latest Hotfixes
Mode: Running Terminal Servers in Application Mode
Users: average about 40-50 users per server.

Is there any documentation or tool that can take an access mask listed in an
entry in the security.log and translated into meaningful informatation?

We have enabled auditing for Files,Folders and subfolders starting at the
root directory on down. We are seeing failures on access to files that users
have read and execute access to. Below is a sample of entries we are
seeing.

Event Type: Failure Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 12/28/2007
Time: 6:36:04 AM
User: somedomain\some.user
Computer: some computer
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: N:\ifs\a081900\ifs\exec\genbin\KEYS.ICO
Handle ID: -
Operation ID: {0,141566014}
Process ID: 8912
Image File Name: N:\oracle\oraifs1\BIN\ifrun60.EXE
Primary User Name: walter.mathison.ifs
Primary Domain: NAE
Primary Logon ID: (0x0,0x86EE23A)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
WriteAttributes

Privileges: -
Restricted Sid Count: 0
Access Mask: 0x120189


Any assistance would be appreicated.

Don Jones

 

[Kirk Lashbrook]

Re: Auditing - Access Mask

Have you seen this ?

http://wiki.wireshark.org/SMB2/AccessMask





"Don Jones" <DonJones@discussions.microsoft.com> wrote in message
news:294965AE-9CB2-44FE-80F8-6FFD0580FFCB@microsoft.com...
> OS: Windows Server 2003 w/SP2 latest Hotfixes
> Mode: Running Terminal Servers in Application Mode
> Users: average about 40-50 users per server.
>
> Is there any documentation or tool that can take an access mask listed in
> an
> entry in the security.log and translated into meaningful informatation?
>
> We have enabled auditing for Files,Folders and subfolders starting at the
> root directory on down. We are seeing failures on access to files that
> users
> have read and execute access to. Below is a sample of entries we are
> seeing.
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Object Access
> Event ID: 560
> Date: 12/28/2007
> Time: 6:36:04 AM
> User: somedomain\some.user
> Computer: some computer
> Description:
> Object Open:
> Object Server: Security
> Object Type: File
> Object Name: N:\ifs\a081900\ifs\exec\genbin\KEYS.ICO
> Handle ID: -
> Operation ID: {0,141566014}
> Process ID: 8912
> Image File Name: N:\oracle\oraifs1\BIN\ifrun60.EXE
> Primary User Name: walter.mathison.ifs
> Primary Domain: NAE
> Primary Logon ID: (0x0,0x86EE23A)
> Client User Name: -
> Client Domain: -
> Client Logon ID: -
> Accesses: READ_CONTROL
> SYNCHRONIZE
> ReadData (or ListDirectory)
> ReadEA
> ReadAttributes
> WriteAttributes
>
> Privileges: -
> Restricted Sid Count: 0
> Access Mask: 0x120189
>
>
> Any assistance would be appreicated.
>
> Don Jones