Configure Windows registry Audit settings

Question
-
I'm trying to set ACL advanced permissions for Auditing (SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership):
PS C:\> Get-Acl HKLM:\SOFTWARE -Audit | fl
Path : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE
Owner : BUILTIN\Administrators
Group : NT AUTHORITY\SYSTEM
Access : CREATOR OWNER Allow FullControl
         NT AUTHORITY\SYSTEM Allow FullControl
         BUILTIN\Administrators Allow FullControl
         BUILTIN\Users Allow ReadKey
         APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow ReadKey
Audit : Everyone Success SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership
I can do so manually, but I get an error running this script:
$AuditUser = "Everyone"
$AuditRules = "ReadData, TakeOwnership"
$InheritType = "None"
$PropagationFlags = "None"
$AuditType = "Success"
$FileReadSuccessAudit = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,
$AuditRules,$InheritType,$PropagationFlags,$AuditType)
$FilePath = "HKLM:\SOFTWARE"
$Acl = Get-Acl $FilePath -Audit
$Acl.SetAuditRule($FileReadSuccessAudit)
Cannot convert argument "rule", with value: "System.Security.AccessControl.FileSystemAuditRule", for "SetAuditRule" to
type "System.Security.AccessControl.RegistryAuditRule": "Cannot convert the
"System.Security.AccessControl.FileSystemAuditRule" value of type "System.Security.AccessControl.FileSystemAuditRule"
to type "System.Security.AccessControl.RegistryAuditRule"."
At line:1 char:1
+ $Acl.SetAuditRule($FileReadSuccessAudit)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [], MethodException
+ FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument
Thursday, November 29, 2018 11:54 PM
All replies
-
You should never try to give "TakeOwnerShip" to Everyone. That is asking to be hacked.
\_(ツ)_/
Friday, November 30, 2018 12:06 AM -
Be careful.
$path = 'HKLM:\SOFTWARE'
$auditUser = 'Everyone'
$auditRules = 'ReadData,TakeOwnership'
$inheritType = 'None'
$propagationFlags = 'None'
$auditType = 'Success'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($auditUser,$auditRules,$inheritType,$propagationFlags,$auditType)
$acl = Get-Acl $path -Audit
$acl.Access.AddRule($rule)
Set-Acl -AclObject $acl -Path $path
\_(ツ)_/
- Edited by jrv Friday, November 30, 2018 12:14 AM
- Proposed as answer by LeeSeenLi (Microsoft contingent staff) Friday, November 30, 2018 1:42 AM
Friday, November 30, 2018 12:09 AM -
Thank you, this is what Netwrix software is requiring per this article
https://helpcenter.netwrix.com/Configure_IT_Infrastructure/Windows_Server/WS_Registry.html
- Edited by alexserd Friday, November 30, 2018 5:06 PM
Friday, November 30, 2018 5:04 PM -
Thank you, this is what Netwrix software is requiring per this article
https://helpcenter.netwrix.com/Configure_IT_Infrastructure/Windows_Server/WS_Registry.html
Please contact Netwrix for help with Netwrix software.
Also, I made an error when typing the above example. It should be:
$acl = Get-Acl $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -AclObject $acl -Path $path

$path = 'HKLM:\SOFTWARE'
$user = 'Everyone'
$auditRules = 'ReadKey,TakeOwnership'
$inheritType = 'None'
$propagationFlags = 'None'
$auditType = 'Success'
$rule = New-Object System.Security.AccessControl.RegistryAuditRule($user,$auditRules,$inheritType,$propagationFlags,$auditType)
$acl = Get-Acl $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -AclObject $acl -Path $path
You cannot use a file system rule for a registry audit rule.
\_(ツ)_/
- Edited by jrv Friday, November 30, 2018 5:25 PM
Friday, November 30, 2018 5:19 PM
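As an added example that is not code from this thread, the corrected approach applied to the exact rights the question asks for, followed by a read-back of the SACL to confirm the entry and a check of the audit policy that has to be on for the entry to produce events. It assumes an elevated shell and the standard Windows auditpol tool; key, identity and rights are the thread's values.

```powershell
# Added example, not from the thread. Run elevated: reading and writing a
# SACL requires SeSecurityPrivilege, which only an administrator holds.
$path = 'HKLM:\SOFTWARE'
$user = 'Everyone'

# These are RegistryRights names. FileSystemRights names such as ReadData
# are rejected when a RegistryAuditRule is built.
$rights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
# None = this key only (what the question set manually); ContainerInherit
# would make new subkeys pick up the same audit entry.
$inherit   = [System.Security.AccessControl.InheritanceFlags]::None
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$auditType = [System.Security.AccessControl.AuditFlags]::Success

# RegistryAuditRule, not FileSystemAuditRule: RegistrySecurity.SetAuditRule
# only accepts the registry rule type, which is the cast error in the question.
$rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
    -ArgumentList $user, $rights, $inherit, $propagate, $auditType

# -Audit makes Get-Acl read the SACL; without it there is nothing for
# Set-Acl to write back as audit entries.
$acl = Get-Acl -Path $path -Audit
# SetAuditRule replaces existing Success entries for this identity;
# AddAuditRule would merge the new rights into them instead.
$acl.SetAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Read the SACL back and confirm an entry for this identity carries every
# requested right (the -band test tolerates extra rights on the entry).
$entries = (Get-Acl -Path $path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $user -and $_.AuditFlags -eq $auditType }
$covered = $entries | Where-Object { ($_.RegistryRights -band $rights) -eq $rights }
if ($covered) {
    "Audit entry in place on ${path}: $($covered[0].RegistryRights) ($($covered[0].AuditFlags))"
} else {
    Write-Warning "No Success audit entry for $user with the requested rights on $path"
}

# A SACL entry alone logs nothing. Events (4657 registry value modified,
# 4663 object access) only appear when the Object Access > Registry
# subcategory is enabled; this shows its current setting.
auditpol /get /subcategory:"Registry"
```

If the last line reports "No Auditing", the SACL is correct but the system audit policy still has to be enabled before any registry events are written.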