Configure Windows registry Audit settings

  • Question

  • I'm trying to set ACL advanced permissions for Auditing  (SetValue, CreateSubKey, Delete, ChangePermissions,TakeOwnership)

    PS C:\> Get-Acl HKLM:\SOFTWARE -Audit | fl

    Path   : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE
    Owner  : BUILTIN\Administrators
    Group  : NT AUTHORITY\SYSTEM
    Access : CREATOR OWNER Allow  FullControl
             NT AUTHORITY\SYSTEM Allow  FullControl
             BUILTIN\Administrators Allow  FullControl
             BUILTIN\Users Allow  ReadKey
             APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES Allow  ReadKey
    Audit  : Everyone Success  SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership

    I can do so manually but getting error running this script:

    $AuditUser = "Everyone"
    $AuditRules = "ReadData, TakeOwnership"
    $InheritType = "None"
    $PropagationFlags = "None"
    $AuditType = "Success"
    $FileReadSuccessAudit = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,
    $AuditRules,$InheritType,$PropagationFlags,$AuditType)
    $FilePath = "HKLM:\SOFTWARE"
    $Acl = Get-Acl $FilePath -Audit
    $Acl.SetAuditRule($FileReadSuccessAudit)

    Cannot convert argument "rule", with value: "System.Security.AccessControl.FileSystemAuditRule", for "SetAuditRule" to
    type "System.Security.AccessControl.RegistryAuditRule": "Cannot convert the
    "System.Security.AccessControl.FileSystemAuditRule" value of type "System.Security.AccessControl.FileSystemAuditRule"
    to type "System.Security.AccessControl.RegistryAuditRule"."
    At line:1 char:1
    + $Acl.SetAuditRule($FileReadSuccessAudit)
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : NotSpecified: (:) [], MethodException
        + FullyQualifiedErrorId : MethodArgumentConversionInvalidCastArgument

    Thursday, November 29, 2018 11:54 PM

All replies

  • You should never try to give "TakeOwnership" to Everyone. That is asking to be hacked.


    \_(ツ)_/

    Friday, November 30, 2018 12:06 AM
  • $path = 'HKLM:\SOFTWARE'
    $auditUser = 'Everyone'
    $auditRules = 'ReadData,TakeOwnership'
    $inheritType = 'None'
    $propagationFlags = 'None'
    $auditType = 'Success'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($auditUser,$auditRules,$inheritType,$propagationFlags,$auditType)

    $acl = Get-Acl $path -Audit
    $acl.Access.AddRule($rule)
    Set-Acl -AclObject $acl -Path $path
    Be careful.

    \_(ツ)_/

    Friday, November 30, 2018 12:09 AM
  • Thank you, this is what Netwrix software is requiring per this article

    https://helpcenter.netwrix.com/Configure_IT_Infrastructure/Windows_Server/WS_Registry.html


    • Edited by alexserd Friday, November 30, 2018 5:06 PM
    Friday, November 30, 2018 5:04 PM
  • Thank you, this is what Netwrix software is requiring per this article

    https://helpcenter.netwrix.com/Configure_IT_Infrastructure/Windows_Server/WS_Registry.html


    Please contact Netwrix for help with Netwrix software.

    Also I made an error when typing the above example. It should be:

    $acl = Get-Acl $path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -AclObject $acl -Path $path

    $path = 'HKLM:\SOFTWARE'
    $user = 'Everyone'
    $auditRules = 'ReadKey,TakeOwnership'
    $inheritType = 'None'
    $propagationFlags = 'None'
    $auditType = 'Success'
    $rule = New-Object System.Security.AccessControl.RegistryAuditRule($user,$auditRules,$inheritType,$propagationFlags,$auditType)
    
    $acl = Get-Acl $path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -AclObject $acl -Path $path

    You cannot use a file system rule for a registry audit rule.


    \_(ツ)_/
    • Edited by jrv Friday, November 30, 2018 5:25 PM
    Friday, November 30, 2018 5:19 PM
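The corrected approach from the last reply, written out as a reusable function that also reads the SACL back and shows where the resulting events land. This is an added example for this page, not code from the thread or from Netwrix; the function name, its parameters, the ContosoAuditTest key and the Probe value are this example's own assumptions.

```powershell
# Added example (not from the thread): add a Success audit entry to a registry key's SACL
# and read the resulting entries back. Run in an elevated session; reading or writing a SACL
# requires the "Manage auditing and security log" privilege (SeSecurityPrivilege).
function Add-RegistryAuditRule {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. 'HKLM:\SOFTWARE\Contoso' (constructed)
        [string] $Identity = 'Everyone',
        # The rights the question wants audited. A SACL entry records attempts; it grants nothing.
        [System.Security.AccessControl.RegistryRights] $Rights = 'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.InheritanceFlags] $Inheritance = 'ContainerInherit',
        [System.Security.AccessControl.PropagationFlags] $Propagation = 'None',
        [System.Security.AccessControl.AuditFlags] $AuditFlags = 'Success'
    )

    # Registry keys take RegistryAuditRule (built on RegistryRights). Handing a FileSystemAuditRule
    # to RegistrySecurity.AddAuditRule/SetAuditRule fails with the type-conversion error in the question.
    $rule = New-Object -TypeName System.Security.AccessControl.RegistryAuditRule `
        -ArgumentList $Identity, $Rights, $Inheritance, $Propagation, $AuditFlags

    $acl = Get-Acl -Path $Path -Audit   # -Audit is what pulls the SACL into the security descriptor object
    $acl.AddAuditRule($rule)            # append; SetAuditRule would replace $Identity's existing entries instead

    if ($PSCmdlet.ShouldProcess($Path, "Add $AuditFlags audit rule for $Identity")) {
        Set-Acl -Path $Path -AclObject $acl
    }

    # Return explicit and inherited audit entries so the caller can verify what was actually written
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

# Usage: audit a constructed test key, then look for the events it produces
$testKey = 'HKLM:\SOFTWARE\ContosoAuditTest'   # constructed for this example
New-Item -Path $testKey -Force | Out-Null
Add-RegistryAuditRule -Path $testKey |
    Format-Table IdentityReference, RegistryRights, AuditFlags, InheritanceFlags

# A SACL entry only yields events once the Object Access > Registry audit subcategory is enabled:
#   auditpol /set /subcategory:"Registry" /success:enable /failure:enable
# After that, a write such as the one below appears in the Security log as event 4657
# (registry value modified) and 4663 (attempt to access an object).
Set-ItemProperty -Path $testKey -Name 'Probe' -Value 1
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4657, 4663 } -MaxEvents 50 |
    Where-Object { $_.Message -match 'ContosoAuditTest' } |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
```

Two points worth keeping apart when reading the thread: the `Audit` line shown by `Get-Acl -Audit` is the SACL, not the DACL, so an entry auditing `TakeOwnership` for Everyone does not give anyone the right to take ownership; it only records who tried. And the SACL by itself produces nothing in the Security log until the Registry subcategory of Object Access auditing is switched on, which is why the `auditpol` step is included above.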