Hello,
I consider auditing a good way to see if my computer is behaving normally without unwanted activity.
So I enabled auditing for the file system, and I added audit SACLs on the trees I want to monitor. So far so good.
Unfortunately there are annoying audits logged that make it difficult to find abnormal activity among a heap of useless events.
The most common event is that several programs, OneDrive to begin with, attempt to make file operations with the
ACCESS_SYS_SEC bit set. The operation of course fails and is logged.
My first problem is how to avoid an audit in these circumstances while keeping audits for all other failed access bits.
There is no bit available in the SACL editor at this point (using audit in the advanced security tab) for choosing whether or not to log this failure.
My second problem is why OneDrive sets this bit. If this bit is set by a higher-level system routine for obscure reasons, then maybe it should not be audited.
This is not a new problem, but I would be happy to find a workaround.
Thank you,
- gg
Informations sur le processus :
ID du processus : 0x2628
Nom du processus : C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe
Informations sur la demande d’accès :
ID de la transaction {00000000-0000-0000-0000-000000000000}
Accès : DELETE
READ_CONTROL
SYNCHRONIZE
ACCESS_SYS_SEC
Lecture données (ou liste de répertoire)
Écriture données (ou ajout fichier)
ReadEA
ReadAttributes
Raisons de l’accès : DELETE: Accordé par ACE sur le dossier parent D:(A;OICIID;FA;;;S-1-5-21-myident)
READ_CONTROL: Accordé par la propriété
SYNCHRONIZE: Inconnu ou non contrôlé
ACCESS_SYS_SEC: Non accordé en raison d’un élément manquant SeSecurityPrivilege
Lecture données (ou liste de répertoire): Inconnu ou non contrôlé
Écriture données (ou ajout fichier): Inconnu ou non contrôlé
ReadEA: Inconnu ou non contrôlé
ReadAttributes: Accordé par ACE sur le dossier parent D:(A;OICIID;FA;;;S-1-5-21-myident)
Masque d’accès 0x113008B
Privilèges utilisés pour les vérifications d’accès : -
Nombre de SID restreints : 0
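One way to separate the ACCESS_SYS_SEC noise from the audit failures that deserve a look, as an added example that is not part of the original post: the script below reads the Security log, keeps the failed handle requests, and splits them on whether the requested access mask contains the ACCESS_SYSTEM_SECURITY bit (0x01000000, the "ACCESS_SYS_SEC" line in the event above; it is also set in the quoted mask 0x113008B). It works from the event XML rather than the rendered message, so it does not depend on the display language. Assumptions: the quoted event is Security event 4656 (the layout with "access reasons" matches that event), the EventData field names used (AccessMask, ProcessName, SubjectUserName, ObjectName) are the standard ones for it, the script runs from an elevated PowerShell, and the one-day look-back window is an illustrative value.

```powershell
# Added example (not from the original post): triage failed Security event 4656 entries
# and separate requests that asked for ACCESS_SYS_SEC from every other failed request.
# Assumed: event ID 4656, standard EventData field names, elevated session, 1-day window.

$AccessSystemSecurity = 0x01000000        # ACCESS_SYS_SEC bit, present in the post's mask 0x113008B
$AuditFailureKeyword  = 0x10000000000000  # Security log keyword "Audit Failure"
$LookBack             = (Get-Date).AddDays(-1)

function Get-EventDataField {
    # Read one named <Data> element from the event XML. The rendered message is
    # localized (the post's copy is French); the XML field names are not.
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { [string]$node.'#text' } else { '' }
}

function Get-FailedHandleRequests {
    param([datetime]$Since = $LookBack)

    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656
        Keywords  = $AuditFailureKeyword
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $maskText = (Get-EventDataField $e 'AccessMask').Trim()
        if (-not $maskText) { continue }
        $mask = [Convert]::ToInt64($maskText, 16)   # accepts the "0x..." form used in the log

        [pscustomobject]@{
            Time        = $e.TimeCreated
            Process     = Get-EventDataField $e 'ProcessName'
            User        = Get-EventDataField $e 'SubjectUserName'
            Object      = Get-EventDataField $e 'ObjectName'
            AccessMask  = ('0x{0:X}' -f $mask)
            # True when the request asked for SACL access, which is refused for any
            # process that does not hold SeSecurityPrivilege, as in the OneDrive event.
            AskedSysSec = (($mask -band $AccessSystemSecurity) -ne 0)
            # The remaining rights in the same request, for a quick look at what else was asked.
            OtherRights = ('0x{0:X}' -f ($mask -band (-bnot $AccessSystemSecurity)))
        }
    }
}

$all = @(Get-FailedHandleRequests)

"== Failed 4656 requests that included ACCESS_SYS_SEC, by process =="
$all | Where-Object AskedSysSec |
    Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

"== Failed 4656 requests that did NOT include ACCESS_SYS_SEC (review these) =="
$all | Where-Object { -not $_.AskedSysSec } |
    Select-Object Time, Process, User, Object, AccessMask |
    Format-Table -AutoSize
```

The first table shows which processes keep asking for SACL access (OneDrive.exe in the post), and the second is the short list worth reading. One caveat that the quoted event itself shows: once ACCESS_SYS_SEC is refused, the other rights in the request are reported as "unknown or unchecked", so these events cannot tell you whether the rest of the request would have been granted; that is why the script reports the other requested rights but does not try to judge them.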