Auditing Whom delete an file or folder.

TheMSsForum.com: The Microsoft Software Forum

The MSS Forum ‹ Security
- Archive
  - Biz
  - MCSE
  - CRM
  - Drivers
  - Framework
  - ADO
  - ASP
  - Compact
  - Forms
  - Dotnet
  - C#
  - VB
  - FontpageGen
  - Excel
  - WorkSheet
  - Exchange
  - Setup
  - Fox
  - Fontpage
  - ASP
  - IIS
  - Entourage
  - Money
  - Messanger
  - PocketPC
  - Powerpoint
  - Project
  - Publisher
  - Excel
  - VB
  - Security
  - Portal
  - Services
  - SQLServerDev
  - SVCS
  - SQLServer
  - VB
  - VC
  - MFC
  - ExcelGen

- Previous
  - 1
    - WInXP SP3 Why not release a SP3 for WinXP that incluldes all the latest updates? Tag: Auditing Whom delete an file or folder. Tag: 72646
  - 2
    - Links If you get a link in an email or see one on the forum, what is the best way to tell if the link is safe. How are some ways to check it before clicking on it? Thanks Tag: Auditing Whom delete an file or folder. Tag: 72637
  - 3
    - IUSR_WIN2K3 needs "Set Key" and "Create Subkey" permission to read I have an IIS ISAPI Extension running as the Internet Guest Account (IUSR_WIN2K3), and I'm having trouble getting it to read some registry keys. The RegOpenKeyEx() function is able to open the registry fine, but when I do a RegQueryValueEx(), it returns "5" (ERROR_ACCESS_DENIED). I've found that if I assert permissions to "Set Value" and "Create Subkeys", then I AM able to read the value (even if "Query Value" isn't allowed!). If I assert everything except "Create Subkeys", it won't work. etc, etc... I'm completely baffled by this behavior. This is a test development win2k3/IIS6 box that doesn't have any major software installed on it. Any idea what could cause this? Thanks Jason Tag: Auditing Whom delete an file or folder. Tag: 72636
  - 4
    - Audit Account Management We have set under our domain group policy to audit success and failure on our account management. We had an instance of someone resetting our domain admin password and don't want it to happen again. But, even after turning on this under our default domain gp and default domain controller gp, we are not getting any messages under our security event log. Anyone have an idea that we have missed? Tag: Auditing Whom delete an file or folder. Tag: 72631
  - 5
    - New MSSecure.XML Version 2005.06.14.0 Now Available MSSECURE.XML Data Version 2005.06.14.0 (for use by MBSA 1.2 and SMS SUS Feature Pack) was last modified today, June 14, 2005, and is now available for all supported languages (English, French, German and Japanese). Today's release contains 10 new bulletins, 7 of which are fully supported by MBSA. There are also 3 re-releases for previously released bulletins listed below: June Re-releases 1) MS02-035 (SQL Tool re-release) - there are no vulnerable files to identify, so there is no automated detection for this item. This will appear in MBSA as an MBSA Note Message as it did with the original release (see MS02-035 and KB306460 for details) 2) MS05-004 (ASP .Net re-release) - not supported by MBSA, but supported by February edition of the EST Tool. 3) MS05-019 (TCP re-release)- this patch replaces the original MS05-019 release. Only the patch in today's release is sufficient to resolve this vulnerability; neither the original patch nor the subsequent hot-fix are sufficient to resolve this issue. New June Bulletins 4) MS05-025 (IE Cumulative) - Supersedes MS05-020 for all matching instances (W2003 SP1 is not superseded). 5) MS05-026 (HTML Help) - Supersedes MS05-001, MS04-023 and MS03-044 in all cases; does NOT replace MS02-055 even though files appear similar due to an ACL change that is not present in future updates. 6) MS05-027 (SRV.SYS) - Supersedes MS03-024 for all instances; supersedes MS02-070 for WinXP SP1 instance only. 7) MS05-028 (Web Client) 8) MS05-029 (Exchange 5.5) - Support for all Exchange 5.5 SP4 instances except when Exchange OWA is configured as a standalone IIS application that links to an Exchange installation on another server. For this case, EST must be used (see below) 9) MS05-030 (Outlook Express) - not supported by MBSA. Supported by June EST tool (see below). 10) MS05-031 (MS Interactive Training) - not supported by MBSA. Supported by June EST tool (see below). 11) MS05-032 (MSAgent) 12) MS05-033 (Telnet) - Windows Telnet instances detected by MBSA. Services for UNIX instances of Telnet require June EST tool (see below) 13) MS05-034 (ISA Server 2000) - not supported by MBSA. Supported by June EST tool (see below). ---------------------------- There are a number of technical issues with today's release that may be valuable to enterprise administrators: MSXML 3.0 SP5 and SP7: For customers with MSXML 3.0 SP7 (present on Windows Server 2003 SP1 or installed with SQL Server 2000 SP4) or MSXML 3.0 SP5 - both are now considered acceptable versions for the 'latest service pack' warning in MBSA. This resolves a previous warning that reported "MSXML 3.0 SP7 is installed, SP5 is the latest available service pack for this product." MS05-012 (OLE) and KB894391: MBSA would report a 'greater than expected' warning if the post MS05-012 hot-fix was applied. This has been fixed. MS05-009 (WMP9) and KB892313: MBSA would report a 'greater than expected' warning if the post MS05-009 hot-fix was applied. This has been fixed. ---------------------------- What is the Enterprise Update Scanning Tool (EST)? As part of an ongoing commitment to provide detection tools for complex updates for bulletin-class issues that are not supported by MBSA, a stand-alone tool may be provided for certain bulletins. Microsoft will evaluate the detection and deployment complexity of each bulletin, and provide detection support based on the specifics of each release. When a detection tool is created for a specific bulletin, customers will be able to script running the tool from a command line interface, and process the results using an XML output file. Detailed documentation will be provided with the tool to ensure customers can leverage it quickly. See the following link for details http://support.microsoft.com/default.aspx?id=894193 Additional detection for the 4 bulletins (Services for UNIX instance of Telnet, Outlook Express, Interactive Training, ISA Server 2000) not fully supported by MBSA can be obtained by downloading the June edition of the Enterprise Scan Tool (EST) located at the link above. -- Doug Neal [MSFT] dugn@online.microsoft.com This posting is provided "AS IS" with no warranties, and confers no rights. If newsgroup discussion with experts and MVPs is unable to solve a problem to your satisfaction, feel free to contact PSS for support on the Microsoft Baseline Security Analyzer (MBSA). Information is available at the following link: http://support.microsoft.com/default.aspx This e-mail address does not receive e-mail, but is used for newsgroup postings only. Tag: Auditing Whom delete an file or folder. Tag: 72630
  - 6
    - Microsoft Security Bulletin(s) for June 2005 Follow up set to microsoft.public.security June 14, 2005 Today Microsoft released the following Security Bulletin(s). Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details. Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided. Bulletin Summary: http://www.microsoft.com/technet/security/Bulletin/ms05-Jun.mspx Critical Bulletins: Cumulative Security Update for Internet Explorer (883939) http://www.microsoft.com/technet/security/Bulletin/ms05-025.mspx Vulnerability in HTML Help Could Allow Remote Code Execution (896358) http://www.microsoft.com/technet/security/Bulletin/ms05-026.mspx Vulnerability in Server Message Block Could Allow Remote Code Execution (896422) http://www.microsoft.com/technet/security/Bulletin/ms05-027.mspx Important Bulletins: Vulnerability in Web Client Service Could Allow Remote Code Execution (896426) http://www.microsoft.com/technet/security/Bulletin/ms05-028.mspx Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179) http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx Cumulative Security Update in Outlook Express (897715) http://www.microsoft.com/technet/security/Bulletin/ms05-018.mspx Cumulative Security Update in Outlook Express (897715) http://www.microsoft.com/technet/security/Bulletin/ms05-030.mspx Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (898458) http://www.microsoft.com/technet/security/Bulletin/ms05-031.mspx Moderate Bulletins: Vulnerability in Microsoft Agent Could Allow Spoofing (890046) http://www.microsoft.com/technet/security/Bulletin/ms05-032.mspx Vulnerability in Telnet Client Could Allow Information Disclosure (896428) http://www.microsoft.com/technet/security/Bulletin/ms05-033.mspx Cumulative Security Update for ISA Server 2000 (899753) http://www.microsoft.com/technet/security/Bulletin/ms05-034.mspx Re-Released Bulletins: SQL Server Installation Process May Leave Passwords on System (Q263968) http://www.microsoft.com/technet/security/Bulletin/ms02-032.mspx ASP.NET Path Validation Vulnerability (887219) http://www.microsoft.com/technet/security/Bulletin/ms05-004.mspx Vulnerability in Outlook Web Access for Exchange Server 5.5 Could Allow Cross-Site Scripting Attacks (895179) http://www.microsoft.com/technet/security/Bulletin/ms05-029.mspx This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so. If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary. -- Regards, Jerry Bryant - MCSE, MCDBA Microsoft IT Communities Get Secure! www.microsoft.com/security This posting is provided "AS IS" with no warranties, and confers no rights. Tag: Auditing Whom delete an file or folder. Tag: 72629
  - 7
    - AD GetObject fails in ASP page when using smartcard logon Hi, I am having problems accessing Active Directory from VBscript in an ASP web application when it is configured for smartcards using Directory Service certificate mapping. The system scenario is as follows. Server 1 - W2K3 Server as Domain Controller with Active Directory Server 2 - W2K3 Server running IIS 6.0 and Exchange 2K3 Server Client 1 - W2K3 Server as client with CAC smartcard and IE 6 IIS is configured for Directory Service mapping, SSL, "Enable client certificate mapping" and Accept Client certificate. The client uses a CAC smartcard to logon and invokes a Web application on Server 2 via IE 6. Web app on Server 2 loads ASP page using VBScript to call GetObject("LDAP://CN=client1,CN=Users,DC=SERVER1,DC=COM") on User object to retrieve user attributes. GetObject fails with Err.Number = -2147016672 (0x80072020 - ERROR_DS_OPERATIONS_ERROR) In IIS Mgr properties for web app Virtual Directory, select Security/Edit and uncheck "Enable client certificate mapping". Now the user is prompted for username and password and GetObject succeeds. Does anybody have any ideas? PS I am told that if IIS cert mapping is used instead of DS mapping, it works OK. Thanks, MikeC Tag: Auditing Whom delete an file or folder. Tag: 72627
  - 8
    - It is patch day (10).... Patch your systems! Thanks Microsoft, -Im Tag: Auditing Whom delete an file or folder. Tag: 72626
  - 9
    - June Patches - where are they? it's 8am PST and nothing So, it's June 14th - where are the patches? Does MS release them at a certain time - like 10am PST or something? I'm very very eager to get them today, but I don't feel like sitting here at my browser clicking links and refreshing every 10 min in some hope they released them. Would be nice if there was a specific TIME to go along w/the specific day. Tag: Auditing Whom delete an file or folder. Tag: 72624
  - 10
    - Administrator password Hi, We have been told we have to change our Domain Administrator password. Is this as simple as going into A/D and reseting the password or is there more involved. Any advice would be grateful. Thx Tag: Auditing Whom delete an file or folder. Tag: 72621
  - 11
    - all in one fax, copier, scanner.........safe? are there any security issues with connecting an all-in-one to a networked machine? ie- is it possible to hack into the device via the phone line and then gain access to the computer~ domain? Tag: Auditing Whom delete an file or folder. Tag: 72620
  - 12
    - Compare Security config between two w2k servers Can Security Configuration and Analysis be used to compare two server's security configs? I have created a new database and a blank template file. Using these to load Security Configuration and Analysis and then Analyze Computer Now results in the Database Setting being Undefined and the Computer Setting showing the server's config. Now I want to "save/import/update" the Database Setting with the Computer Setting. Then open this database on another server to "highlight" security config differences. Many thanks Dan Tag: Auditing Whom delete an file or folder. Tag: 72619
  - 13
    - Unknown file Does anybody know what this file does? C:\wj2jovma.sys? I've searched google and MS to no avail. I checked properties for the file but that was usless. I'm concerned this is a virus that has gone undetected. Thanks, --Jim -- JPB Tag: Auditing Whom delete an file or folder. Tag: 72606
  - 14
    - Remote Desktop Connection Hello I am currently using "remote desktop connection", I am impressed with the speed and stability of it, but I would like to know if any one has found any serious security issues involved in useing it. Also when two people log on remotley as Administrator, does this drop the account on the machine and drop any programs running. My bussines partner and I both logged on remotley as Administrators and this caused a fatal error and caused the server to reboot. Thank you in advanced for any help offered Adrian :o) Tag: Auditing Whom delete an file or folder. Tag: 72604
  - 15
    - MS document encryption I want to ensure that documents passworded by our staff are encrypted with something stronger than the 40-bit encryption provided by default. Accordingly, I have followed the advice given in the MS Office Assistance document "Import Aspects of Password and Encryption Protection" on setting the "DefaultEncryption" registry keys on my PC. Unfortunately, when I run up Word, even after a reboot, it still seems to default to 40-bit encryption, though I can select and use the stronger encryption. How can I make Word default to using the stronger encryption? Martin Taylor Tag: Auditing Whom delete an file or folder. Tag: 72603
  - 16
    - Account Lockout threshold Three domain controller: one primary and two backup Member servers (joined same DC) : MServer1, MServer2 All are windows 2000 SP3 servers I want to set account policy in MServer1 and MServer2: Account Lockout duration: Not defined (original) --> 30minutes (new) Account Lockout threshold: 0 (original) --> 5 (new) invalid logon attempts Reset account lockout counter after: Not defined (original) --> 30minutes (new) In MServer, all settings were changed as I expected. However, for MServer2, in "local policy settings --> account lockout threshold", the local setting = 5, the effective setting = 0. In DC, the "Domain Controoler Security Policy", "Domain Security Policy" and "Local Security Policy", the effective setting = not defined I tried to change MServer2 account lockout threshold to 5 in "Local Sercurity Policy", "MMC-->Group policy" and "MMC-->Security Configuration and Analysis", but the effective setting is still = 0 How to set account lockout threshold to 5 in MServer2? Tag: Auditing Whom delete an file or folder. Tag: 72595
  - 17
    - missing key/value in registry of w2k server - hot to track it? wi there, Recently I have a problem that the key included the value in registry had been deleted / missing but I can not find why or by who? My question is perharps there is a way to zoom in why it could be happened and how to track the causing of missing key/value in registry. Is there any tools to help it out? Thanks for your help..... Tag: Auditing Whom delete an file or folder. Tag: 72592
  - 18
    - IPSEC for scripting Hey can anyone provide an example of how to use IPSEC in a script/commandline between a Win2000 and Win2003 server. I want to create a tunnel so I can use Robocopy between the boxes like I use Rsync and SSH on my linux boxes. I'm new to this so please be descriptive. Thanks! ----------- Anyone who knows everything, leads a pretty boring life Tag: Auditing Whom delete an file or folder. Tag: 72587
  - 19
    - Solution for securing VPN/RAS using 2-factor SMS Authentication Hi Everyone, I've developed an IAS plugin, 'MobileKey', that provides 2-Factor Authentication (via SMS) for VPN/RAS networks using Microsoft IAS (Win2k/Win2k3) as RADIUS server. Two authentication modes are supported - Windows password plus SMS access code, and Challenge Password plus SMS access code. Delivering access code by SMS secures the VPN against key-press capture spyware and trojans residing on the client PC. 'MobileKey' is database driven/secured and can comfortably authenticate up to 50,000 users a day with an SMPP connectivity to an SMSC. I'm now looking for beta testers for this plugin to test out on ISA Server and other VPN/RAS equipment, as well as partners interested in reselling this kind of solution out of the box, customized or OEM. 'MobileKey' offers unbeatable value for deployments exceeding 30 VPN users as no hardware key is required - your mobilephone is your key generator! Here's some preliminary information:- SMS Gateway used - VisualGSM Enterprise Server (http://www.visualtron.com/products_enterprise.htm) IAS Plugin Windows Installer with Help file (http://www.visualtron.com/download/mobilekey-radius.exe) SMS delivery mode - GSM or SMPP 3.3/3.4 Please feel free to contact me anytime. Rgds, Joshua Lim Visualtron Software http://www.sms-gateway-software.com Tag: Auditing Whom delete an file or folder. Tag: 72582
  - 20
    - Firewall I am unable to connect to the Internet through Musicmatch Jukebox b/c of a firewall that is turned on. I have disabled at least one firewall by opening the security center. I can't figure out how to disable the firewall that's on from a program I've already deleted. As a result, I cannot download music. Please help! Tag: Auditing Whom delete an file or folder. Tag: 72575
  - 21
    - Expiring AntiSpyware Hello, i was just wondering about Antispywere it is gonna expire in 10 Days what should i do? Any Answers? Tag: Auditing Whom delete an file or folder. Tag: 72572
  - 22
    - Unknown User Logon attempt I'm trying to track down a user logon attempt on one of my servers. W2k AD enviroment Whenever I reboot one of my member server i get an event 681/529. What scares me is that the username attempting to logon is called "secret". I know for sure it's not a domain user account nor a local user account on the server. I'm trying to find more info on this user. I only receive this event when I reboot the server as if it's a service starting up. I don't see any unknown services running on the server though? Any suggestions how to best troubleshoot this? Here's a copy of the event: Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 529 Date: 6/11/2005 Time: 9:10:31 AM User: NT AUTHORITY\SYSTEM Computer: EVANS10 Description: Logon Failure: Reason: Unknown user name or bad password User Name: Secret Domain: Logon Type: 2 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: "member server" Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 681 Date: 6/11/2005 Time: 9:10:31 AM User: NT AUTHORITY\SYSTEM Computer: member server Description: The logon to account: Secret by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: member server failed. The error code was: 3221225572 Thanks Tag: Auditing Whom delete an file or folder. Tag: 72568
  - 23
    - SE caught a trojan or is it misslabeled Hi Spyware Exterminator caught a trojan called "Trojan Win 32 FTP Attack" in the C:\WINDOWS\CREATOR\Remind_XP.exe, file. Now I would normally delete this and move on, however the last time I attempted recovery the error message PRELOAD is missing or corruppted flashed while recovering. The computer got stuck while reloading for about a day or two. I attempted and completed a DESTRUCTIVE RECOVERY, which brings me to the point of having another trojan??? (or legit program labeled as a trojan). I ALSO USED SYSTEM MECHANIC TO DELETE UNNECESSARY FILES -------WHAT DO YOU GUYS THINK?????? -- Thought computing was supposed to be easy. Tag: Auditing Whom delete an file or folder. Tag: 72567
  - 24
    - Does we need a dedicated software to guard mIRC? I am a mIRC user and found a software declare dedicated for the security of IRC program! There already have AV and firewall to guard my system. Does I need this IRC dedicated door installed?? bellow is the link of it: http://www.diamondcs.com.au/index.php?page=irclean __ Lecter - "Trust No One!" Tag: Auditing Whom delete an file or folder. Tag: 72562
  - 25
    - server 2003 administrator password We have just received a new machine with server 2003 loaded as per our bespoke software suppliers instructions. the machine was configured with turkish as the default language, however, the software we installed required english as the primary language so i changed this in the control panel. After restarting i found that the administrators password is now invalid and after three unsuccessful attempts to log in the machine will no longer boot! Can anyone please offer a technophobe some simple help? Tag: Auditing Whom delete an file or folder. Tag: 72560
- Next
  - 1
    - Windows Firewall off and indicates on Hello , XP , SP2 , Norton Personal Firewall , Lately when turn off Windows firewall is selected , the Windows Security Center Control Panel indicates 'on .' Is there a solution and fix ? Personal firewall on or off does not affect this behavior . Thank You . -- KD Tag: Auditing Whom delete an file or folder. Tag: 72558
  - 2
    - unauthorized access into hotmail account I need some help. I have a case where my client is alleging wrongful termination by his former employer. It seems that his former employer found a way to access his personal hotmail account, thus also accessing information protected by attorney-client privilege. We can't be sure there was unauthorized access. Is there some way to determine if the email was accessed by anyone other than my client? I'm hoping we can do this without a court order or lawsuit, since we hope to resolve this matter out-of-court. Thanks. Tag: Auditing Whom delete an file or folder. Tag: 72551
  - 3
    - centralized, multi-OS authentication ? in a mixed environment with mainframes, unix/linux, windows, etc... is there some way to have a centralized authentication server or service that users can authenticate to once ( kerberos ? ldap ? ) and then pass the authentication on to all of the other hosts in the mixed environment ? not sure what the best way to go about this is, but when passwords expire on each host every 90 days its a nightmare to sync all of the new passwords on all of the different machines. tia for any help or guidance on this one ... Tag: Auditing Whom delete an file or folder. Tag: 72550
  - 4
    - Alternative Login Methods/Security Devices/Smart Cards Hi I'm wondering if anyone out there has any experience with this. I have a complex password scheme applied to my domain and I have a user who has issues remembering complex passwords. This user is important enough that I find an alternate solution without removing my password policy. Has anyone had any experience with this, or any suggestions on what route to go? Thanks in advance! Tag: Auditing Whom delete an file or folder. Tag: 72548
  - 5
    - OneCare Beta Program If anyone out there would like to help out with Microsoft's OneCare solution and has some time (and resources) to spare, go to the following link and nominate yourself for the OneCare beta program: http://beta.windowsonecare.com/betaentry.aspx Please Note: This is a BETA and things can go wrong, if you are not prepared to provide balanced beta feedback or, potentially, do a complete system restore please do not nominate yourself. I have been running it for about a week on a number of computers and for the most part I am quite impressed, it is simple and effective. BB Tag: Auditing Whom delete an file or folder. Tag: 72547
  - 6
    - ms02-039 i have xp-pro, am a home user, not running a server, my question is why do i keep getting hit with stuff like ms02-039, this is the last one to occur, been happening for a while now, im thinking that , perhaps, i downloaded the wrong updates form microsoft, if so, yall know of any way i can find out, so i can delete it? im a newbie , dont know much about digging around in the system, thanks Tag: Auditing Whom delete an file or folder. Tag: 72546
  - 7
    - Certificate Autoenrollment Hoping someone might be able to enlighten me on this subject and correct any assumptions I am making that might be wrong. Thanks in advance. When you set up your CA you can specifiy in the capolicy.inf file which pki services you wish to provide to users/computers. Some of these, such as basic EFS and Domain Controller, are set up for autoenrollment by default as defined in group policy. This is fine, except for when you want to limit who/what can request the certificates. I have both basic EFS and Domain Controller certificates being issued. I don't want to implement these certificates yet and wish to controll the requests which are building up in my pending queue. I was able to modify the Autoenrollment setting in Group Policy for my Win2003 Domain Controllers to stop them from requesting certificates, but the Win2000 DCs are still requesting and I have not found where the setting in group policy is to controll this. I can also remove this template from the certificate store, but I read a warning that once removed you cannot issue certificates based on the template anymore. Not sure if this simply meant that a custom template definition would not be available as I can't see any restriction that would keep me from adding it back in after I removed it. This brings up the question, "Am I being a paranoid control freak." Should I just allow the domain controllers to request their certificates even though I have not implemented anything yet based on those certs. Just a bit confused why MS would asssume this how an admin would want the default behavior. Tag: Auditing Whom delete an file or folder. Tag: 72544
  - 8
    - Require connecting systems to be a Domain Computers Does anyone know how to prohibit computers from connecting to a Windows 2003 Server share unless the system they are connecting from is a member of the domain. I a few "power users" and developers who keep removing their systems from the domain, and just connecting to the server by browsing and using their domain credentials. These users need to be able to add computers to the domain, as they reinstall Windows often to test stuff on a clean machines. If I don't allow them to connect to the file server unless their system is a part of the domain, that will solve the problem. I feel that this should be such an obvious thing to do, but I have yet to see any information on how to do this. Kevin Tag: Auditing Whom delete an file or folder. Tag: 72542
  - 9
    - Total protection for your software against crack EXECryptor reaches version 2.1.21 Software piracy! Cracked serial numbers! Thousands of commercial products are posted on the warez sites and become available to all every day! Companies lose millions of dollars every year to software piracy, and faulty protection programs. Shareware developers look for unbreakable protection for their products and create some protection themselves or try many of the ready-made tools. Unfortunately most tools have already been cracked, and self solutions often only take one determined cracked a few hours to bypass. As a result they soon find the stoles keys and product cracks on thousands of hacker Internet pages. No solution ? Well there is It is time to turn to the uncrackable, time tested, EXECryptor protection product. EXECryptor is a powerful, software tool that allows developers to significantly increase software protection from reverse engineering, analysis and modifications. Its main difference from other protection tools is its brand new metamorphing code transformation technology. With EXECryptor the protected code block is not just packed or obfuscated like many other packers, but also disassembled into nondeterminate transformations, effectively scrambling the visible logical code structure and making it impossible to reverse. After the code transformation, it remains executable and working as it is supposed to but it cannot be analysed, modified, or circumvented. It is not just a question about code encryption but also code transformation. You can optionally wrap additional parts of your code, at a source code level, in special flags which then transform into virtually impossible code to trace, crack, or bypass. Protected code blocks are never decrypted during execution they remain in their transformed code state. Code restoration becomes an NP-hard problem. EXECryptor has the innovative very powerful antidebug, antitrace and import protection features to stop the latest cracking software. EXECryptor allows to use short registration keys of 12/16 characters long, based on a new generation of our HardKey algorithm, cryptographically strong ultrashort digital signature. The power of software protection with EXECryptor is proved out in practice: despite numberous cracking attempts and challenges, the EXECryptor's 2.x series has not been cracked since its inception in July of 2004. In addition to its advanced protection features, EXECryptor allows you to compress the code and resources of your application. EXECryptor is able to protect any 32bit PE executable file (exe, dll, bpl, vxd, wdm). It has been tested with W95/98/ME/2000/NT/XP/2003. SDKs are available for Delphi, C++Builder, Microsoft Visual C++, LCC, PellesC, Visual Basic, PowerBASIC and PureBasic. What's new in this version : - added SDK's and examples for support LCC, PellesC, PowerBASIC and PureBasic - added new option: Delay DLL loading - improved: wmvare/virtualpc/wine compatible mode - improved: protection from inline patching - improved: antidebug protection EXECryptor is distributed electronically over the Internet; free trial version is available at http://www.strongbit.com for evaluation. The price of a single copy is 135.00 US Dollars / 99 EUR. There are significant discounts available for multiple purchases and site license buyers (starting at as few as 5 copies). * Operating system: Windows 95, 98, ME, NT, 2000, XP, 2003 * RAM: 32 Mb * Hard Disk: 2.5 Mb Product Page: http://www.strongbit.com/execryptor.asp Download: http://www.softcomplete.com/download/execryptor.zip Buy Link: http://www.strongbit.com/order.asp Tag: Auditing Whom delete an file or folder. Tag: 72535
  - 10
    - SQL2K WIN2K3 CONNECTION SECURITY This question got rejected from the SQL Server group, but i'll try here as it relates to security. I moving an old SQL Server-backend-IIS5/ASP-fronte=AD=ADnd application to servers with windows 2003 standard edition. One server will run the database the other will run IIS 6.0. Note that i haven't set-up a domain, which i think requires one machine to be domain controller which would decrease performance and stuff. I've simply put them on the same group. I wan't to restrict access to the sql server so only the incomming connection from the webserver is allowed. I can use either named pipes(which should be the fastest protocol) or tcp(which should be slight slower than named pipes) but I seem to have a problem. If I use named pipes to connect, the IUSR(the user under which IIS is running) must have access-rights to IPC$ share on the sql server. I can't seem to set any access-right directly for IPC$ share, but I can reactivate my guest user and then it works, but then everyone can now access the ipc$ share so it's not really what i'm looking for. I can also connect through TCP( and set up some kind of filter only allowing incomming connections on port 1433 from the ip of the web server. But i don't know how to do this. I've taken a look at the IPSec stuff but it's all about kerberos authentication and other bull which i don't think i need. What i need is a simply ip port filter, which does nothing else but reject incomming connections to sql server on port 1433 originating from any other ip's than my webserver. My question is how do I do this? Do i need to have a additional "firewall" service running and, if so, how much extra overhead will this create for the sql server. Alternately, is it possible to change the access rights for the IPC$ share manually? Thanks in advance for any input you might have on this? Tag: Auditing Whom delete an file or folder. Tag: 72533
  - 11
    - Certificate Authority services on W2k forest I want to setup an internal CA to deploy 4 certificates to our users (even though our total user count in this company is 5000). We do not have any major plans to deploy additional certs for others. Question: Can i just install CA on a domain controller? MS' best best practice is to use a 2 tier/3 tier method and NOT INSTALL CA on a DC. But in our situation, we just need it to do a fast deployment. Deploying CA on 3 servers just dont' justify the cost. Let me know what the drawback is by installing it on a domain controller. Tag: Auditing Whom delete an file or folder. Tag: 72521
  - 12
    - How to allow certain users to restart a service on W2K3 serves? I would like to enable a group of users to only be able to restart the Print spooler service. (Don't want him to have any additional rights). I don't want them to have administrators priviledges either. How do we enable this? Tag: Auditing Whom delete an file or folder. Tag: 72515
  - 13
    - Using Cacls I am trying to use Cacls to add Domain Users to numerous folders within a folder and can not seem to get it to work. Can it be done on a server cacls /T /E /G domain users:F c:\testfolder\*.* Can someone help me with the syntax Many Thanks Tag: Auditing Whom delete an file or folder. Tag: 72514
  - 14
    - LDAP changePassword always returns error I'm working on a script to change a user's password in an AD domain. Our problem is a script that uses the changePassword method to change a user's password. No matter how strong the new password is, we always return an error that says the new password is either not unique or doesn't meet the policy for strong passwords. This script doesn't work when run as either the user making the change or the domain administrator. I think this error is bogus; we have another script that overwrites the user's password with a strong random one (which runs in the context of the domain admin), and that works fine. Tag: Auditing Whom delete an file or folder. Tag: 72513
  - 15
    - Running IIS and Massager on Windows Servers I want to find out about running IIS and Massager on Window Servers, what is the risk in security? I am also afraid that by running these items on a secured system that it will cause problems someday. Are there any articles I can read or any advice would be great. Tag: Auditing Whom delete an file or folder. Tag: 72507
  - 16
    - Hotmail signing out For the past week or so, every time I try to sign out of Hotmail I'm told I can't - the page I'm sent to tells me that if I can sign out of a site, there's a green tick, if not, a red cross. I've never seen such things! Where are they? And how can I safely sign out of my account? If anyone can help, I'd be very grateful... I'm not very technical, you see... Tag: Auditing Whom delete an file or folder. Tag: 72505
  - 17
    - New IE security hole Hi, I discovered a NEW security hole / exploit in IE6 with SP2 and all the latest security patches. Overview of the exploit: * Bug for all Microsoft Internet Explorer users * Can be abused by hackers to run harmful JavaScript code and can be abused to mislead existing protection against harmful JavaScript code, like software from Norton, McAfee,. * Can be abused to mislead the search engines Google, MSN, Yahoo, AltaVista,. * Unpleasant for JavaScript programmers All the information about the NEW horrible bug (info, exploit,.) , see the page http://research.seniorennet.be/Techresearch/Javascript_security_flaw_bug_ie_6/security_flaw_bug_javascript_ie_6_internet_explorer.php Best regards, Pascal Vyncke Tag: Auditing Whom delete an file or folder. Tag: 72502
  - 18
    - ms02-039 my av caught this, called it a virus, ms02-039 sql, thats all i can read of the description, it came from source ip 220.104.2.137, protocol...udp have no idea what that means Tag: Auditing Whom delete an file or folder. Tag: 72500
  - 19
    - Thirty steps to PC security This article describes the steps necessary to secure your Windows operating system from malicious exploits. The solutions listed below will protect you from every major vulnerability found on the Internet today, June 08, 2005. If by chance you would prefer to use tested software to enable these solutions, go to http://www.geocities.com/turbotramp2/samurai.html or click http://www.geocities.com/turbotramp2/samurai.zip to download the most recent version of Samurai. This Host-based Intrusion Prevention System will secure your machine using the solutions listed below. DISABLE INSECURE CONTROLS: Disable known insecure ActiveX controls. This solution disables the use of insecure ActiveX controls. The registry key â??HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibilityâ?? is updated with the GUIDâ??s of known insecure controls that do not affect normal operation when disabled. The GUIDs are: // ADODB control {00000566-0000-0010-8000-00AA006D2EA4} // Shell.Application {13709620-C279-11CE-A49E-444553540000} // AnchorClick DHTML Behavior {8856F961-340A-11D0-A96B-00C04FD705A2} // Image Control 1.0 (uses asycpict.dll) {D4A97620-8E8F-11CF-93CD-00AA00C08FDF} // DHTML Editing Control {2D360201-FFF5-11D1-8D03-00A0C959BC0A} PREVENT AIM EXPLOIT: Disable the AIM URL protocol handler. This solution prevents the use of the AIM URL protocol by replacing the insecure ActiveX GUID with a harmless substitute, in this case the HTML Help GUID is used. The AIM URL protocol is not required for normal operation and does not affect AOL Instant Messaging. The registry key is â??HKCR\PROTOCOLS\Handler\aimâ??. The registry value is â??CLSIDâ??. PREVENT ANONYMOUS ACCOUNTS: Prevent anonymous accounts. This solution prevents the use anonymous sessions by setting the registry value â??HKLM\System\CurrentControlSet\Control\Lsa\restrictanonymousâ?? to true. This setting will not become active until the machine is rebooted. As such, â??The new configuration will require a rebootâ?? will be displayed when this setting is altered in Samurai. DISABLE AUTO FILE OPEN: Disable automatic file open from explorer. This solution prevents Explorer from opening files without first prompting the user. This is accomplished by masking all auto open bits in EditFlags values of registry keys located in HKLM\Software\Classes, HKLM\Software\Classes\Shell\Open, HKLM\Software\Classes\CLSID, HKCU\Software\Classes, HKCU\Software\Classes\Shell\Open and HKCU\Software\Classes\CLSID. STOP BIT SERVICE: Stop the Background Intelligent Transfer Service. This solution stops the Background Intelligent Transfer Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. DISABLE URL PROTOCOLS: Disable dangerous URL protocols. This solution disables the use of insecure URL types "ms-itsâ??, "ms-itss", "its", "mk" and "local" by removing the type entries from the â??HKLM\Software\Classes\Protocols\Handlerâ?? and â??HKCR\Protocols\Handlerâ?? registry keys. DISABLE DYNAMIC ICONS: Disable insecure job icon handlers. This solution disables dynamic icon handlers for (.job) JobObject files by removing the "IconHandler" keys from "HKCR\JobObject\shellex" and "HKLM\SOFTWARE\Classes\JobObject\shellex". Dynamic job icon handlers are not required for normal operation and can be abused to allow full control of a host machine from a remote computer. SECURE EXPLORER ZONE 0: Set and secure "My Computer" zone. This solution secures â??My Computer Zoneâ?? by resetting the values of the registry key â??SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0â??. These special settings prevent many vulnerabilities including MS05-001, MS05-008 and MS05-014. The settings are: 1001 Download signed ActiveX controls Disable 1004 Download unsigned ActiveX controls Disable 1200 Run ActiveX controls and plug-ins Prompt 1201 Initialize and script ActiveX controls not marked as safe Disable 1400 Active Scripting Allow 1402 Scripting of Java applets Disable 1405 Script ActiveX controls marked as safe for scripting Allow 1406 Access data sources across domains Disable 1407 Allow paste operations via script Disable 1601 Submit non-encrypted form data Disable 1604 Font Download Disable 1605 Run Java Disable 1606 User Data persistence Disable 1607 Navigate sub-frames across different domains Disable 1608 Allow META REFRESH Disable 1609 Display mixed content Disable 1800 Installation of desktop items Disable 1802 Drag and drop or copy and paste of files Allow 1803 File Download Disable 1804 Launching programs and files in an IFRAME Disable 1E05 Software channel permissions 196608 DISABLE GRP ASSOCIATION: Disable dangerous .grp file conversions. This solution disables the insecure association between â??.grpâ?? files and â??MSProgramGroupâ?? by deleting both registry keys from HKCR. DISABLE GUEST ACCOUNT: Disable the Guest Account. This solution disables the guest account by removing account registry keys â??Vâ?? and â??Fâ?? from â??SAM\SAM\Domains\Account\Users\000001F5â??. The guest account is not required for normal operation and can be used by privilege escalation exploits to gain full administrative control of a machine. DISABLE HTML APP TYPE: Disable the HTML Application MIME type. This solution disables the HTML application type by removing the â??application/htaâ?? registry key from both â??HKCR\MIME\Database\Content Typeâ?? and â??HKLM\SOFTWARE\Classes\MIME\Database\Content Typeâ??. PREVENT HTML FRAME EXPLOIT: Check FRAME/IFRAME NAME field. This solution registers an HTML filter that checks for FRAME and IFRAME tags with overly long NAMEs. The filter removes overly long names from the HTML stream to prevent a well-publicized buffer overflow. This can only be accomplished with the Samurai HIPS. SECURE HTTP SETTINGS: Secure HTTP configuration parameters. This solution adjusts registry values under the â??HKLM\ System\CurrentControlSet\Services\\HTTP\Parametersâ?? key to secure HTTP from many common vulnerabilities. The settings are: "AllowRestrictedChars" 0 "EnableNonUTF8" 1 "FavorUTF8" 1 "MaxConnections" 0x7fffffff "MaxEndpoints" 0 "MaxFieldLength" 16384 "MaxRequestBytes" 16384 "PercentUAllowed" 1 "UrlSegmentMaxCount" 255 "UriEnableCache" 1 "UriMaxUriBytes" 262144 "UriScavengerPeriod" 120 "UrlSegmentMaxLength" 260 PREVENT IMAGE EXPLOITS: Check image files for correctness. This solution hooks various system calls to block Animated Cursor (.ANI) and GDI+ (.JPG) files containing buffer overflow exploits. Only files with embedded buffer overflows will be blocked from image processing. Properly formatted ANI and JPG files will not be affected by this solution. This can only be accomplished with the Samurai HIPS. STOP INDEX SERVICE: Stop the Windows Indexing Service. This solution stops the Windows Indexing Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. SECURE LICENSE LOGGING: Disable null session License Logging. This solution disables insecure nullSession license logging by removing "LLSRPC" from the â??NullSessionPipesâ?? value of the â??HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parametersâ?? registry key. PREVENT LSASS EXPLOIT: Prevent LSASS (Sasser based) exploits. This solution repairs a well-known LSASS vulnerability by setting the LSASS dcpromo.log file to â??read onlyâ??. The dcpromo.log file can be found in the system directory under the â??debugâ?? directory. STOP MESSAGE SERVICE: Stop the Windows Messaging Service. This solution stops the Windows Messaging Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. This solution does not affect Instant Messaging services. STOP NET DDE SERVICE: Stop the Net DDE Service. This solution stops the Network Dynamic Data Exchange Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. DISABLE PCT SERVICE: Disable the Private Communication Transport. This solution disables the PCT protocol by disabling both the â??Clientâ?? and â??Serverâ?? registry keys under â??HKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0â??. The PCT protocol is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. DISABLE UPNP SERVICE: Disable the Universal Plug and Play Service. This solution stops the Simple Service Discovery Protocol, which disables Universal Plug and Play. The SSDP service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. This solution does not affect local Plug and Play operation. DISABLE RDS: Disable the Remote Data Services Datafactory. This solution disables 3 insecure RDS datafactory objects; RDSServer.DataFactory, AdvancedDataFactory and VbBusObj.VbBusObjCls by removing the corresponding registry keys from â??HKLM\System\CurrentControlSet\Services\W3SVC\Parameters\ADCLaunchâ??. These objects are not used in normal operation and will not affect other Remote Data Services. STOP REMOTE REGISTRY SERVICE: Stop the Remote Registry Service. This solution stops the Remote Registry Service. This service is not required for normal operation and can be used to remotely reconfigure a host machine from a remote computer. DISABLE ROOTKITS: Clear existing rootkits and prevent future loading. This solution hooks system calls to prevent the loading of rootkits and refreshes the kernelâ??s system call table to clear existing rootkits. This solution also contains a user interface that informs the operator when attempts are made to load device drivers during normal operation. This can only be accomplished with the Samurai HIPS. DISABLE RPC-DCOM: Disable RPC based DCOM. This solution disables the DCOM client protocol of the Remote Procedure Call protocol by setting â??HKLM\Software\Microsoft\OLE\EnableDCOMâ?? to â??Nâ?? and removing any data in â??HKLM\Software\Microsoft\Rpc\DCOM Protocolsâ??. The Client DCOM portion of RPC is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. This setting will not become active until the machine is rebooted. As such, â??The new configuration will require a rebootâ?? will be displayed when this setting is altered in Samurai. DELETE SAM FILE: Delete the backup password file. Many Windows operating systems save a backup copy of the SAM file in the repair directory under the system directory. This file contains SMB username and password data that can be decoded by utilities such as JohnTheRipper to retrieve valid login information. The backup file is only used for emergency backup and is not required for normal operation. DISABLE SHELL URL: Disable the Shell URL protocol handler. The solution disables the Shell protocol handler by replacing the insecure ActiveX GUID found at â??HKCR\PROTOCOLS\Handler\shell\CLSIDâ?? with a harmless substitute, in this case the HTML Help GUID. The Shell URL protocol is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. BLOCK SYN ATTACKS: Prevent TCP/IP SYN attacks. This solution helps to prevent SYN Flood Attacks from disabling TCP/IP by setting the "SynAttackProtect" value of the "HKLM\SYSTEM\CurrentControlSet\Services\TcpIp\Parameters" registry key. The value is set to 2, which adds additional delays to connection indications and allows TCP connection requests to quickly timeout when a SYN attack is in progress. DISABLE WWW DAV: Disable Distributed Web Authoring. This solution disables the Distributed Web Authoring service by setting the "DisableWebDAV" value of the "HKLM\System\CurrentControlSet\Services\W3SVC\Parameters" registry key. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. DISABLE WIN SERVICE: Disable the Windows Internet Naming Service. This solution disables the Windows Internet Naming Service. This service is not required for normal operation and can be abused to allow full control of a host machine from a remote computer. I hope this helps, TurboTramp Tag: Auditing Whom delete an file or folder. Tag: 72494
  - 20
    - Website Tracking by User I am looking for a simple application (free or not) that will track website usage by user. If it can use the windows logon that is fine, if not it would be ok if it required users to logon to the software before they could access internet explorer. Something that just recorded the User, URL, Date, Time. This is for home use so I can track my kid's web usage. I'm running Win 2k pro and each person in the household has their individual logon id & password. I know some of this information is contained in the history files but it can be deleted. Anyone have any ideas??? thanks! Tag: Auditing Whom delete an file or folder. Tag: 72484
  - 21
    - Spyware apps for Win95 I need to set up a PC for a temporary user (student intern), and the only spare I have that's any good is an old Win 95 unit. I'd like to install anti-spyware on it, but SpyBot S&D won't install because it keeps telling me there are .dlls missing. I tried to download and install them, but still no luck. I tried AdAware, but the newer versions don't work on 95 either. I understand one of the older versions does, but I can't find it. Does anyone know where I can download an older version of AdAware that is compatible with Win 95? We are a non-profit, and money is tight. Thanks! Tag: Auditing Whom delete an file or folder. Tag: 72478
  - 22
    - Folder and Subfolders Permisions using Scripts Our HR dept. has purchased a new HR software that needs to be installed on all of our Desktops (600 pc's) the software when installs it gives admin rights full control to it's app directory and read to everyone group. In order for the software to work for all users we need to give everyone group full rights to the app. directory and subdirectory. How can we accomplish this by using a logon script. Tag: Auditing Whom delete an file or folder. Tag: 72477
  - 23
    - IPSEC thru ISA 2000 Can we establish a policy to allow our internal users to connect thru ISA using Check Point or Cisco VPN servers. Tag: Auditing Whom delete an file or folder. Tag: 72473
  - 24
    - Password Policy Hello, I have been trying to find Microsoft's recommendation on password policy's, but no luck. Also, if I set a password policy that forces users to change the password, what about services (exchange, veritas, ....)? If I select password never expires for the services, will they be exempt form that policy? Tag: Auditing Whom delete an file or folder. Tag: 72472
  - 25
    - Windows Firewall exceptions Is it possible to configure the exceptions in Windows Firewall for different network environments? For example, when I'm surfing internet in a cafe with wireless LAN, file&print exception will be auto disabled; when I'm back to my office having wireless LAN, file&print exception will be auto enabled. Thank you. Regards Gary Tag: Auditing Whom delete an file or folder. Tag: 72469

Hi,

It is possible and how to set Audit so I can log which user at which
workstation delete an file or folder?

Thank,

S.

Top

Re: Auditing Whom delete an file or folder. by Roger

Roger
Wed Jun 15 03:39:41 CDT 2005

You may easily set auditing to record which account deleted
a file or folder. You would need to cross-correlate this account
info with login records to determine from what workstation, and,
you would have to use other means to tie the account use to a user.

To set auditing, in the Auditing policies of the machine where the
file/folder exists, enable the policy setting "Audit object access"
(likely for success and failure). Then, at the filesystem area of
concern access the NTFS Security dialog in the properties of the
folder rooting that NTFS area and click into the Advanced view,
where you would access the Audit tab and define to audit Delete
for Everyone and check to have it applied to all substructure.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"IT Boy" <shingxx@hotmail.com> wrote in message
news:%23fyEJjXcFHA.2288@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> It is possible and how to set Audit so I can log which user at which
> workstation delete an file or folder?
>
> Thank,
>
> S.
>
>

Top

Re: Auditing Whom delete an file or folder. by Karl

Karl
Wed Jun 15 06:46:06 CDT 2005

See http://securityadmin.info/faq.asp#auditing

"IT Boy" <shingxx@hotmail.com> wrote in message
news:%23fyEJjXcFHA.2288@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> It is possible and how to set Audit so I can log which user at which
> workstation delete an file or folder?
>
> Thank,
>
> S.
>
>

Top

Re: Auditing Whom delete an file or folder. by Imhotep

Imhotep
Wed Jun 15 10:28:49 CDT 2005

IT Boy wrote:

> Hi,
>
> It is possible and how to set Audit so I can log which user at which
> workstation delete an file or folder?
>
> Thank,
>
> S.

..be forewarned, MS auditing is quite a burden on the OS...

-Im

Top