Like files and folders, services are access-controlled objects, and every access-controlled object has a security descriptor. Part of a service's security descriptor is the system ACL (SACL), which you can use to track access to that object. The only way to view or change a service's current SACL is through security templates.

To reach the security templates, log on to the server and open the Microsoft Management Console (MMC) Security Templates snap-in. To create a new template, right-click the security templates path. Select New Template, click System Services, then double-click the appropriate service (e.g., Telnet). Select the "Define this policy setting in the template" check box, then click Edit Security to open the Security for Telnet dialog box. This dialog box contains the service's ACL, which you can use to fine-tune who has start and stop authority. Click Advanced, then select the Auditing tab in the Access Control Settings for Telnet dialog box. As you can see, no auditing is currently enabled on the Telnet service, because auditing isn't enabled by default. Click Add, then add an entry to track successful start and stop events that members of Everyone initiate. Close all the dialog boxes, then save the template.

Import the template into the MMC Security Configuration and Analysis snap-in, then apply the template. Now you can check the Security log for event ID 560 (success audit: object open), where Object Type is SERVICE OBJECT, Object Name is the short name of the service you're monitoring (for the Telnet service, TlntSvr), and the logged accesses include "Start the service" and "Stop the service".
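The final check above, turned into detection logic as an added example (not code from the original column): it filters event ID 560 records down to SERVICE OBJECT opens that carry start or stop access and reports who opened which service. The records below are constructed to mimic the 560 message layout and are not real log data; the field names and the `-` placeholder for an absent client identity are assumptions.

```python
import re

# Constructed sample Security-log records as (event_id, message body), modelled
# on the event ID 560 "Object Open" body the article describes; not real data.
SAMPLE_EVENTS = [
    (560, "Object Open:\n\tObject Server:\tSC Manager\n\tObject Type:\tSERVICE OBJECT\n"
          "\tObject Name:\tTlntSvr\n\tPrimary User Name:\tSERVER$\n\tPrimary Domain:\tCORP\n"
          "\tClient User Name:\tjdoe\n\tClient Domain:\tCORP\n\tAccesses:\tStart the service\n"),
    (560, "Object Open:\n\tObject Server:\tSC Manager\n\tObject Type:\tSERVICE OBJECT\n"
          "\tObject Name:\tTlntSvr\n\tClient User Name:\tjdoe\n\tClient Domain:\tCORP\n"
          "\tAccesses:\tQuery service status\n"),          # open for status only: not a hit
    (560, "Object Open:\n\tObject Server:\tSC Manager\n\tObject Type:\tSERVICE OBJECT\n"
          "\tObject Name:\tTlntSvr\n\tPrimary User Name:\tAdministrator\n\tPrimary Domain:\tSERVER\n"
          "\tClient User Name:\t-\n\tClient Domain:\t-\n"
          "\tAccesses:\tStart the service\n\t\t\tStop the service\n\tPrivileges:\t-\n"),
    (560, "Object Open:\n\tObject Server:\tSecurity\n\tObject Type:\tFile\n"
          "\tObject Name:\tC:\\secret.txt\n\tClient User Name:\tjdoe\n\tClient Domain:\tCORP\n"
          "\tAccesses:\tREAD_CONTROL\n"),                   # a file open, not a service
    (560, "Object Open:\n\tObject Server:\tSC Manager\n\tObject Type:\tSERVICE OBJECT\n"
          "\tObject Name:\tSpooler\n\tClient User Name:\tbob\n\tClient Domain:\tCORP\n"
          "\tAccesses:\tStop the service\n"),
]
START_STOP = {"Start the service", "Stop the service"}

def parse_560(body):
    """Turn the tab-separated 'Key:<tab>Value' body into {key: [values]}.
    Indented lines without a key continue the previous field, which is how the
    Accesses field lists several rights on separate lines."""
    fields, key = {}, None
    for line in (l.strip() for l in body.splitlines()[1:]):  # skip "Object Open:"
        m = re.match(r"([A-Za-z ]+):\t?(.*)", line)
        if m:
            key = m.group(1)
            fields[key] = [m.group(2).strip()] if m.group(2).strip() else []
        elif line and key:
            fields[key].append(line)
    return fields

def _first(fields, *keys):
    """First value among keys that is present and not the '-' placeholder."""
    for k in keys:
        v = fields.get(k, [])
        if v and v[0] != "-":
            return v[0]
    return ""

def service_start_stop_events(events, service=None):
    """Return (domain\\user, service short name, granted start/stop accesses)
    for each 560 record that opened a service object with start or stop rights,
    optionally restricted to one service short name (case-insensitive)."""
    hits = []
    for event_id, body in events:
        if event_id != 560:
            continue
        f = parse_560(body)
        name = _first(f, "Object Name")
        if _first(f, "Object Type") != "SERVICE OBJECT":
            continue
        if service and name.lower() != service.lower():
            continue
        granted = sorted(START_STOP.intersection(f.get("Accesses", [])))
        if granted:   # the caller falls back to the primary identity when no client is recorded
            user = _first(f, "Client User Name", "Primary User Name")
            domain = _first(f, "Client Domain", "Primary Domain")
            hits.append((f"{domain}\\{user}", name, granted))
    return hits
```

These records only exist if the audit policy for object access is enabled in addition to the SACL entry; the SACL alone produces nothing.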
Source:
http://windowsitpro.com/systems-management/access-denied-auditing-users-who-might-be-starting-and-stopping-services