Access control for files and directories (4) Audit rules


So far only access control rules have been discussed; these make up the discretionary access control list (DACL) of the object. A DACL can be changed freely by the owner of the object, or by anyone the owner has granted permission to change it. The object's security descriptor contains a second list of rules, the system access control list (SACL), which controls what kind of auditing the system performs on the object.

Auditing is a security-sensitive operation. In Windows, audit entries can only be generated by the Local Security Authority (LSA), the only component permitted to write entries to the Security event log, where audit records are stored. Security audits are a rigorous business: they can be used in a court of law to establish who did what, and who tried to do what, on a system, and many organizations retain their audit logs for years. Needless to say, the settings that govern which items are audited are usually subject to strict management control. If you run the code in this section and get an UnauthorizedAccessException, it is probably because the account running it does not hold the Security privilege. To modify, or even read, a SACL you must assign this powerful privilege to your account through the local computer policy. Despite these dire warnings, once you have the necessary privilege, reading and manipulating an object's audit settings works in every respect like reading and modifying its access control settings. Code Listing 7-13 is a simple example of adding an audit rule.

Code Listing 7-13 Operation audit rules

using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

// Open the file; reading or writing its SACL additionally requires the Security privilege.
using (FileStream file = new FileStream(
    @"M:\temp\sample.txt", FileMode.Open, FileAccess.ReadWrite))
{
    FileSecurity security = file.GetAccessControl();

    // Audit failed write attempts by members of Fabrikam\full_time_employees.
    FileSystemAuditRule rule = new FileSystemAuditRule(
        new NTAccount(@"Fabrikam\full_time_employees"),
        FileSystemRights.Write, AuditFlags.Failure);

    security.AddAuditRule(rule);
    file.SetAccessControl(security);
}

Unlike the previous code examples, this one uses the FileSystemAuditRule class. This class is an abstraction of the underlying access control entry (ACE): it specifies the user account, the type of access it covers (read, write, and so on), and whether successful or failed access attempts are audited. It can also specify how the audit rule is inherited by child objects and propagated to them.

To audit access to files or directories on Microsoft Windows NT, you must enable the Audit object access security policy on the computer. By default, this policy is set to No auditing.

The steps for enabling the Audit object access security policy are as follows:

Step 1 Open the Local Security Settings Microsoft Management Console (MMC) snap-in, found in the Administrative Tools folder.

Step 2 Expand the Local Policies folder and click the Audit Policy folder.

Step 3 Double-click the Audit object access item in the right pane of the MMC snap-in, or right-click it and choose Properties, to display the Audit Object Access Properties dialog.

Step 4 Select the Success box, the Failure box, or both, to record successful or failed access attempts.

Note that the audit rules for user accounts require corresponding access rules for the same user account.

As shown in Listing 7-13, you create a new audit rule with the FileSystemAuditRule class and then persist it through the FileSecurity or DirectorySecurity class.

Audit settings are represented as audit rules. An audit rule names the security principal (user or group) to audit, the type of access of interest (read, write, and so on), and whether an audit entry is generated when access is granted, when it is denied, or in both cases. In Listing 7-13, for example, the system generates an audit entry whenever a full-time employee is denied write access to a file or directory under the given parent directory. Inheritance flags, propagation flags, and protection settings act on audit rules exactly as they do on access control rules.
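The following is an added example, not code from ".NET Security Secrets" or from the original article. It extends Listing 7-13 to a directory: it asks only for the audit section of the security descriptor, adds a failure audit rule that child files and subdirectories inherit (the inheritance and propagation flags discussed above), persists it with DirectorySecurity, and then re-reads the SACL to show the explicit and inherited entries. It assumes Windows and the .NET Framework APIs Directory.GetAccessControl / Directory.SetAccessControl, that the process holds the Security privilege (SeSecurityPrivilege), and that the path M:\temp and the account Fabrikam\full_time_employees are placeholders.

```csharp
// Added example: directory audit rule with inheritance, then SACL listing.
// Assumes Windows + .NET Framework; path and account are placeholders.
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class DirectoryAuditDemo
{
    static void Main()
    {
        string dir = @"M:\temp";                                   // placeholder directory
        var who = new NTAccount(@"Fabrikam\full_time_employees");  // placeholder account

        try
        {
            // Request only the SACL. The DACL does not need SeSecurityPrivilege,
            // but the audit section does, so this call is the first place a
            // missing privilege shows up.
            DirectorySecurity security =
                Directory.GetAccessControl(dir, AccessControlSections.Audit);

            // Failure audit for write and delete, inherited by all subdirectories
            // (ContainerInherit) and files (ObjectInherit) below this directory.
            var rule = new FileSystemAuditRule(
                who,
                FileSystemRights.Write | FileSystemRights.Delete,
                InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
                PropagationFlags.None,      // applies here and to everything below
                AuditFlags.Failure);        // only denied attempts produce events

            security.AddAuditRule(rule);
            Directory.SetAccessControl(dir, security);

            // Re-read the SACL and list explicit and inherited audit entries,
            // resolving identities to NTAccount names for readability.
            DirectorySecurity updated =
                Directory.GetAccessControl(dir, AccessControlSections.Audit);
            foreach (FileSystemAuditRule r in
                     updated.GetAuditRules(true, true, typeof(NTAccount)))
            {
                Console.WriteLine(
                    "{0,-35} {1,-25} {2,-8} inherit={3} propagate={4} inherited={5}",
                    r.IdentityReference, r.FileSystemRights, r.AuditFlags,
                    r.InheritanceFlags, r.PropagationFlags, r.IsInherited);
            }
        }
        catch (PrivilegeNotHeldException ex)
        {
            // Raised when SeSecurityPrivilege is not held or not enabled;
            // assign it through the local security policy as described above.
            Console.Error.WriteLine("Security privilege not held: " + ex.Message);
        }
        catch (UnauthorizedAccessException ex)
        {
            Console.Error.WriteLine("Access denied: " + ex.Message);
        }
    }
}
```

Passing AccessControlSections.Audit keeps the read narrow: the code touches only the SACL, so it neither needs nor rewrites the owner, group or DACL sections. On .NET Core and later the same members live in the System.IO.FileSystem.AccessControl package as extension methods on DirectoryInfo rather than static methods on Directory.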

Note: This part of the text is adapted from ".NET Security Secrets".

Author: Hyun-Soul

Source: http://www.cnblogs.com/xuanhun/
