T
Tony of MBD
Hi,
My understanding of the history of security event ID 567 (Object Access
Attempt) is that it was introduced into Windows 2003 and XP, but a bug caused
it to not log for remote file changes via a share, it only logs when a file
change occurred from local. This was then fixed in SP1 and I can confirm this
as I have tested a Windows 2003 R2 Ent SP1 32bit server and it seems to work
ok. File changes, via remote and local, cause Event 560, 567 and 562 as
expected. However, on a Windows 2003 R2 Ent SP2 32bit server, remote file
changes only cause event 560 and 562. No event 567 is generated! A event 567
is only generated when local file changes occur!
Both the Windows 2003 SP1 and SP2 have the same policy config, set via GPO,
and auditing flags set on all files and directories.
Is this a bug that was broken, pre SP1, fixed SP1 and then broke again SP2?
Or do I need to do something different?
Thanks for any input
Regards
Tony of MBD
My understanding of the history of security event ID 567 (Object Access
Attempt) is that it was introduced into Windows 2003 and XP, but a bug caused
it to not log for remote file changes via a share, it only logs when a file
change occurred from local. This was then fixed in SP1 and I can confirm this
as I have tested a Windows 2003 R2 Ent SP1 32bit server and it seems to work
ok. File changes, via remote and local, cause Event 560, 567 and 562 as
expected. However, on a Windows 2003 R2 Ent SP2 32bit server, remote file
changes only cause event 560 and 562. No event 567 is generated! A event 567
is only generated when local file changes occur!
Both the Windows 2003 SP1 and SP2 have the same policy config, set via GPO,
and auditing flags set on all files and directories.
Is this a bug that was broken, pre SP1, fixed SP1 and then broke again SP2?
Or do I need to do something different?
Thanks for any input
Regards
Tony of MBD