Audit Software Restriction Policy
Last response: in Windows 2000/NT
Archived from groups: microsoft.public.win2000.security (More info?)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi
We now have this software restriction policy which prevents users
running applications from various places. Not only would we like to stop
them, we'd like to know who tried :-)
How can I turn on auditing for this? I'd like it to record every time a
user tries to run an app?
tia
andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBZn2Lqmlxlf41jHgRAjBkAJwMb9Wja08/NYxgyflGdcBnf4VGTwCgwN/s
2vYMCIMs9Ao9u9bOUp2nGnM=
=EfME
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi
We now have this software restriction policy which prevents users
running applications from various places. Not only would we like to stop
them, we'd like to know who tried :-)
How can I turn on auditing for this? I'd like it to record every time a
user tries to run an app?
tia
andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBZn2Lqmlxlf41jHgRAjBkAJwMb9Wja08/NYxgyflGdcBnf4VGTwCgwN/s
2vYMCIMs9Ao9u9bOUp2nGnM=
=EfME
-----END PGP SIGNATURE-----
More about : audit software restriction policy
Archived from groups: microsoft.public.win2000.security (More info?)
I think that the events would be recorded in the application or system log
without enabling any more policies. I know of no specific audit policy that
could track that otherwise unless you want to enable auditing of object
access on the computer and then audit folders for failure for the execute
permissions for files only in the apply onto selection. The problem with
enabling auditing of object access is that a lot of events may be recorded
in the security log by the system for seemingly unrelated events and it
would not work on removeable media. --- Steve
"andy smart" <anonymus@discussions.microsoft.com> wrote in message
news:ck5uic$gtm$1@newsfeed.th.ifl.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi
>
> We now have this software restriction policy which prevents users
> running applications from various places. Not only would we like to stop
> them, we'd like to know who tried :-)
>
> How can I turn on auditing for this? I'd like it to record every time a
> user tries to run an app?
>
> tia
> andy
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBZn2Lqmlxlf41jHgRAjBkAJwMb9Wja08/NYxgyflGdcBnf4VGTwCgwN/s
> 2vYMCIMs9Ao9u9bOUp2nGnM=
> =EfME
> -----END PGP SIGNATURE-----
I think that the events would be recorded in the application or system log
without enabling any more policies. I know of no specific audit policy that
could track that otherwise unless you want to enable auditing of object
access on the computer and then audit folders for failure for the execute
permissions for files only in the apply onto selection. The problem with
enabling auditing of object access is that a lot of events may be recorded
in the security log by the system for seemingly unrelated events and it
would not work on removeable media. --- Steve
"andy smart" <anonymus@discussions.microsoft.com> wrote in message
news:ck5uic$gtm$1@newsfeed.th.ifl.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi
>
> We now have this software restriction policy which prevents users
> running applications from various places. Not only would we like to stop
> them, we'd like to know who tried :-)
>
> How can I turn on auditing for this? I'd like it to record every time a
> user tries to run an app?
>
> tia
> andy
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.5 (MingW32)
> Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
>
> iD8DBQFBZn2Lqmlxlf41jHgRAjBkAJwMb9Wja08/NYxgyflGdcBnf4VGTwCgwN/s
> 2vYMCIMs9Ao9u9bOUp2nGnM=
> =EfME
> -----END PGP SIGNATURE-----
Archived from groups: microsoft.public.win2000.security (More info?)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steven L Umbach wrote:
| I think that the events would be recorded in the application or system
log
| without enabling any more policies. I know of no specific audit policy
that
| could track that otherwise unless you want to enable auditing of object
| access on the computer and then audit folders for failure for the execute
| permissions for files only in the apply onto selection. The problem with
| enabling auditing of object access is that a lot of events may be
recorded
| in the security log by the system for seemingly unrelated events and it
| would not work on removeable media. --- Steve
|
|
| "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| news:ck5uic$gtm$1@newsfeed.th.ifl.net...
|
| Hi
|
| We now have this software restriction policy which prevents users
| running applications from various places. Not only would we like to stop
| them, we'd like to know who tried :-)
|
| How can I turn on auditing for this? I'd like it to record every time a
| user tries to run an app?
|
| tia
| andy
Just to sort of 'close the call' you were right, the events are recorded
in the local logs. I can use eventquery to pull the data off into a file
and view it from there.
thanks for your help
andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBbjH6qmlxlf41jHgRAkZiAKDRRXeU8Nggdqde/F1R254pBpdAWgCgziwj
W1i3lOMhObyw72X5jUg8cFM=
=UhNU
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Steven L Umbach wrote:
| I think that the events would be recorded in the application or system
log
| without enabling any more policies. I know of no specific audit policy
that
| could track that otherwise unless you want to enable auditing of object
| access on the computer and then audit folders for failure for the execute
| permissions for files only in the apply onto selection. The problem with
| enabling auditing of object access is that a lot of events may be
recorded
| in the security log by the system for seemingly unrelated events and it
| would not work on removeable media. --- Steve
|
|
| "andy smart" <anonymus@discussions.microsoft.com> wrote in message
| news:ck5uic$gtm$1@newsfeed.th.ifl.net...
|
| Hi
|
| We now have this software restriction policy which prevents users
| running applications from various places. Not only would we like to stop
| them, we'd like to know who tried :-)
|
| How can I turn on auditing for this? I'd like it to record every time a
| user tries to run an app?
|
| tia
| andy
Just to sort of 'close the call' you were right, the events are recorded
in the local logs. I can use eventquery to pull the data off into a file
and view it from there.
thanks for your help
andy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFBbjH6qmlxlf41jHgRAkZiAKDRRXeU8Nggdqde/F1R254pBpdAWgCgziwj
W1i3lOMhObyw72X5jUg8cFM=
=UhNU
-----END PGP SIGNATURE-----
Related ressources:
- ForumSoftware Restriction Policy major screw up
- ForumMS Cleanup Installer Software Restriction Policy
- Forumsoftware restriction policy
- ForumGPO Computer Software Restriction Policy Stopped Working
- Forumsoftware restriction policy not working when running defau..
- ForumSoftware Restriction Policy ?????
- Forumsoftware restriction policy
- ForumThe policy software restriction policies
- ForumSoftware Restriction Policy Logging...?
- ForumSUS/WSUS & Software Restriction Policies
- ForumSoftware Restriction Policies - Question
- ForumSoftware restriction policy
- ForumGroup Policy to allow user to run program without bring lo..
- ForumParallel and com ports not appearing in device manager
- Forumlogon failure audit
- Forumlogon failed audit
- ForumUser can share a directory but unable to install software.
- Forumlogon and account logon audit events
- ForumLogon restriction
- ForumPassword Policy
- More resources
!
