
List:       loganalysis
Subject:    Re: [logs] Looking for Directory service information
From:       "Wynn S. Fenwick" <wynn.fenwick () cgi ! com>
Date:       2004-06-03 14:03:24
Message-ID: 40BF2FAC.6030402 () cgi ! com
Tyler,

In my experience, often these identifiers are GUIDs. GUIDs are names 
dynamically generated for objects that are instantiated in memory from 
an object class, so it is not always searchable. There are some 
well-known GUIDs that correspond to Windows system objects. I usually 
just punch the GUID into Google and the answer is there pretty quick as 
to whether it's well known or not.

From http://www.webopedia.com/TERM/G/GUID.html

Short for Globally Unique Identifier, a unique 128-bit number that is 
produced by the Windows OS or by some Windows applications to identify 
a particular component, application, file, database entry, and/or 
user. For instance, a Web site may generate a GUID and assign it to a 
user's browser to record and track the session. A GUID is also used in 
a Windows registry to identify COM DLLs. Knowing where to look in the 
registry and having the correct GUID yields a lot of information about 
a COM object (i.e., information in the type library, its physical 
location, etc.). Windows also identifies user accounts by a username 
(computer/domain and username) and assigns it a GUID. Some database 
administrators will even use GUIDs as primary key values in databases.

GUIDs can be created in a number of ways, but usually they are a 
combination of a few unique settings based on a specific point in time 
(e.g., an IP address, network MAC address, clock date/time, etc.).

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_wellknownobjects.asp
provides a list, but again, Google is your friend for access into many 
web-based lists like this.

In your example, the Object Name came up with nothing (which makes sense 
because this should be unique and specific to a domain). The type did get 
a hit (which makes sense because a type is more of a property of an 
object class than unique to an object instance).

http://www.google.com/search?hl=en&lr=&ie=UTF-8&q=GUID+list+19195a5b-6da0-11d0-afd3-00c04fd930c9


    "Windows NT Domain with DNS-based (DC=) naming."

It seems that this is an object name that corresponds to a particular AD 
domain. I bet you can create a map of your domains to GUIDs over time if 
you care to. I am sure there are other Windows experts out there that 
can elaborate in more depth...


Wynn

Tyler, Grayling wrote:

> I've been searching for information relating to auditing of Active 
> Directory (AD) access.  When Directory Service Access auditing is 
> turned on, various events are produced (e.g. 563, 565 etc.) to log the 
> action taken by the account making the call.  To date I have been 
> unable to locate any information regarding the "Object Type" and 
> "Object Name" fields reported in the logs (see sample below).  So I 
> thought I'd ask the list just in case anyone has run across this type 
> of information.  If you have I'd appreciate an email.
> 
> SEC,6/1/2004,23:55:30,Security,565,Success,Directory Service Access,TDomain\administrator,DC01,
> Object Open:
>     Object Server:      DS
>     Object Type:        {19195a5b-6da0-11d0-afd3-00c04fd930c9}
>     Object Name:        {aa687b49-3737-4053-ab8b-c6216ff20e04}
>     New Handle ID:      0
>     Operation ID:       {0 7375296}
>     Process ID:         308
>     Primary User Name:  DC01$
>     Primary Domain:     TDomain
>     Primary Logon ID:   (0x0 0x3E7)
>     Client User Name:   administrator
>     Client Domain:      DC01
>     Client Logon ID:    (0x0 0xE4BF)
>     Accesses:           Control Access
>     Privileges:         -
> Properties:
>     Control Access
>         {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}
> 
> 
> Thanks
> 
> 

-- 
Wynn Fenwick, GCIH, GCIA
Senior Consultant, Information Security COE
CGI Information Systems & Management Consultants

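As an added example (not code from this thread, the list, or Microsoft), the Python below parses the event 565 body Tyler posted into fields, pulls out its three GUIDs, and shows why the type was Google-able while the name was not: the Object Type and the Properties GUID are version 1 (time-based) GUIDs that encode a clock value and a node address and were minted once when the schema was built, so they are identical in every forest, whereas the Object Name is a version 4 (random) objectGUID of one instance that only your own directory can name. The event text is reconstructed from the posted sample with the ^` markers read as line breaks. The GUID-to-name table is a constructed stand-in for a live query of the schema and Extended-Rights containers; the two names in it are the stock Windows 2000/2003 schema values for those GUIDs and should be verified in your own forest. The domain map is left empty on purpose, which is where Wynn's suggested domain-to-GUID map would go.

```python
"""Parse a Directory Service Access event (ID 565) and classify its GUIDs.
Added example, not code from the thread; sample data is reconstructed."""
import re
import uuid
from datetime import datetime, timedelta, timezone

GUID_RE = re.compile(r"\{?([0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})\}?")

# Reconstructed from the event posted in the thread; only the layout differs.
SAMPLE_565 = """\
Object Open:
    Object Server:      DS
    Object Type:        {19195a5b-6da0-11d0-afd3-00c04fd930c9}
    Object Name:        {aa687b49-3737-4053-ab8b-c6216ff20e04}
    New Handle ID:      0
    Operation ID:       {0 7375296}
    Process ID:         308
    Primary User Name:  DC01$
    Primary Domain:     TDomain
    Primary Logon ID:   (0x0 0x3E7)
    Client User Name:   administrator
    Client Domain:      DC01
    Client Logon ID:    (0x0 0xE4BF)
    Accesses:           Control Access
    Privileges:         -
Properties:
    Control Access
        {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2}
"""

# Constructed stand-in for a live lookup.  Live sources: schemaIDGUID on the
# classSchema/attributeSchema objects under CN=Schema,CN=Configuration,... and
# rightsGuid on the controlAccessRight objects under CN=Extended-Rights,
# CN=Configuration,...  Names are stock Win2000/2003 values; verify locally.
KNOWN_SCHEMA_GUIDS = {
    "19195a5b-6da0-11d0-afd3-00c04fd930c9": ("classSchema", "domainDNS"),
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": ("controlAccessRight", "DS-Replication-Manage-Topology"),
}
# Object Name is the objectGUID of one instance; fill this from the objectGUID
# of each domain's root object in your own directory (Wynn's domain map).
DOMAIN_GUIDS = {}

UUID_EPOCH_OFFSET = 0x01B21DD213814000  # 100 ns ticks from 1582-10-15 to 1970-01-01


def parse_event_565(text):
    """Return (fields, properties): fields as a dict, properties as a list of
    (access type, GUID) pairs taken from the Properties section."""
    fields, properties = {}, []
    in_properties, access = False, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_properties:
            m = GUID_RE.fullmatch(line)
            if m:
                properties.append((access, m.group(1).lower()))
            else:
                access = line  # e.g. "Control Access", "Read Property"
            continue
        if line == "Properties:":
            in_properties = True
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():  # skips the bare "Object Open:" header
            fields[key.strip()] = value.strip()
    return fields, properties


def guid_version(guid):
    """Version nibble: 1 = time-based (clock + node), 4 = random.  Read directly
    because several Microsoft GUIDs lack RFC 4122 variant bits, for which
    uuid.UUID(...).version returns None."""
    return (uuid.UUID(guid).int >> 76) & 0xF


def guid_node(guid):
    """Node field (the generating host's MAC address for a version 1 GUID)."""
    return f"{uuid.UUID(guid).node:012x}"


def guid_timestamp(guid):
    """UTC creation time encoded in a version 1 GUID, else None."""
    if guid_version(guid) != 1:
        return None
    ticks = uuid.UUID(guid).time - UUID_EPOCH_OFFSET
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ticks // 10)


def resolve(fields, properties, schema=KNOWN_SCHEMA_GUIDS, domains=DOMAIN_GUIDS):
    """Attach (guid, kind, name) to the type, the name and each property."""
    result = {}
    m = GUID_RE.fullmatch(fields.get("Object Type", ""))
    if m:
        g = m.group(1).lower()
        result["Object Type"] = (g,) + schema.get(g, ("unresolved", None))
    m = GUID_RE.fullmatch(fields.get("Object Name", ""))
    if m:
        g = m.group(1).lower()
        result["Object Name"] = (g, "objectGUID", domains.get(g))
    result["Properties"] = [(a, g) + schema.get(g, ("unresolved", None)) for a, g in properties]
    return result


if __name__ == "__main__":
    fields, props = parse_event_565(SAMPLE_565)
    res = resolve(fields, props)
    print(f"{fields['Client Domain']}\\{fields['Client User Name']}: {fields['Accesses']}")
    for label in ("Object Type", "Object Name"):
        g, kind, name = res[label]
        when = guid_timestamp(g)
        tail = f"  minted {when:%Y-%m-%d} by node {guid_node(g)}" if when else ""
        print(f"{label}: {g}  v{guid_version(g)}  {kind}  {name}{tail}")
    for access, g, kind, name in res["Properties"]:
        print(f"Property ({access}): {g}  {kind}  {name}")
```

To replace the stand-in table with real data, export schemaIDGUID from the schema container and rightsGuid from CN=Extended-Rights; both are stored as binary GUIDs in Active Directory's little-endian layout, so convert them with uuid.UUID(bytes_le=value) rather than uuid.UUID(bytes=value) or the lookups will never match the text GUIDs in the event.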
_______________________________________________
LogAnalysis mailing list
LogAnalysis@lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/loganalysis