Some-thing or Some-one is changing file permissions occasionally on files on my Windows Server 2003 Domain Controller.
I'd like to track these changes. Initially I thought one could do this with Auditing via the Default Domain Controllers Policy, but while there is File Access auditing, I can't seem to find any sort of tracking for permissions changes.
I'd like to know if permissions changes happen on a certain set of files and directories whether a human or an application/service or even a disk error makes the change. I'd like to see what has changed, when it has changed and, possibly, what did it.
Is this possible?
The built-in auditing for permission changes is handled through "Audit object access". If you look at the types of auditing that you can configure on a filesystem object you'll see that "Change Permissions" is one of the auditable items.
You're going to find that the log data generated by "Audit object access" is painfully verbose and difficult to parse, though. The actual permissions change (a "WRITE_DAC" event-- DAC meaning "Discretionary Access Control") will only reference a handle ID, so you'll have to parse backwards from the WRITE_DAC to find the handle open event. That event will tell you the name of the object being modified by the WRITE_DAC. Rather tiresome...
I had one Customer who explored using the CPTRAX File System Audit Trails for Windows utility for a similiar situation. I don't believe they ever actually implemented it, but as part of their exploration I reviewed the documentation and found that it appeared to be "sane", at least. I can't give any kind of personal recommendation for it, but it looked like it would do what the manufacturer claimed.
Edit:
I had a few minutes tonight, so I wrote a crazy, painful CMD script to track permission changes. Parsing the event log is painful (and really requires a state machine to get it right), so this is a second-best attempt.
The script expects to be passed the filename of a file to track the permissions on, and a path and "base" filename of a file to store the permissions observed in. Let's assume a fake set of arguments:
perm-track.cmd "C:\Program Files\Some Application\File To Track.exe" "C:\Permission Tracker\File to Track.exe"The first time the script runs (at, say, 12:51:30 on July 18, 2010) the permissions set on "C:\Program Files\Some Application\File To Track.exe" will be stored in the file "C:\Permission Tracker\File to Track.exe.20100718_125130.permissions.txt".
The next time the script is run, with the same arguments, the permissions stored in the most recently-created "C:\Permission Tracker\File to Track.exe.*.permissions.txt" file will be compared against the current permissions on "C:\Program Files\Some Application\File To Track.exe". If there's a change, the new permissions will be stored in an appropriately named "File to Track.exe.ISODATE.permissions.txt" file in "C:\Permission Tracker".
Wiring this up to send emails would be pretty easy. Running it as a scheduled task, or in a loop would be pretty easy, too.
This is definitely quick-and-dirty, and it probably has bugs, but this script might do what you need.
Use a host based IDS, which is sometimes referred to as a filesystem IDS. I've used AIDE successfully against Windows before. It can be compiled with cygwin.
An alternative to AIDE is OSSEC, which appears to have a Windows port.
Varonis DatAdvantage for Windows is a great way to solve this issue. It monitors all file system events (create, open, delete, move, modify, permission change) and builds a searchable audit trail. You can setup recurring reports or real-time alerts based on trigger criteria, such as a permission change on your DC or when someone is elevated to Domain Admin.
Perhaps the best part is that DatAdvantage doesn't require native auditing (which can be slow and taxing) and never writes to disk on the servers that you monitor, so it's super low overhead.
(Disclosure: I work for Varonis, but wouldn't post this if I didn't think it were a fit.)