I have a number of servers in the corporate domain that seem to randomly lose ACL permissions to the TEMP folders (c:\temp, c:\windows\temp and any temp folder defined in the environment variables).
Instead of the normal permissions (administrators full control, users read/write, network service read etc.) - the folder is reset to Everyone - read.
Is there a tool that will allow me to monitor the folders in question to see who/what/when makes the change?
I'm currently trying to use the Windows auditing system, but it's not perfect - on Windows 2003 it doesn't have a specific event for folder permissions change. And anyway, the security event log is getting filled up EXTREMELY fast by regular logins and our hardening software's routine scans.
Any idea where I can look?
You should be able to filter this a bit anyway, but if the log is being completely filled too often you can temporarily disable most of the other security auditing and simply audit "Change permissions" (particularly the "successful" ones).
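
One way to set up the narrow audit described in the answer above, as an added example that is not part of the original posts: it adds a success-only audit entry for "Change permissions" and "Take ownership" to each temp folder itself, without inheritance, so files inside the folders do not add to the event volume. It assumes PowerShell is installed on the server, an elevated session, and that the "Audit object access" policy is enabled for success; auditing Everyone and including "Take ownership" are choices made for this example.

```powershell
# Added example (not from the original thread). Run elevated; requires the
# "Audit object access" policy to be enabled for Success.

# Folders named in the question, plus whatever TEMP/TMP resolve to.
$folders = @(
    'C:\temp'
    "$env:SystemRoot\Temp"
    [Environment]::GetEnvironmentVariable('TEMP', 'Machine')
    [Environment]::GetEnvironmentVariable('TMP', 'Machine')
    $env:TEMP
    $env:TMP
) | Where-Object { $_ } |
    ForEach-Object { [Environment]::ExpandEnvironmentVariables($_) } |
    Sort-Object -Unique |
    Where-Object { Test-Path $_ -PathType Container }

# Everyone by well-known SID, so the script does not depend on the OS language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# Both rights let a caller rewrite the folder's DACL.
$rights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

# Folder only (no inheritance, no propagation), successful attempts only.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

foreach ($folder in $folders) {
    try {
        # -Audit loads the existing SACL so current audit entries are preserved.
        $acl = Get-Acl -Path $folder -Audit -ErrorAction Stop
        $acl.AddAuditRule($rule)
        Set-Acl -Path $folder -AclObject $acl -ErrorAction Stop
        "Auditing permission changes on $folder"
    } catch {
        Write-Warning "Could not set audit rule on ${folder}: $_"
    }
}
```

The resulting Security log entries record the account and process that requested the access; "Change permissions" appears there as the WRITE_DAC access right.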