Yep, I agree. You can usually see what the application is doing via filemon or Process Explorer, or procmon, and it's not pretty when most of the Office Suite requires modify or full control permissions to work the right way. Also, and what is more annoying, is .exe and .dll writing to themselves. When in the heck should an .exe or .dll ever be writable in an application? Hmm, never :)
Z

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Monday, December 24, 2007 2:40 PM
To: NT System Admin Issues
Subject: Re: Real world security (was RE: Audit recommendation)

On Dec 24, 2007 2:26 PM, Ziots, Edward <[EMAIL PROTECTED]> wrote:
> I agree, it's a balance, what matters the most, usually audit for the
> exception, not what has been allowed ...

The problem is that even "what is denied" is quite a lot. I gather that a lot of software (again, including Windows Explorer and MS Office) follows a paradigm of first trying to acquire full access, and when that gets denied by the OS, trying for more limited access. The result is a constant stream of Audit Failure events, as processes (running with user privilege) try for full access to various parts of the system, DLLs, EXEs, and so on.

-- Ben
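
A way to check the point raised above about writable binaries, as an added example that is not part of the original thread: this PowerShell script lists .exe and .dll files under an install directory whose ACL grants write-type rights to anyone other than SYSTEM, Administrators or TrustedInstaller. The default root path and the choice of trusted SIDs are assumptions to adjust for the environment being audited.

```powershell
# Added example: report EXE/DLL files that non-administrative principals can modify.
param(
    [string]$Root = $env:ProgramFiles   # assumption: application install root to audit
)

# Rights that let a principal change a binary's contents, delete it, or rewrite its ACL.
$writeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
# Also match raw GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits,
# which some ACEs carry unmapped.
$mask = [int]$writeRights -bor 0x50000000

# Well-known SIDs expected to hold write access to installed binaries (assumption).
$trustedSids = @(
    'S-1-5-18',       # LocalSystem
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
ForEach-Object {
    $file = $_
    # Skip files whose security descriptor cannot be read with the current token.
    try { $acl = Get-Acl -LiteralPath $file.FullName -ErrorAction Stop } catch { return }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        # Compare by SID so localized or renamed group names do not matter.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolved account: keep raw value
        }
        if ($trustedSids -contains $sid) { continue }

        [pscustomobject]@{
            Path      = $file.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}
```

Entries with `Inherited = True` point at a permissive ACE on a parent folder, which is the place to fix it rather than on each file.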
