When CA ControlMinder protects a Windows service, it intercepts, and records in the audit log, access attempts that are related to the service. These access attempts may be a result of using the services.exe process to manage the service (start, stop, and so on), or a result of registry access to the service database management area of the protected service. The audit record for the former kind of access contains only the service name, whereas the audit record for the latter (registry access) contains the full registry path. To view all access attempts related to a Windows service, you therefore have to use wildcards in the resource name, so that both the bare service name and the registry path match.
To view access attempts to a protected Windows service, create an audit filter that selects audit records of class WINSERVICE with the resource name *myService*.
CA ControlMinder displays all audit records for the WINSERVICE resource you defined (whether access was attempted through the registry or through a service management interface).
Example: View All Access Attempts to the Print Spooler Service
This example assumes that you defined the Print Spooler service to CA ControlMinder with no access as follows:
er winservice spooler defaccess(none) owner(nobody)
You can then use the seaudit utility to list all access attempts to the Print Spooler service as follows:
seaudit -resource WINSERVICE *spooler* *
This command lists all audit records for the class WINSERVICE that were recorded for access attempts to the Print Spooler service. The resulting output can look as follows:
seaudit - Audit log lister
03 Apr 2008 16:53:48 D WINSERVICE bigHost1\Administrator Read 69 2 Spooler c:\WINDOWS\system32\services.exe bigHost1.comp.com
03 Apr 2008 16:53:48 D WINSERVICE bigHost1\Administrator Read 69 2 Spooler c:\WINDOWS\system32\services.exe bigHost1.comp.com
03 Apr 2008 16:53:50 D WINSERVICE bigHost1\Administrator Read 69 2 Spooler c:\WINDOWS\system32\services.exe bigHost1.comp.com
03 Apr 2008 16:53:50 D WINSERVICE bigHost1\Administrator Read 69 2 Spooler c:\WINDOWS\system32\services.exe bigHost1.comp.com
03 Apr 2008 16:53:53 D WINSERVICE bigHost1\Administrator Read 69 2 Spooler c:\WINDOWS\system32\services.exe bigHost1.comp.com
03 Apr 2008 16:53:53 D WINSERVICE bigHost1\Administrator Read 69 2 Spooler c:\WINDOWS\system32\services.exe bigHost1.comp.com
03 Apr 2008 16:54:10 D WINSERVICE bigHost1\Administrator Read 69 2 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler C:\WINDOWS\regedit.exe bigHost1.comp.com
03 Apr 2008 16:54:10 D WINSERVICE bigHost1\Administrator Read 69 2 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler C:\WINDOWS\regedit.exe bigHost1.comp.com
03 Apr 2008 16:54:19 D WINSERVICE bigHost1\Administrator Read 69 2 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler C:\WINDOWS\regedit.exe bigHost1.comp.com
03 Apr 2008 16:54:26 D WINSERVICE bigHost1\Administrator Read 69 2 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler C:\WINDOWS\regedit.exe bigHost1.comp.com
03 Apr 2008 16:54:26 D WINSERVICE bigHost1\Administrator Modify 69 2 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler C:\WINDOWS\regedit.exe bigHost1.comp.com
Total records displayed 11
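The output above mixes two kinds of record for the same service: attempts made through services.exe (resource is the bare service name) and attempts made on the service's registry key (resource is the full HKEY_LOCAL_MACHINE path). The following script is an added example, not part of CA ControlMinder or this documentation: it parses seaudit output in the column layout shown above, tells the two kinds apart, applies the same case-insensitive *myService* substring match that the wildcard filter does, and pulls out registry Modify attempts, which are the ones worth alerting on because they can change a service's start type or binary. The sample input is constructed from the records above plus two extra records (a program path containing a space and an unrelated service) to exercise the parser; the D status column is assumed to mean the access was denied, consistent with defaccess(none), and the two numeric columns after the access type are not interpreted.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the seaudit column layout shown above. The first four
# records are taken from the page's output; the last two are constructed to
# exercise a program path with a space and a second, unrelated service.
SAMPLE_SEAUDIT_OUTPUT = r"""seaudit - Audit log lister
03 Apr 2008 16:53:48 D WINSERVICE bigHost1\Administrator Read 69 2 Spooler c:\WINDOWS\system32\services.exe bigHost1.comp.com
03 Apr 2008 16:53:50 D WINSERVICE bigHost1\Administrator Read 69 2 Spooler c:\WINDOWS\system32\services.exe bigHost1.comp.com
03 Apr 2008 16:54:10 D WINSERVICE bigHost1\Administrator Read 69 2 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler C:\WINDOWS\regedit.exe bigHost1.comp.com
03 Apr 2008 16:54:26 D WINSERVICE bigHost1\Administrator Modify 69 2 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler C:\WINDOWS\regedit.exe bigHost1.comp.com
03 Apr 2008 16:55:02 D WINSERVICE bigHost1\Administrator Modify 69 2 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler C:\Program Files\Tool\svcctl.exe bigHost1.comp.com
03 Apr 2008 16:55:40 D WINSERVICE bigHost1\Administrator Read 69 2 Schedule c:\WINDOWS\system32\services.exe bigHost1.comp.com
Total records displayed 6
"""


@dataclass(frozen=True)
class WinServiceEvent:
    timestamp: str   # "03 Apr 2008 16:53:48"
    status: str      # "D" in the sample; assumed to mean the access was denied
    user: str        # e.g. bigHost1\Administrator
    access: str      # Read, Modify, ...
    resource: str    # bare service name or full registry key path
    program: str     # process that made the attempt (may contain spaces)
    host: str
    via: str         # "service-control" or "registry"


# Date, time, status, class, user, access, two numeric columns (not interpreted),
# then "resource program host" as free text handled separately below.
_RECORD_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<status>\S+) WINSERVICE (?P<user>\S+) (?P<access>\S+) \S+ \S+ "
    r"(?P<rest>.+)$"
)


def classify(resource):
    """Registry-path resources come from registry access; anything else came via the
    service control interface (services.exe)."""
    return "registry" if resource.upper().startswith("HKEY_") else "service-control"


def parse_seaudit(text):
    """Parse seaudit WINSERVICE records; header, total line and blanks are skipped.
    Assumes resource and host contain no spaces (true for service names and registry
    paths as logged here); the program path in between may contain spaces."""
    events = []
    for line in text.splitlines():
        m = _RECORD_RE.match(line.strip())
        if not m:
            continue
        resource, remainder = m.group("rest").split(" ", 1)
        program, host = remainder.rsplit(" ", 1)
        events.append(WinServiceEvent(
            timestamp=m.group("ts"), status=m.group("status"), user=m.group("user"),
            access=m.group("access"), resource=resource, program=program, host=host,
            via=classify(resource),
        ))
    return events


def events_for_service(events, service):
    """Equivalent of the *myService* wildcard: case-insensitive substring match on the
    resource, so the bare service name and the registry key path are both caught."""
    needle = service.lower()
    return [e for e in events if needle in e.resource.lower()]


def summarize(events):
    """Count attempts by (user, via, access) to see how a service was touched."""
    return Counter((e.user, e.via, e.access) for e in events)


def modify_attempts(events):
    """Registry Modify attempts on a service key: the records to alert on."""
    return [e for e in events if e.access == "Modify" and e.via == "registry"]


if __name__ == "__main__":
    spooler = events_for_service(parse_seaudit(SAMPLE_SEAUDIT_OUTPUT), "spooler")
    for key, n in sorted(summarize(spooler).items()):
        print(f"{key[0]:<25} {key[1]:<16} {key[2]:<7} {n}")
    for e in modify_attempts(spooler):
        print(f"ALERT {e.timestamp} {e.user} {e.access} {e.resource} via {e.program}")
```

To run it against a live log, replace SAMPLE_SEAUDIT_OUTPUT with the captured output of the seaudit command above; the substring match is what makes the bare name and the registry path land in the same summary.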
Copyright © 2013 CA Technologies.
All rights reserved.