Educause Security Discussion mailing list archives
Re: security for Windows logoff scripts writing to log files
From: Themba Flowers <themba.flowers () YALE EDU>
Date: Fri, 18 Jan 2008 10:33:41 -0500
Another way around this would be to use an HTTP POST to a CGI or database as opposed to writing directly to the file itself. At logoff, trigger a .bat script which takes environment info and uses wsendmail to send an email to an address set up for this purpose. A filter for the account takes any email which matches certain criteria (i.e. subject header="LOGOFF *") and executes a script which appends the contents to a file. It would probably be more secure/reliable to have the .bat script trigger a wget-driven HTTP POST instead; we just haven't done so. That way, the user never touches the data file itself.

Themba Flowers
*-*--*----*--------*----------------*
Social Science Research Services/ITG
http://www.yale.edu/statlab
Yale University Academic Media & Technology
140 Prospect Street, Room 100
New Haven, CT 06520
t.203-432-6931 f.203-432-6976

On Jan 18, 2008, at 9:17 AM, Mike Phillips wrote:
> Kevin: I am doing similar tracking in a central log file. Here is how I had to set up the log file share and folder permissions for the Authenticated Users group:
>
> Windows Share: READ, CHANGE
>
> Folder Permissions:
> - Create Files / Write Data
> - Create Folders / Append Data
> - Write Attributes
> - Write Extended Attributes
> - Delete
>
> With these settings Authenticated Users can append to the existing log file, but cannot list the contents of the share/folder or delete files.
>
> Mike Phillips
> Clarion University of Pennsylvania
>
> -----Original Message-----
> From: Kevin Shalla [mailto:kshalla () UIC EDU]
> Sent: Thursday, January 17, 2008 5:57 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] security for Windows logoff scripts writing to log files
>
> I'm writing a VBScript logoff script to track time, computer, IP address, username, and other stuff for our Windows computers. Now I've got it configured so that the script (on the server) is open to everyone for reading, and the log file (again on the server) is open to writing for everyone. Before I put this into production, I would like to set it so that users can only update the log file while running the logoff script, and then can only append records at the end. Is there a way to set this up?
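The folder permissions Mike Phillips lists above, applied with PowerShell so they can be reproduced and checked rather than clicked through in the Advanced Security dialog. This is an added example, not code from the original thread: the folder path, share name and the helper names (Set-LogFolderAcl, Get-LogAccessRights) are assumptions. It grants Authenticated Users exactly the five NTFS rights in his list, removes the inherited ACEs that would otherwise let users list or read the folder, and then reports the rights the group ends up with on the log file so an administrator can confirm no Read Data / List Folder right slipped in.

```powershell
# Added example (not from the original posts): configure a central logoff-log folder
# so Authenticated Users get exactly the NTFS rights from Mike Phillips' reply.
# $LogRoot, $LogFile and the share name are assumed values; adjust for your server.
$LogRoot = 'D:\LogoffLogs'
$LogFile = Join-Path $LogRoot 'logoff.log'

# Well-known SIDs instead of names, so the script also works on localized systems.
$AuthUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'      # Authenticated Users
$Admins    = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'  # BUILTIN\Administrators
$System    = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'      # NT AUTHORITY\SYSTEM

# The five rights from Mike's list. .NET names each GUI pair by its file-side meaning:
# CreateFiles = "Create Files / Write Data", AppendData = "Create Folders / Append Data".
$UserRights = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [System.Security.AccessControl.FileSystemRights]::AppendData -bor
              [System.Security.AccessControl.FileSystemRights]::WriteAttributes -bor
              [System.Security.AccessControl.FileSystemRights]::WriteExtendedAttributes -bor
              [System.Security.AccessControl.FileSystemRights]::Delete

function Set-LogFolderAcl {
    param([string]$Path)
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    $acl = Get-Acl -Path $Path

    # Stop inheriting from the parent (e.g. "Users: Read & execute") and drop any
    # explicit ACEs, so nothing on the folder grants List Folder / Read Data.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($rule in @($acl.Access)) { $acl.RemoveAccessRule($rule) | Out-Null }

    $full    = [System.Security.AccessControl.FileSystemRights]::FullControl
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # Administrators and SYSTEM keep full control so the log can be read and rotated.
    foreach ($sid in $Admins, $System) {
        $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
            $sid, $full, $inherit, $prop, $allow)))
    }
    # Authenticated Users: the write-side rights only, on this folder, subfolders and files.
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $AuthUsers, $UserRights, $inherit, $prop, $allow)))
    Set-Acl -Path $Path -AclObject $acl
}

function Get-LogAccessRights {
    # Returns the union of all Allow rights Authenticated Users hold on $Path,
    # so the result can be tested with -band regardless of how many ACEs exist.
    param([string]$Path)
    $combined = [System.Security.AccessControl.FileSystemRights]0
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid -eq $AuthUsers -and $ace.AccessControlType -eq 'Allow') {
            $combined = $combined -bor $ace.FileSystemRights
        }
    }
    return $combined
}

Set-LogFolderAcl -Path $LogRoot
if (-not (Test-Path $LogFile)) { New-Item -ItemType File -Path $LogFile | Out-Null }

# Share permission "Change" for Authenticated Users (Mike's READ, CHANGE); the SmbShare
# module exists on Windows 8 / Server 2012 and later, so guard the call.
if (Get-Command New-SmbShare -ErrorAction SilentlyContinue) {
    New-SmbShare -Name 'LogoffLogs$' -Path $LogRoot -ChangeAccess 'Authenticated Users' | Out-Null
}

# Verify: the group must not end up with Read Data / List Folder on the log file.
$rights = Get-LogAccessRights -Path $LogFile
"Authenticated Users on ${LogFile}: $rights"
if ($rights -band [System.Security.AccessControl.FileSystemRights]::ReadData) {
    Write-Warning 'Authenticated Users can read the log file; check for leftover inherited ACEs.'
}
```

Two caveats when you adapt this. First, the example applies the rights to "this folder, subfolders and files", and on a file the CreateFiles bit is Write Data and the Delete bit is Delete, so a user who already knows the log file name can open it for overwrite or delete it even though they cannot list the folder; Mike's post does not say which inheritance scope he used, so verify yours with the check above and with a test account. Second, true append-only access means granting only Append Data on the log file itself, but most tools that append (the Scripting.FileSystemObject used from VBScript, cmd's `>>`, and .NET's Add-Content) open the file with a generic write request that also asks for Write Data, so they get Access Denied against an Append-Data-only ACE; if you tighten the file that far, test the logoff script before rolling it out.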
Current thread:
- security for Windows logoff scripts writing to log files Kevin Shalla (Jan 17)
- <Possible follow-ups>
- Re: security for Windows logoff scripts writing to log files Brad Judy (Jan 17)
- Re: security for Windows logoff scripts writing to log files Mike Phillips (Jan 18)
- Re: security for Windows logoff scripts writing to log files Themba Flowers (Jan 18)