Educause Security Discussion mailing list archives

Re: security for Windows logoff scripts writing to log files


From: Themba Flowers <themba.flowers () YALE EDU>
Date: Fri, 18 Jan 2008 10:33:41 -0500

Another way around this would be to use an HTTP POST to a CGI or
database as opposed to writing directly to the file itself. At
logoff, trigger a .bat script which takes environment info and uses
wsendmail to send an email to an address set up for this purpose. A
filter for the account takes any email which matches a certain
criterion (i.e. subject header="LOGOFF *") and executes a script which
appends the contents to a file. It would probably be more secure and
reliable to have the .bat script trigger a wget-driven HTTP POST
instead; we just haven't done so.

That way, the user never touches the data file itself.

Themba Flowers
*-*--*----*--------*----------------*
Social Science Research Services/ITG
http://www.yale.edu/statlab
Yale University Academic Media & Technology
140 Prospect Street, Room 100
New Haven, CT 06520
t.203-432-6931     f.203-432-6976



On Jan 18, 2008, at 9:17 AM, Mike Phillips wrote:

Kevin:

I am doing similar tracking in a central log file. Here is how I
had to set up the log file share and folder permissions for the
Authenticated Users group:

Windows Share:
READ, CHANGE

Folder Permissions:
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Delete

With these settings Authenticated Users can append to the existing
log file, but cannot list the contents of the share/folder or delete
files.

Mike Phillips
Clarion University of Pennsylvania

-----Original Message-----
From: Kevin Shalla [mailto:kshalla () UIC EDU]
Sent: Thursday, January 17, 2008 5:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security for Windows logoff scripts writing to log files

I'm writing a vbscript logoff script to track time, computer, IP
address, username, and other stuff for our Windows computers.  Now
I've got it configured so that the script (on the server) is open to
everyone for reading, and the log file (again on the server) is open
to writing for everyone.  Before I put this into production, I would
like to set it so that users can only update the log file while
running the logoff script, and then can only append records at the
end.  Is there a way to set this up?
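As an added example (not code from anyone in this thread), the following PowerShell applies the share and folder rights Mike Phillips listed to a drop folder for the logoff log and then reports the rights Authenticated Users actually end up with on the file; the folder path, file name and share name are placeholders, and the administrator ACE is an assumption so someone can still read the log.

```powershell
# Append-only drop folder for a logoff log, built from the rights listed in
# the thread (Create Files/Write Data, Create Folders/Append Data, Write
# Attributes, Write Extended Attributes, Delete; no Read or List rights).
# Placeholders: C:\LogoffLogs, logoff.log and the share name LogoffLogs.
$Folder  = 'C:\LogoffLogs'
$LogFile = Join-Path $Folder 'logoff.log'
$Users   = 'NT AUTHORITY\Authenticated Users'

New-Item -ItemType Directory -Path $Folder -Force | Out-Null
if (-not (Test-Path $LogFile)) { New-Item -ItemType File -Path $LogFile | Out-Null }

# Rights exactly as posted; CreateFiles is the same bit as WriteData and
# CreateDirectories the same bit as AppendData.
$UserRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, Delete'

$Acl = Get-Acl -Path $Folder
# Stop inheriting ACEs from the parent so nothing grants Read/List by accident.
$Acl.SetAccessRuleProtection($true, $false)
# Assumed: administrators keep full control so the log can be reviewed.
$Acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    'BUILTIN\Administrators', 'FullControl', 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
# Authenticated Users get only the posted rights, inherited by files in the folder.
$Acl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $Users, $UserRights, 'ContainerInherit, ObjectInherit', 'None', 'Allow'))
Set-Acl -Path $Folder -AclObject $Acl

# Share permissions from the thread: Change (which includes Read) for the group.
# Requires the SmbShare module (Windows 8 / Server 2012 and later).
if (-not (Get-SmbShare -Name 'LogoffLogs' -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name 'LogoffLogs' -Path $Folder -ChangeAccess $Users | Out-Null
}

# Check: what Authenticated Users actually hold on the log file itself.
(Get-Acl -Path $LogFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $Users } |
    Select-Object FileSystemRights, AccessControlType, IsInherited
```

The final check matters because Write Data inherited onto the file permits overwriting existing content, not only appending; if the goal is strictly append-only records, compare the reported rights on the file against AppendData alone before putting the share into production.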

