Educause Security Discussion mailing list archives

Re: security for Windows logoff scripts writing to log files


From: Brad Judy <Brad.Judy () COLORADO EDU>
Date: Thu, 17 Jan 2008 16:09:15 -0700

I don't know of any way to allow a user/process to only append new data
to the end of a file without some other layer in between.  You can
either modify the file or you can't; there isn't a granularity of append
versus other modifications.  You could log the event to either the local
Windows event log or a remote syslog type server.  Another approach
would be an application/database pair that allowed a user to add rows,
but not edit existing rows.  Or, you could create new log files for each
event, but that would add up quickly.

Using the Windows event log or syslog approach would also address your
concern about users being able to update the log outside of the script
(to a degree anyway).

Brad Judy

-----Original Message-----
From: Kevin Shalla [mailto:kshalla () UIC EDU] 
Sent: Thursday, January 17, 2008 3:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security for Windows logoff scripts writing to log files

I'm writing a vbscript logoff script to track time, computer, 
IP address, username, and other stuff for our Windows 
computers.  Now I've got it configured so that the script (on 
the server) is open to everyone for reading, and the log file 
(again on the server) is open to writing for everyone.  
Before I put this into production, I would like to set it so 
that users can only update the log file while running the 
logoff script, and then can only append records at the end.  
Is there a way to set this up?
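The event-log route Brad suggests above, as an added example (not code from either poster): a logoff script that writes one record per logoff to the local Application log instead of a shared, world-writable text file. It assumes only the stock Windows Script Host objects (WScript.Shell, WScript.Network) and the WMI Win32_NetworkAdapterConfiguration class; ordinary users can add event log entries but cannot edit or delete existing ones, which is the append-only property the question asks for.

```vbscript
' Logoff script: record the session end in the local Application event log.
' Added example; it uses the standard WSH objects plus WMI, nothing custom.
Option Explicit

Const EVENT_INFORMATION = 4   ' WshShell.LogEvent type code for "Information"

Dim shell, net, wmi, nics, nic, addrs, record
Set shell = CreateObject("WScript.Shell")
Set net   = CreateObject("WScript.Network")

' Collect the first IP address of every IP-enabled adapter via WMI
addrs = ""
Set wmi  = GetObject("winmgmts:\\.\root\cimv2")
Set nics = wmi.ExecQuery("SELECT IPAddress FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True")
For Each nic In nics
    If Not IsNull(nic.IPAddress) Then
        If Len(addrs) > 0 Then addrs = addrs & ","
        addrs = addrs & nic.IPAddress(0)
    End If
Next

' One tab-separated record per logoff; fixed field order so a collector
' (or a later export of the event log) can parse it reliably
record = "LOGOFF" & vbTab & Now & vbTab & net.ComputerName & vbTab & _
         net.UserDomain & "\" & net.UserName & vbTab & addrs

' LogEvent writes to the Application log under the source "WSH".
' It returns True when the entry was accepted, so a failure is visible.
If Not shell.LogEvent(EVENT_INFORMATION, record) Then
    WScript.Echo "Could not write logoff record to the event log"
End If
```

Because the entries land in the local event log, forwarding them to a central collector (or the remote syslog server Brad mentions) is a separate configuration step on the workstation, not something the script itself has to secure.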

