Educause Security Discussion mailing list archives

Re: security for Windows logoff scripts writing to log files


From: Mike Phillips <mphillips () CLARION EDU>
Date: Fri, 18 Jan 2008 09:17:31 -0500

Kevin:

I am doing similar tracking in a central log file.  Here is how I had to
set up the log file share and folder permissions for the Authenticated Users
group:

Windows Share:
READ, CHANGE

Folder Permissions:
Create Files / Write Data
Create Folders / Append Data
Write Attributes
Write Extended Attributes
Delete

With these settings Authenticated Users can append to the existing log file,
but cannot list the contents of the share/folder or delete files.

Mike Phillips
Clarion University of Pennsylvania

-----Original Message-----
From: Kevin Shalla [mailto:kshalla () UIC EDU]
Sent: Thursday, January 17, 2008 5:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] security for Windows logoff scripts writing to log files

I'm writing a VBScript logoff script to track time, computer, IP
address, username, and other stuff for our Windows computers.  Now
I've got it configured so that the script (on the server) is open to
everyone for reading, and the log file (again on the server) is open
to writing for everyone.  Before I put this into production, I would
like to set it so that users can only update the log file while
running the logoff script, and then can only append records at the
end.  Is there a way to set this up?
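
The folder permissions listed in the reply above, applied and then audited with PowerShell. This is an added example, not part of the original thread; the folder path `D:\LogoffLogs` is a hypothetical placeholder, and the share-level permission is not covered.

```powershell
# Added example (not from the thread). $LogDir is a hypothetical path.
param([string]$LogDir = 'D:\LogoffLogs')

$fsr = [System.Security.AccessControl.FileSystemRights]

# Authenticated Users, by well-known SID so the script works on localized systems.
$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

# The five folder permissions from the reply, as FileSystemRights flags.
# CreateFiles is the same bit as WriteData; CreateDirectories the same bit as AppendData.
$rights = $fsr'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, Delete'

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $authUsers, $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $LogDir
$acl.PurgeAccessRules($authUsers)      # drop earlier explicit entries for this group
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $LogDir -AclObject $acl

# Audit: list every Allow entry held by a broad group, inherited ones included,
# and flag any that still carries the list/read bit the reply intends to withhold.
$broad = 'S-1-5-11',       # Authenticated Users
         'S-1-5-32-545',   # BUILTIN\Users
         'S-1-1-0'         # Everyone

(Get-Acl -LiteralPath $LogDir).GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        # Entries stored with generic rights show up as raw numbers and are
        # not decoded here; review those by hand.
        [pscustomobject]@{
            Sid       = $_.IdentityReference.Value
            Inherited = $_.IsInherited
            Rights    = $_.FileSystemRights
            CanList   = [bool]($_.FileSystemRights -band $fsr::ListDirectory)
        }
    } | Format-Table -AutoSize
```

Any row with `CanList` set to `True`, typically an inherited entry for Users or Everyone, means the folder contents are still listable regardless of the rule added for Authenticated Users.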
