[Dshield] RE: [Dshield] Has anyone seen this? "æurity=Impersonation Dynamic False"

Bob Savage bsavage at rnr-inc.com
Thu Jul 11 13:19:40 GMT 2002


Yes, I have these same 1KB files appearing on my ISA server and I've
also been concerned and curious.  Wayne's question prompted me to do a
little research.

I was able to match the two most recent file creation times to success
audit events in the security log.  These events are ID # 617, "Policy
Change".

In the Microsoft Knowledge Base I found the following information in
Q272460:

"When the "Audit policy change" policy is enabled for either success or
failure in the Default Domain Policy or Default Domain Controllers
Policy Group Policy objects (GPO), a success event, event 617, is logged
in the Windows 2000 Security log regardless of whether or not a policy
change occurred. 

The following list describes when a Security policy is propagated by
default: 

	Every five minutes when the domain controller's GPO is refreshed

	Every 16 hours, regardless of whether or not a policy change has
	occurred

	When you use the SECEDIT /RefreshPolicy machine_policy /enforce
	command to propagate Group Policy changes"

Looks like the audit event is part of an automatic process just to show
the audit process is turned on.  Apparently the strange one line text
files are generated as part of this test/check/confirmation.

However, I was unable to turn up anything in the KB searching on the
file names or on the file content.  Also Google turned up nothing
useful.

The whole is probably harmless, but it's sure odd, isn't it?  If anybody
else knows more than this I'll be happy to change my mind!

Bob Savage
IT Manager
RNR, Inc.
Minneapolis, MN


Wayne Beckham wrote:

Our DNS server has recently popped up with a couple of dozen files,
apparently text files, all named something like
""æcurity=Impersonation Dynamic False" - no extension and a variety
of ASCII as the leading characters.

If you open the file with notepad, a single line is repeated over and
over again: "Error 0 to send control flag 0 over to server."

Has anyone else seen this?  Is it time to start worrying?
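
The matching step described in the reply above (file creation times against event 617 entries in the Security log), as an added example that is not part of the original messages. The file names, timestamps, log rows and the 60-second tolerance are constructed assumptions; a real run would read an exported Security log and the files' actual creation times.

```python
from bisect import bisect_left
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: (timestamp, event ID) rows as exported from a Security log.
SAMPLE_EVENTS = [
    ("2002-07-11 08:00:03", 617),
    ("2002-07-11 08:05:04", 617),
    ("2002-07-11 08:07:30", 528),  # different event ID, ignored by default
    ("2002-07-11 08:10:05", 617),
]

# Constructed sample: creation times of the unexplained files (placeholder names).
SAMPLE_FILES = {
    "odd_file_1": "2002-07-11 08:05:06",
    "odd_file_2": "2002-07-11 08:10:05",
    "odd_file_3": "2002-07-11 08:07:31",
}


def correlate(files, events, event_id=617, tolerance=timedelta(seconds=60)):
    """Pair each file with the nearest event of the given ID.

    Returns (matched, unmatched): matched maps file name to
    (event time, seconds from event to file creation); unmatched lists
    files with no such event inside the tolerance (assumed value).
    """
    times = sorted(datetime.strptime(ts, FMT) for ts, eid in events if eid == event_id)
    matched, unmatched = {}, []
    for name, created_s in files.items():
        created = datetime.strptime(created_s, FMT)
        i = bisect_left(times, created)
        # Only the event just before and just after the creation time can be nearest.
        candidates = times[max(i - 1, 0):i + 1]
        nearest = min(candidates, key=lambda t: abs(t - created), default=None)
        if nearest is not None and abs(nearest - created) <= tolerance:
            matched[name] = (nearest, (created - nearest).total_seconds())
        else:
            unmatched.append(name)
    return matched, unmatched


if __name__ == "__main__":
    hits, misses = correlate(SAMPLE_FILES, SAMPLE_EVENTS)
    for name, (when, delta) in hits.items():
        print(f"{name}: event 617 at {when} ({delta:+.0f}s)")
    print("no matching 617 event:", misses)
```

Files left in the unmatched list are the ones the policy-refresh explanation does not account for and are worth a closer look.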
