RE: security auditing under windows 2000 server
From: dave klimen (dave_at_netmedic.net)
Date: 06/27/03
- Previous message: Dirk Wierdemann: "Limiting the creation of new files to specific types."
- In reply to: Richard Worwood: "security auditing under windows 2000 server"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Richard Worwood'" <richardw@tdbnetworks.com>, <FOCUS-MS@securityfocus.com>
Date: Thu, 26 Jun 2003 22:46:45 -0400
Richard,
You have probably set the following for your auditing:
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 3
AuditDSAccess = 3
AuditAccountLogon = 3
3 = Audit success and failure,
and set:
AuditLogRetentionPeriod = 2
Which means "Do not overwrite, clear logs manually".
And set the following reg keys:
machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,1
machine\system\currentcontrolset\control\lsa\crashonauditfail=4,1
The problem with this is even on a moderately used server you would fill up
a 500MB security log in a few hours.
Even if you choose overwrite files after 1 day old, it would still overfill
the log.
Your choices are:
1. Shut off the
machine\system\currentcontrolset\control\lsa\auditbaseobjects (set to 0)
2. Set your AuditObjectAccess and AuditProcessTracking to failure only, not
success and failure.
These 2 options should allow you to clear and save your logs about every 5
or so days depending on the log size you pick.
3. Clear your security log every few hours. :) Definitely not a good choice.
4. Shut off the
machine\system\currentcontrolset\control\lsa\crashonauditfail (set to 0)
Hope this helps.
_____________________
Dave Kleiman
dave@netmedic.net
www.netmedic.net
"High achievement always takes place in the framework of high expectation."
Jack Kinder
-----Original Message-----
From: Richard Worwood [mailto:richardw@tdbnetworks.com]
Sent: Thursday, June 26, 2003 09:02
To: FOCUS-MS@securityfocus.com
Subject: security auditing under windows 2000 server
I've just configured a domain policy which requires full system auditing,
but ever since this has been configured we have been seeing issues whereby
the system is unable to write to the audit log and blue screens. I really
need some help in understanding what would cause this logging issue and what
can be done to alleviate it.
Thanks in advance
Richard
________________________________________________________
Richard Worwood, TDB Networks
4 High Street, Twyford, Berkshire RG10 9AE
Office: +44 (0) 118 934 0056
Mobile: +44 (0) 7771 662880
Email: richardw@tdbnetworks.com
Web: www.tdbnetworks.com
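
Added example, not part of the original thread: a small Python check that reads the text of a security template and reports the combination the reply describes (success auditing on the high-volume categories, base object auditing, and crashonauditfail together with a log that is not overwritten as needed). The sample template, the placement of AuditLogRetentionPeriod under [Security Log], the finding codes and the function names are constructed for illustration.

```python
import configparser

# Constructed sample template holding the settings quoted in the reply.
SAMPLE = r"""
[Event Audit]
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditProcessTracking = 3
[Security Log]
AuditLogRetentionPeriod = 2
[Registry Values]
machine\system\currentcontrolset\control\lsa\auditbaseobjects=4,1
machine\system\currentcontrolset\control\lsa\crashonauditfail=4,1
"""

LSA = r"machine\system\currentcontrolset\control\lsa" + "\\"
HIGH_VOLUME = ("AuditObjectAccess", "AuditProcessTracking")

def lsa_dword(cp, name):
    """Data part of 'type,data' for an Lsa value; 0 when the value is absent."""
    raw = cp.get("Registry Values", LSA + name, fallback="4,0")
    return int(raw.split(",", 1)[1].strip())

def findings(template_text):
    """Return finding codes for the log-fill and halt-on-full combination."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(template_text)
    out = []
    for key in HIGH_VOLUME:
        # Bit 0 of the audit value is "success" (1 = success, 3 = both).
        if cp.getint("Event Audit", key, fallback=0) & 1:
            out.append("SUCCESS_AUDIT:" + key)
    if lsa_dword(cp, "auditbaseobjects"):
        out.append("BASE_OBJECTS")
    # Retention 0 = overwrite as needed, so the log never fills.
    # Assumption: a template that omits the setting is not flagged.
    retention = cp.getint("Security Log", "AuditLogRetentionPeriod", fallback=0)
    if lsa_dword(cp, "crashonauditfail") and retention != 0:
        out.append("HALT_WHEN_LOG_FULL")
    return out

if __name__ == "__main__":
    for code in findings(SAMPLE):
        print(code)
```

Applying choices 1 and 2 from the reply leaves only HALT_WHEN_LOG_FULL, which is why the log still has to be saved and cleared on a schedule; choice 4 removes that finding as well.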