Re: Win2k Audit Logs - What happened here?
From: H C (keydet89@yahoo.com)
Date: 12/16/02
Date: Mon, 16 Dec 2002 13:41:32 -0800 (PST)
From: H C <keydet89@yahoo.com>
To: incidents@securityfocus.com
> We turned on Windows 2000 auditing for a particular
> user on our file server (SERVER1) and found some very
> interesting audit events, but we don't know what
> action actually triggered all the events. We noticed
> that a folder (Group1) and all of its subfolders have
> been accessed within 3 seconds. Yes, just within a
> few seconds. We thought the user (user2) might have been
> browsing through the folders and subfolders, but it
> just sounds impossible to browse all the folders in
> less than 3 seconds!! We also thought the user
> (user2) might have copied the whole folders and pasted
> them somewhere... This will sound more logical to do in 3
> seconds...
Have you thought of asking the user? Also, since the
events you posted are all success events, it would
seem that the user is performing authorized
activities...so, what's the point?
> So, what do you guys think?
Honestly? You really need to put more thought into
what auditing you enable.
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com