Re: File access auditing fills security log too fast

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 03/19/05


Date: Sat, 19 Mar 2005 11:28:50 -0500

I agree with the other two posts. You should probably not be auditing
successful file accesses for all files, especially if you have no plans to
ever look at those logs. Some sane recommendations are given in the Win2K
security guides at www.nsa.gov/snac and in the Windows 2003 security guide
at www.microsoft.com/technet/security. Some guides like DISA and possibly
NIST tell you to enable way too much auditing.

I would also suggest you make your auditing log somewhat larger, and
consider changing the event log to overwrite events as necessary, and/or
don't forbid users from logging in when the logs fill up. Those are old
recommendations that are no longer advisable. System availability is a part
of computer security, and so good security settings should not interfere so
severely with availability. The latest MS windows 2003 security guide above
gives the latest guidance, and NSA approves the MS guidance.

If you are really bound to preserve all of these events [I hope you are
not], then you could consider using something like NTSYSLOG or a host-based
IDS like ISS or better yet Enterasys Dragon to spit all of those log entries
to a central syslog server using encrypted and authenticated channels such
as IPsec with PKI machine certificates. However, if these things fill up
your logs, then logging all of these events on the network would also impact
your network bandwidth. Most people do filtering of events so that not
every event gets transmitted, as HIDS typically do.

"ParamusAdmin" <ParamusAdmin@discussions.microsoft.com> wrote in message
news:8839A676-F174-4B92-B388-7403204BD453@microsoft.com...
> I am attempting to enable file and application auditing to meet HIPAA
> compliance. The issue I am having is the security log fills up way too
> fast, eventually locking out all but administrators from logging on. I
> know I can disable this, but I would rather just audit when the file or
> app was accessed and by whom. I have been experimenting with the auditing
> settings, but no matter what I do, even opening one folder creates 10
> security items in the event log. Does anyone have any tips on how to
> narrow down what is entered into the event log?
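The advice in the reply above (narrow the SACL so reads are not audited, enlarge the Security log and let it overwrite, stop the "only administrators can log on" lockout, and filter before forwarding) as an added PowerShell example. This is not code from the original thread or from any of the guides it cites. It assumes a current Windows server run as Administrator; the folder path D:\PHI and the 256 MB log size are assumptions, and the Get-WinEvent filter uses event ID 4663, the Vista/2008-and-later object access event (the Windows 2003-era equivalent is 560), so that last step will not apply on the poster's 2003 box.

```powershell
# Added example, not from the original post. Run as Administrator.
# Assumed values: the folder being audited and the log size.
$folder     = 'D:\PHI'    # assumption: folder holding the files you must audit
$logSizeKB  = 256MB / 1KB # assumption: 256 MB Security log

# 1. Narrow the SACL. Audit only writes/deletes (success and failure), not
#    ReadData/ListDirectory, so browsing the folder stops generating events.
$acl     = Get-Acl -Path $folder -Audit
$rights  = [System.Security.AccessControl.FileSystemRights] `
           'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags] 'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               'Everyone', $rights, $inherit, $prop, $flags)
$acl.SetAuditRule($rule)   # replaces any existing audit rule for Everyone
Set-Acl -Path $folder -AclObject $acl

# 2. Make the Security log larger and let it overwrite as needed instead of
#    stopping when full.
Limit-EventLog -LogName Security -MaximumSize ($logSizeKB * 1KB) `
               -OverflowAction OverwriteAsNeeded

# 3. Turn off "Audit: Shut down system immediately if unable to log security
#    audits". CrashOnAuditFail=1 halts the box when the log fills; after a
#    halt it becomes 2, which is the state where only administrators can
#    log on. 0 disables the behaviour.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                 -Name CrashOnAuditFail -Value 0 -Type DWord

# 4. Filter before forwarding: keep only object-access events (4663) whose
#    AccessMask includes WriteData (0x2), AppendData (0x4) or DELETE (0x10000).
#    The returned objects are what you would hand to a syslog forwarder.
function Get-WriteAuditEvents {
    param([int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            $mask = [int]($data | Where-Object Name -eq 'AccessMask').'#text'
            if (($mask -band 0x10006) -ne 0) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                    Object  = ($data | Where-Object Name -eq 'ObjectName').'#text'
                    Mask    = ('0x{0:X}' -f $mask)
                }
            }
        }
}

Get-WriteAuditEvents -MaxEvents 200 | Format-Table -AutoSize
```

Step 1 is the one that actually addresses "opening one folder creates 10 security items": the SACL entry that audits ReadData/ListDirectory for Everyone is what fires on every Explorer browse, and the rule above deliberately leaves those rights out. Steps 2 and 3 match the reply's point that availability is part of security; check your organisation's policy before changing CrashOnAuditFail, since some compliance baselines still mandate it.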
