Re: Logging activity on client PCs
- From: "Steven L Umbach" <n9rou@xxxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 25 Aug 2006 18:25:33 -0500
The first thing that I would do is to verify that only those files/folders
that need to be shared are shared and then that only authorized users/groups
have the minimum needed permissions to the shares. For shares you need to
configure both share and the underlying folder/NTFS permissions to restrict
access. The link below explains more if you need more information:
http://www.mcmcse.com/microsoft/guides/ntfs_and_share_permissions.shtml
Yes you can audit access to folders/files but it is not very user friendly.
First you need to enable auditing of object access on the server and then
enable auditing of the folders/files you want to audit which will show what
users are accessing the files for the permissions you audit. To minimize the
object access events only audit the bare number of objects for the bare
number of permissions to accomplish what you want. Even so you will have
thousands of object access events in the security log so be sure to increase
the size substantially to like 50MB. To sift through all those events you
can use the free Event Comb from Microsoft and it can search for specific
events and text strings like a file or folder name and permission. I don't
know of a way that you can determine the application being used to access
data on the server itself unless the application is known to use specific
ports for access and it may be the case where a user is downloading data and
then using his application to open it. Enabling auditing of process tracking
on the client computer could give that information and by matching
timestamped events to the server for object access events you may find out
what you want assuming the computers are pretty much in synch time wise.
Anyhow auditing as I described is a start and the link below explains more
on how to implement it.
Steve
http://support.microsoft.com/default.aspx?scid=kb;en-us;300549 --- also
applies to XP and W2003
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/smpgch02.mspx
-- info on Event Comb and where to download it.
"Skc" <Skc@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:456A62DB-A9EE-4FEB-9B36-D8B38D411667@xxxxxxxxxxxxxxxx
I have a Windows 2000 Server machine acting as a member server on a SBS 2003
domain.
The member server is a file server, with shared volumes which clients map to.
One particular drive contains .dbf and .mdx dBase 5.7 proprietary software,
where the developer has suspected someone has opened a .dbf in "exclusive"
mode, hence locking the file. He suspects that it could be Excel/Access or
FoxPro. This file has read/write access because it records what users have
entered as search parameters in the software.
What I am concerned about is the fact that someone on the network is opening
the files and maybe gaining knowledge of the table structures etc... of this
software.
So, is there:
1) a logger software I can install onto the server or clients that logs
every file opened/accessed?
2) a logger software which I can install onto the server only which can tell
me if a file was opened by a third party program, i.e. Excel/Access?
3) someone to help me???
3) someone to help me???
Thanks,
S
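
The timestamp matching described in the reply above, as an added example that is not part of the original post: for each object access event on the server it lists the programs that user had running on a client at that moment, allowing for clock skew. The event IDs (560 object open, 592 process created, 593 process exited, as logged by Windows 2000/XP/2003) are not given in the post, and the record layout, field names, users, hosts and paths are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample rows (not real logs), simplified from Security log exports.
# Event IDs as used on Windows 2000/XP/2003: 560 object open (server),
# 592 process created and 593 process exited (client, process tracking).
SERVER_EVENTS = [
    {"id": 560, "time": "2006-08-25 10:15:30", "user": "jdoe", "object": r"D:\Data\search.dbf"},
    {"id": 560, "time": "2006-08-25 10:20:00", "user": "jdoe", "object": r"D:\Data\readme.txt"},
    {"id": 560, "time": "2006-08-25 11:02:10", "user": "asmith", "object": r"D:\Data\search.dbf"},
]
CLIENT_EVENTS = [
    {"id": 592, "time": "2006-08-25 08:00:00", "host": "PC1", "user": "jdoe", "pid": 800, "image": "explorer.exe"},
    {"id": 592, "time": "2006-08-25 09:00:00", "host": "PC1", "user": "jdoe", "pid": 1200, "image": "WINWORD.EXE"},
    {"id": 593, "time": "2006-08-25 09:30:00", "host": "PC1", "pid": 1200},
    {"id": 592, "time": "2006-08-25 10:14:50", "host": "PC1", "user": "jdoe", "pid": 1200, "image": "EXCEL.EXE"},
    # PC2's clock runs about a minute fast relative to the server.
    {"id": 592, "time": "2006-08-25 11:03:00", "host": "PC2", "user": "asmith", "pid": 440, "image": "MSACCESS.EXE"},
]

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def process_lifetimes(client_events):
    """Pair 592/593 events into lifetimes; PIDs are reused, so key on the open one."""
    done, running = [], {}
    for e in sorted(client_events, key=lambda e: e["time"]):
        key = (e["host"], e["pid"])
        if e["id"] == 592:
            running[key] = {"user": e["user"], "image": e["image"], "start": ts(e["time"]), "end": None}
            done.append(running[key])
        elif e["id"] == 593 and key in running:
            running.pop(key)["end"] = ts(e["time"])
    return done

def correlate(server_events, client_events, name, skew=timedelta(minutes=2)):
    """For each open of `name` on the server, list what that user had running."""
    procs, hits = process_lifetimes(client_events), []
    for e in server_events:
        if e["id"] != 560 or name.lower() not in e["object"].lower():
            continue
        when = ts(e["time"])
        live = [p for p in procs if p["user"].lower() == e["user"].lower()
                and p["start"] - skew <= when
                and (p["end"] is None or when <= p["end"] + skew)]
        live.sort(key=lambda p: p["start"], reverse=True)  # most recently started first
        hits.append((e["time"], e["user"], [p["image"] for p in live]))
    return hits

if __name__ == "__main__":
    for hit in correlate(SERVER_EVENTS, CLIENT_EVENTS, "search.dbf"):
        print(hit)
```

The result narrows the candidates rather than proving which program opened the file; a skew window wider than the real clock difference adds false matches.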