Re: Track user behaviour through event log

From: Eric Fitzgerald [MS] (ericf@online.microsoft.com)
Date: 06/05/02


The security log does NOT record user behavior - this is a really common
mistake people make. The security log records system actions, and whose
request initiated the action.

So, for instance, you may right-click and drag a file from a
\\server1\share1 window to a \\server2\share2 window in Explorer, and choose
"move" from the context menu.

You won't get an audit "User U used Explorer to move file F from Server1 to
Server2". Instead, you'll get a file delete audit on Server1 and (possibly)
an object access audit on the parent directory of \\server2\share2 that says
that the "create child" permission was used.

The audits are completely correct, from the system's point of view, but as
you see they don't convey the user's actions, but rather the system's view
of the user's actions.

Eric

--
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
"Søren Maigaard" <spam@maigaard.com> wrote in message
news:#f25zvJCCHA.1576@tkmsftngp04...
> Is there a program that can track user behaviour through the event log?
> That is, see which files she opens, when and how many, how many times she
> tries to log on and at what hours - and then create a profile for that user
> over time. If she then does something outside of this profile (for instance
> tries to access different files than she usually does and at 3 o'clock at
> night) it would alert the administrator. Is that possible?
>
> TIA,
>
> - Søren
>
>
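Eric's point is that the log records what the system did, not what the user meant, so a "move" can only be inferred by correlating the delete audit on one server with the create-child audit on another. The following is an added example (my code, not from the post or from Microsoft) that does that correlation over constructed sample records; the record fields and the 5-second pairing window are simplifications I assume, not the real Windows event schema.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Audit:
    """One security-log record reduced to the fields the correlation needs.
    Field names are a simplification (assumption), not the Windows schema."""
    when: datetime
    server: str
    user: str
    action: str   # "delete" or "create_child"
    path: str     # object the audit was recorded against

# Constructed sample records for the scenario in the post: user U drags
# report.doc from \\server1\share1 to \\server2\share2 and picks "move".
# Explorer copies first, then deletes, so the create-child audit on the
# destination's parent directory appears before the delete on the source.
SAMPLE = [
    Audit(datetime(2002, 6, 4, 16, 0, 1), "server2", "U", "create_child", r"\\server2\share2"),
    Audit(datetime(2002, 6, 4, 16, 0, 2), "server1", "U", "delete", r"\\server1\share1\report.doc"),
    # A delete with no create audit anywhere near it stays a plain delete.
    Audit(datetime(2002, 6, 4, 16, 5, 0), "server1", "U", "delete", r"\\server1\share1\old.txt"),
]

def infer_moves(audits, window=timedelta(seconds=5)):
    """Pair each delete with a create_child by the same user on a different
    server within `window` (either order). Returns (moves, plain_deletes).
    This is a heuristic: the log itself never says 'move'."""
    creates = [a for a in audits if a.action == "create_child"]
    used, moves, plain = set(), [], []
    for d in sorted((a for a in audits if a.action == "delete"), key=lambda a: a.when):
        match = next((c for c in creates if id(c) not in used
                      and c.user == d.user and c.server != d.server
                      and abs(c.when - d.when) <= window), None)
        if match:
            used.add(id(match))                 # each create explains one delete
            moves.append((d.user, d.path, match.path))
        else:
            plain.append(d.path)
    return moves, plain

if __name__ == "__main__":
    moves, plain = infer_moves(SAMPLE)
    for user, src, dst_dir in moves:
        print("inferred move by", user, ":", src, "->", dst_dir)
    for p in plain:
        print("plain delete:", p)
```

Because the destination audit is on the parent directory, the inferred move only names the target folder, not the new file name, which is exactly the information the system view does not carry.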

