Re: Auditing File Access - SYSTEM
From: Eric Fitzgerald [MSFT] (ericf_at_online.microsoft.com)
Date: 04/29/03
- Next message: Tony: "Re: Event ID 537 Kerberos errors"
- Previous message: Eric Fitzgerald [MSFT]: "Re: Kerberos event logging (LogLevel registry value)"
- In reply to: Jason Garms [MS]: "Auditing File Access - SYSTEM"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Apr 2003 15:28:14 -0700
Also, don't audit for "full control", or for reads of any sort- audit only
for writes.
For files, my recommendation would be to audit the following accesses:
Create Files/Write Data
Create Folders/Append Data
Delete
Change Permissions
Take Ownership
You might want to restrict your auditing to include only "Authenticated
Users", instead of "Everyone", as Jason suggests.
MACS will be released with Windows Server 2003 SP1 this fall.
--
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation

This posting is provided "AS IS" with no warranties, and confers no rights.

"Jason Garms [MS]" <JasonG@Microsoft.Com> wrote in message news:004f01c30dc5$4053d4a0$3301280a@phx.gbl...
> Hi Rob,
>
> Unfortunately, there is no easy way to do this, aside from
> post-filtering (dumping the logs to a DB and analyzing).
>
> Your two closest options are:
> 1. Instead of putting "everyone" on the audit control,
> which I assume is what you did, you can put "users", or
> some other SIDs that are closest to what you really need
> to audit, but do not include the SYSTEM account.
> 2. Take a look at the MACS component. That's the Microsoft
> Audit Control Service (system?). It's an audit control
> collector. You run an agent on systems you manage, deploy
> a collector service, and specify what events you want to
> push to the central collector. You could simply not
> forward up SYSTEM-generated object access events. MACS is
> currently in beta, so depending on the timing of your
> needs, it might be useful. Also, there are 3rd-party
> components that provide some similar functionality that
> you might look into.
>
> best,
> -jasong
>
> >-----Original Message-----
> >Windows 2000 Member Server
> >
> >I can enable auditing of File / Directory access, but when I enable
> >OBJECT and FILE access auditing for the Local Computer Policy to make
> >this happen, I get lots of alerts from the SYSTEM account which I am
> >not interested in.
> >
> >I need to audit access for everyone as it is for legal reasons but is
> >there any way that I can stop the Security Log flooding with alerts
> >from the SYSTEM account?
> >
> >I understand that this is based on the opening and closing of handles,
> >but is there a way to cut down on the "spurious" alerts at all.
> >
> >Any help would be much appreciated.
> >.
> >
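The SACL Eric recommends (write-type accesses only, scoped to Authenticated Users rather than Everyone), as an added PowerShell example that is not from the thread; the folder path is a placeholder, the script must run elevated, and "Audit object access" must already be enabled in the audit policy or the entries produce no events:

```powershell
# Added example, not from the thread: apply Eric's recommended audit entries
# to one folder and verify the resulting SACL. Requires an elevated prompt
# (SeSecurityPrivilege is needed to read and write SACLs).

$Path = 'D:\LegalShare'   # placeholder; set to the folder you must audit

# Audit Authenticated Users (S-1-5-11) instead of Everyone, as suggested above.
$Principal = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'

# Exactly the accesses listed in the reply, as FileSystemRights flags:
#   Create Files/Write Data     -> WriteData  (CreateFiles is the same bit)
#   Create Folders/Append Data  -> AppendData (CreateDirectories is the same bit)
#   Delete                      -> Delete
#   Change Permissions          -> ChangePermissions
#   Take Ownership              -> TakeOwnership
# ReadData/FullControl are deliberately left out: auditing them floods the log.
$Rights = [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::AppendData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
          [System.Security.AccessControl.FileSystemRights]::TakeOwnership

# Inherit to subfolders and files; record successful writes (add Failure if
# attempted-but-denied writes are also of interest).
$Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    $Rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit makes Get-Acl read the SACL as well as the DACL.
$Acl = Get-Acl -Path $Path -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# Verify: show every audit entry now in effect on the folder, so an accidental
# "Everyone / Full Control / Success, Failure" entry is easy to spot.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

Whether a given built-in account such as SYSTEM is still matched by the chosen principal depends on that account's token group membership, so check the verification output against a test write before relying on the filter.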