Too much auditing?

From: Invisible (orphi69_at_hotmail.com)
Date: 06/19/03
Date: Thu, 19 Jun 2003 05:15:14 -0700

Alright, so this isn't exactly a "security" question, it's
an "auditing" question... but I wasn't quite sure where
else to put it.

Anyway, getting to the point... I see that the folks over
at my company's American branch have put together a
standard Group Policy for all AD domains. One of the more,
um, "interesting" items was their auditing settings: they
propose to overwrite event logs as needed, set the event
log sizes to 512KB each, and audit EVERYTHING.

Yes, you heard me: everything. Logon, logoff, GP change,
account change, system events, process events, EVERYTHING.

Now, I myself happen to think this is a fairly silly idea -
 especially since the event logs will probably only be
looked at by a human being roughly once a year (unless
something stops working - if you follow ;-).

For starters, I'm told auditing Process events is only
supposed to be used for debugging, and generates masses of
very verbose events about just about anything any thread
on the system ever does.

In short, SURELY these people are just going to end up
with event logs that only cover the last 7 minutes of
server activity and contain nothing of any value at all.
(Or if they do, it's totally buried among all the junk!)

Now, what I want to know is this: have I totally
misunderstood how Windows 2000 works, or are my American
friends actually air-heads?

Thanks.
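The concern raised in the post (a small, circularly overwritten log that audits everything retains only minutes of history) can be measured rather than guessed. The following is an added example, not part of the original post or its replies: it reads the Security log's configured size and retention mode, works out how much wall-clock time the retained records actually span, and lists which audit subcategories are switched on. It assumes a current Windows host with PowerShell 5.1 or later, run from an elevated session that can read the Security log; Get-WinEvent and auditpol did not exist on the Windows 2000 systems the post is about, so this is the modern equivalent of the check, not something the poster could have run.

```powershell
# Added example (not from the original post). Measures how much history the
# Security log really retains under its current size and overwrite settings.
# Assumes PowerShell 5.1+, an elevated session, and a modern Windows host.

function Get-SecurityLogRetention {
    [CmdletBinding()]
    param(
        [string]$LogName = 'Security'
    )

    # Log configuration: size limit, retention mode, record count, file size.
    $log = Get-WinEvent -ListLog $LogName

    # Newest and oldest records currently held in the log.
    $newest = Get-WinEvent -LogName $LogName -MaxEvents 1
    $oldest = Get-WinEvent -LogName $LogName -MaxEvents 1 -Oldest

    $span  = $newest.TimeCreated - $oldest.TimeCreated
    # Guard against a nearly empty log (zero span) when computing a rate.
    $hours = [math]::Max($span.TotalHours, 1 / 3600)

    # If the log has not filled yet, extrapolate the retention window it will
    # offer once it reaches its configured maximum size.
    $projectedHours = if ($log.FileSize -gt 0 -and $log.FileSize -lt $log.MaximumSizeInBytes) {
        $span.TotalHours * ($log.MaximumSizeInBytes / $log.FileSize)
    } else {
        $span.TotalHours
    }

    [pscustomobject]@{
        LogName               = $log.LogName
        LogMode               = $log.LogMode          # Circular = "overwrite events as needed"
        MaxSizeMB             = [math]::Round($log.MaximumSizeInBytes / 1MB, 2)
        CurrentSizeMB         = [math]::Round($log.FileSize / 1MB, 2)
        RecordCount           = $log.RecordCount
        OldestEvent           = $oldest.TimeCreated
        NewestEvent           = $newest.TimeCreated
        RetentionHours        = [math]::Round($span.TotalHours, 2)
        ProjectedHoursAtMax   = [math]::Round($projectedHours, 2)
        EventsPerHour         = [math]::Round($log.RecordCount / $hours, 0)
    }
}

# Lists every audit subcategory that is currently enabled for success,
# failure, or both; subcategories set to "No Auditing" are filtered out.
function Get-EnabledAuditSubcategories {
    auditpol /get /category:* |
        Where-Object { $_ -match 'Success|Failure' } |
        ForEach-Object { $_.Trim() -replace '\s{2,}', ' : ' }
}

Get-SecurityLogRetention | Format-List
Get-EnabledAuditSubcategories
```

RetentionHours is the number that answers the post's question directly: with LogMode set to Circular and a small MaxSizeMB, it shows how far back an investigator could actually look. Compare it against how often anyone reads the log; if the window is shorter than the review interval, either the log needs to grow, the noisiest subcategories (Detailed Tracking, for instance) need to be turned off, or the events need to be forwarded off the host before they are overwritten. The audit policy listing shows which subcategories are contributing to the volume.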
