Re: auditing help needed

From: Steven L Umbach (n9rou_at_nsattbi.com)
Date: 06/27/03


Date: Fri, 27 Jun 2003 00:10:05 GMT


Hi Thomas. Though your plan sounds reasonable, in reality it will not be
viable because if you audit access to all files and folders you will
generate tens of thousands of entries in the security log in probably an hour
or two. I was just replying to another post where I mentioned that I enabled
auditing of a folder for just list/read data and one access of folder caused
nine entries in the log. Auditing of files and folders certainly has its
place, such as on very sensitive data or where you are trying to track down
a malicious user based on other evidence, etc. I would suggest concentrating
more on making sure proper share/ntfs permissions are in place and possibly
using EFS encryption for sensitive data, only after you understand how it
works and all the risks involved. You may also find auditing of account log
on and log on events to be more productive for tracking malicious behavior.
Anyhow to answer your question. It is best to enable auditing on domain
controllers at the domain controller policy level. For other domain
workstations/servers you may be able to do it at the local policy level if
there is no domain/OU policy overriding the auditing settings - by default
there is not, but you can always check by viewing the "effective" policy
setting on the Local Security Policy of a computer. If you want to enable
auditing on a large group of computers you could move them to a new OU and
implement the policy for that OU via a new GPO that you would have to create
and configure. If you enabled auditing at the domain policy level, it would
affect all computers [except domain controllers in their container] that are
in the default computer container. Keep in mind that group policies work
only on W2K/W2003/XP Pro computers. --Steve

http://www.labmice.net/security/
http://securityadmin.info/faq.htm

<supamaki@nospam.hotmail.com> wrote in message
news:26vlfvkrpl5lf6qq2o8nudbiuoqib6o2nj@4ax.com...
> I'm interning at a small company, about 100 users, in 4 offices all
> linked together. It's 1 domain, with, I think 2 Domain controllers. I
> want to enable auditing on every file/folder for failure so I can see
> which files people are trying to access. I don't know if I should be
> setting this up as a local policy, or group policy, or if I need to
> create an OU to get this done. I'm pretty much stumped, and I looked
> through Microsoft's site to find descriptions of things, but not how
> to implement. I'd also like to enable success&failure on certain
> folders that I know some people are making changes to, but I'll get to
> that later.
>
> I'd appreciate any help.
> Thomas
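
The reply's advice to audit only selected sensitive folders rather than every file, shown as an added example that is not part of the original thread: it attaches a failure-only audit rule to one folder and then counts the object-access events generated in the last hour. It assumes a current Windows system with PowerShell, an elevated session, and that "Audit object access" is already enabled by policy; the path `D:\Finance` and the event IDs 4656/4663 (the modern object-access events) are assumptions not taken from the thread.

```powershell
# Added example: scope failure auditing to ONE folder and measure the log volume.
# Assumptions: elevated session; "Audit object access" (Failure) already enabled
# by local or group policy; D:\Finance is a hypothetical sensitive folder.
param(
    [string]$Path      = 'D:\Finance',   # hypothetical path
    [string]$Principal = 'Everyone'
)

# Audit only failed attempts to read/list, write, or delete.
$rights    = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]::Failure

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, $rights, $inherit, $propagate, $flags)

# Get-Acl returns the SACL (audit entries) only when -Audit is specified.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm what is now audited on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited

# Run this part later: count object-access events from the last hour to see
# how quickly even one audited folder fills the Security log.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656, 4663     # handle requested / object accessed
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | Group-Object Id | Select-Object Name, Count
```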


