Re: How to apply file/folder auditing

From: Rich S. (mis_manager_at_judsoncenter.org)
Date: 08/08/03


Date: Fri, 8 Aug 2003 09:32:50 -0400


More/less as a quick test, I simply selected all the available "failure"
options from the auditing tab of a share's properties. The reason I'm taking
this (as a first-try approach) is the simplicity, although I may not stick
with this in favor of a group policy. Right now, all my servers are in 2
OUs: Domain Controllers and Computers. Can you give me a hint as to
setting this up via Group Policies? That is still an area that I have a lot
to learn about.

Thanks,
Rich

"Steven L Umbach" <n9rou@nsattbi.com> wrote in message
news:IJEYa.93307$YN5.67378@sccrnsc01...
> You could enable auditing of object access which would then give you
> the ability to set auditing of files and folders. You can do this at the
> Local Security Policy level if the domain policy does not override it or put
> those servers you want to audit in their own Organizational Unit and apply a
> separate policy to just them. You need to audit just the bare minimum or you
> will have a huge amount of entries. Try enabling auditing of just folders
> and subfolders for just the administrators group and only for change
> permissions. --- Steve
>
> http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
> http://www.brienposey.com/kb/auditing_events,_part_3.asp
>
>
> "Rich S." <mis_manager@judsoncenter.org> wrote in message
> news:#ppmfkRXDHA.1004@TK2MSFTNGP12.phx.gbl...
> > Hello,
> >
> > I think this issue is security related so I hope this is the correct list.
> >
> > My agency has had several instances where permissions change on shared
> > folders and sub-folders. I try to also apply security using groups. In
> > each instance, a security group seems to have been removed and/or replaced.
> > We have multiple users in my company with administrator privileges but of
> > course no one admits to changing anything. Political forces are currently
> > preventing taking steps to be more secure (renaming the administrator
> > account, assigning a 2nd account w/admin rights for the individuals,
> > changing and keeping admin account password private, etc).
> >
> > As a result of this, I would like to set auditing for basically everything
> > on our file (and other role (i.e. database, application...)) servers. Because
> > they all have multiple Gb of files, I don't want to sit for hours and watch
> > this happen at my desk or do it in the middle of the day and impact system
> > performance. Can anyone suggest a relatively quick / efficient way to do
> > this? Are these viable options?
> >
> > Group Policy
> > Windows Scripting
> > Other programmatic methods
> > Set the audit changes just before leaving for the weekend?
> > Anything else
> >
> > TIA,
> > Rich
> >
> >
>
>
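
The approach suggested in the reply above (enable object-access auditing, then audit only change-permissions by the Administrators group on folders and subfolders), as an added PowerShell example that is not part of the original thread. It assumes a current Windows Server with `auditpol` and PowerShell 5 or later, an elevated prompt, and a hypothetical share path in `$Path`.

```powershell
# Added example, not from the thread. Run elevated: reading and writing a
# SACL requires the "Manage auditing and security log" privilege.
$Path = 'D:\Shares\Example'   # hypothetical share root (assumption)

# 1. Enable the object-access audit policy on this server. Without it the
#    folder's audit entries (SACL) generate no events. A domain GPO that
#    defines the same setting overrides this local change.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Describe what to audit: the built-in Administrators group, the
#    "Change permissions" right only, on this folder and its subfolders.
$admins = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::BuiltinAdministratorsSid, $null)

# Success records who changed an ACL; Failure records denied attempts.
# Logging both is an assumption of this example.
$auditFlags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $admins,
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # subfolders, not files
    [System.Security.AccessControl.PropagationFlags]::None,
    $auditFlags)

# 3. Add the rule to the existing SACL. Subfolders pick it up through
#    inheritance, so there is no need to touch every file individually.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 4. Read the SACL back to confirm what is now audited.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 5. Later, list recent "permissions on an object were changed" events
#    (Security log, event ID 4670) to see which account made a change.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```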


