Re: Auditing object access from network

kenw_at_kmsi.net
Date: 08/19/03


Date: Tue, 19 Aug 2003 17:51:16 GMT


Thank you for that long, detailed posting that, again, doesn't address my
question.

PLEASE READ THIS POSTING CAREFULLY. IN THE MESSAGE BELOW, I WILL
CAPITALIZE KEY POINTS TO REDUCE CONFUSION.

This issue is on a Windows 2000 Active Directory domain controller and file
server with domain member clients accessing the target file structure via
normal network shares. It is the only such server in the domain, which
consists of the server and fewer than 10 workstations. All configuration was
performed while logged into the Administrator account on the domain
controller.

I want to audit file deletions in specific directories of a file server,
and I AM ABLE TO DO THAT, with limitations that are the entire point of
this thread.

THE PROBLEM, again, is that IT ONLY AUDITS DELETIONS BY LOCALLY LOGGED-IN
USERS, NOT BY USERS ACCESSING FILES VIA THE NETWORK. It almost appears
that file deletions on behalf of remote users, by system processes (e.g.,
the SMB server), are not auditable on the server where the files are
located. Is that possible?

When enabling auditing on a directory, it appears (unless I'm blind) that
one must specify a user group to audit. One cannot configure to log all
access regardless of user group. Seems screwy, but there you are.

It seems reasonable, in that case, to select the group "Everyone"; but how
can I be sure that there is not some system process that is not a member of
"Everyone"? If so, it could explain my results. And if that is the case,
what should I do? I could:
a) Set up auditing ACLs for every entity in Active Directory, to be sure I
don't miss anything?
b) Try to set up Group Policies to enable auditing of remote file access on
every client workstation? It is possible to access these files from systems
that don't implement group policies, thus defeating this measure.

Is it possible for some system process to delete files without being
audited at all?

NO MATTER WHO IS DELETING THE FILES, OR HOW, I WANT TO KNOW WHO IS DOING
IT, and when.

To summarize, I CAN ALREADY AUDIT LOCAL FILE DELETIONS. I CAN'T AUDIT
NETWORK DELETIONS.

QUESTION: WHAT CAN CAUSE THAT DIFFERENCE? IS THERE ANYTHING SPECIAL ONE
MUST NORMALLY DO TO AUDIT NETWORK FILE ACCESS VERSUS LOCAL ACCESS? E.g.,
must I use a group other than "Everyone"? Is this documented anywhere?

On Thu, 14 Aug 2003 14:14:08 GMT, you wrote:

>NOTE: If your computer is connected to a network, security logging may be
>restricted or disabled by a network policy.

NOTE: I clearly stated in my previous postings, more than once, that this
is a network issue. That's the whole point. What policies can disable
network access auditing and still allow local access auditing?

>Security auditing for workstations, member servers, and domain controllers
>can be enabled remotely only by domain administrators. To do this, create
>an organizational unit, add the appropriate machine accounts to the
>organizational unit, and then use Active Directory Users and Computers to
>create a policy to enable security auditing.

What do you mean by "for" domain controllers? Do you mean "on" them? Are
you saying that if I want to audit access to files on a file server by a
remote networked workstation, I have to enable auditing on that remote
workstation, rather than on the file server? Where is this documented?

Please, let's dispense with the boilerplate "auditing for dummies" stuff,
OK? I've already indicated I know the basics, and have implemented them
successfully.

The problem, as I have tried unsuccessfully to make clear, is in an aspect
of the details, which no one seems to have even taken the time to notice,
let alone address. I'm getting a little frustrated here; perhaps it shows.

/kenw
Ken Wallewein
Calgary, Alberta
kenw@kmsi.net
www.kmsi.net
Ken Wallewein CDP,CNE,MCSE,CCA,CCNA
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net
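The configuration the post describes (an audit entry on the directory for "Everyone", object-access auditing turned on, then reading the log to see who deleted what), written out as an added example; this is not code from the original thread or from Microsoft. It assumes a current Windows Server with PowerShell 5 or later, run from an elevated prompt, and uses the constructed placeholder path D:\Shares\Projects.

```powershell
# Added example, not from the original post: put a SACL on the shared
# directory that audits deletions by ANY account, then read back the
# delete events. Assumes a current Windows Server with PowerShell 5+,
# run elevated; D:\Shares\Projects is a constructed placeholder path.
$Target = 'D:\Shares\Projects'

# 1. Audit policy. The SACL below is ignored unless Object Access auditing
#    is on; the subcategory name is the English one.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. SACL. Audit Delete (0x10000) and DeleteSubdirectoriesAndFiles (0x40)
#    for Everyone, inherited by every file and subfolder. Everyone covers
#    authenticated network sessions, so SMB clients are included.
$acl  = Get-Acl -Path $Target -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Review. Event 4663 records the access actually used on a handle; the
#    SMB server impersonates the client, so SubjectUserName is the remote
#    user, not SYSTEM. SubjectLogonId can be matched to a 4624 with logon
#    type 3 to confirm the deletion came in over the network.
$deleteBits = 0x10000 -bor 0x40
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
  ForEach-Object {
    $d = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
      Time    = $_.TimeCreated
      User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
      LogonId = $d.SubjectLogonId
      Access  = $d.AccessMask
      Object  = $d.ObjectName
      Process = $d.ProcessName
    }
  } |
  Where-Object { $_.Object -like "$Target\*" -and (([int]$_.Access) -band $deleteBits) } |
  Format-Table -AutoSize
```

On Windows 2000 and 2003 the same SACL is set through the folder's Security tab and the corresponding events are 560/564 rather than 4656/4663, but the two-step requirement (audit policy plus SACL) is the same.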