Re: File Auditing confusion

From: Steven L Umbach (sumbach_at_nospam-ameritech.net)
Date: 03/04/04


Date: Wed, 03 Mar 2004 23:11:58 GMT

That is pretty much how auditing of folders/files works. You will get a LOT
of events. Try to audit the bare minimum of folders for bare minimum of
permissions from bare number of users - avoid auditing the everyone/users
group. If you want to see if an unauthorized user is trying to delete a
folder for instance, just audit permission to delete instead of every
permission. If you want to see who has accessed a folder, just audit read,
etc. You still will have a lot of events, though you can use filter view or
dump to a spreadsheet for further analysis. --- Steve

"TDM" <tdm3@verizon.net> wrote in message
news:1078354689.130026@cswreg.cos.agilent.com...
>
> I am completely confused on setting file auditing. I hope this does not
> get too verbose. Logistics, Win2K Pro, SP4, all security updates applied
> via windows update. Member of WORKGROUP, no domain account.
>
> After googling till I am blue in the face, I came to the conclusion that
> in order to audit file access, one needs to enable Object Access auditing
> so I did. No problems here. I then enabled file auditing on /temp for
> testing purposes, did some stuff in /temp and then looked at the security
> log. Sure enough, the auditing was there, but so was a ton of other
> useless banter about basically access to EVERY object on the system, be
> it a DLL, a .EXE, you name it, it was there. To put it in more detail,
> just the simple creation of a folder in /temp created a whopping 1.2MB
> log file. At this rate, the log file will fill up very fast, much faster
> than I would like. Then turn back on real time virus protection and the
> log file goes bonkers with object accesses from snortin Norton. I set the
> file size to 256MB and at this rate, I think it will fill up daily.
>
> From what I read on google, I was under the impression that you HAD to
> enable Object Access auditing to get file auditing which appears to be the
> case from testing, but I don't want all the other useless information.
> Have I missed something here, done something wrong? I simply want to
> audit file access on specific folders and forget all the other auditing.
> Any and all help is greatly appreciated.
>
> TIA
>
> TDM
>
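
The narrowing described in the reply above (one folder, one permission, one small group instead of Everyone), written out as an added example that is not part of the original thread. It assumes a current Windows version with PowerShell, an elevated session, and Object Access auditing already enabled; the folder `C:\temp` and the local group `Contractors` are hypothetical names.

```powershell
# Added example, not from the thread. Run elevated: reading or writing the
# audit list (SACL) requires the "Manage auditing and security log" right.
$path  = 'C:\temp'                            # hypothetical folder to watch
$group = "$env:COMPUTERNAME\Contractors"      # hypothetical local group

# -Audit makes Get-Acl load the SACL; without it the Audit list is empty.
$acl = Get-Acl -Path $path -Audit

# Broad setting to move away from: audit entries for Everyone (S-1-1-0).
# PurgeAuditRules removes the explicit entries for that identity; inherited
# entries have to be changed on the parent folder that defines them.
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$acl.PurgeAuditRules($everyone)

# Narrow setting: log only delete attempts, only for the one group,
# on this folder and everything below it, for both success and failure.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $group,
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)

Set-Acl -Path $path -AclObject $acl

# Confirm what is now audited, and which entries are still inherited.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

To track who reads the folder rather than who deletes from it, the same rule takes `Read` as its rights value.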


