Re: Auditing folder moves
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 06/04/04
- Next message: Steven L Umbach: "Re: "Cannot find the file rundll32.exe" problem"
- Previous message: Thomas: "Security on a user folder"
- In reply to: BJF: "Re: Auditing folder moves"
- Next in thread: BJF: "Re: Auditing folder moves"
- Reply: BJF: "Re: Auditing folder moves"
Date: Fri, 04 Jun 2004 15:57:19 GMT
I tried it out on a W2K server locally and I found that, after enabling auditing of
both delete permissions, when I moved [dragged and dropped] a subfolder named
New Folder from the folder being audited [inetpub], an event ID 560 showing a
delete was recorded in the security log, as shown below, while I was logged on as
administrator. --- Steve
Object Server: Security
Object Type: File
Object Name: C:\Inetpub\New Folder
New Handle ID: 1480
Operation ID: {0,761363}
Process ID: 1984
Primary User Name: administrator
Primary Domain: UMBACH1
Primary Logon ID: (0x0,0x9D4CA)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses DELETE
SYNCHRONIZE
ReadAttributes
"BJF" <bf001@abovetheline.biz> wrote in message
news:O5x7uOkSEHA.1732@TK2MSFTNGP09.phx.gbl...
> That was my assumption also, but I did a more thorough test and found out it
> doesn't work the way we expected. Let me know what you find out. Thanks.
> Ben
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:3pMvc.3790$%F2.549@attbi_s04...
> > Maybe I was wrong. I thought that a move would record a folder delete for that parent
> > folder - that would make sense. I will try some testing on my end and see if I can
> > find out anything. --- Steve
> >
> >
> > "BJF" <bf001@abovetheline.biz> wrote in message
> > news:OsUasDKSEHA.3528@TK2MSFTNGP09.phx.gbl...
> > > Steve,
> > > That's what I thought. I've been monitoring all deletes, and I
> > > *expected* that I'd catch the 'delete' part of the move. So much for
> > > expectations... Nothing was logged.
> > > I'd be satisfied if I could catch just the delete part, but it would be
> > > nice to also get the destination. How can I at least capture the delete
> > > part of the move event? I'm getting all other file/folder deletes in the
> > > system, just not those caused by a move.
> > > Ben
> > > "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> > > news:%vavc.29464$IB.12193@attbi_s04...
> > > > Moving is a two part operation - copy and delete. So you would need to audit the
> > > > destination folder for write permissions. Of course that is difficult since you do
> > > > not know exactly what folder that will be. Maybe you can configure permissions so
> > > > that users can not move folders by creating special permission for just the folder or
> > > > folder and subfolders while allowing them modify permissions to files or
> > > > subfolder. -- Steve
> > > >
> > > >
> > > > "BJF" <bf001@abovetheline.biz> wrote in message
> > > > news:u1FQGmASEHA.1216@TK2MSFTNGP10.phx.gbl...
> > > > > We've had some folders unexpectedly moved to odd places on our shared
> > > > > drive. We turned audit logging on, and that's capturing the deletes, but
> > > > > not the moves. If we rename a file, that gets captured. If we move it to a
> > > > > different folder, nothing shows up in the log.
> > > > > Any idea what we need to set to turn on logging of moved files and
> > > > > folders?
> > > > > Thanks in advance.
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>
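Added example, not part of the original thread: a Python parser for the event 560 text posted at the top of this message, which collects the multi-line Accesses list and reports a DELETE request on an object under a watched folder. The function names and the rule for choosing the user are assumptions; the sample event is the one from the message.

```python
import re
# Event 560 description, copied from the message above (Windows 2000 layout).
SAMPLE_560 = r"""Object Server: Security
Object Type: File
Object Name: C:\Inetpub\New Folder
New Handle ID: 1480
Operation ID: {0,761363}
Process ID: 1984
Primary User Name: administrator
Primary Domain: UMBACH1
Primary Logon ID: (0x0,0x9D4CA)
Client User Name: -
Client Domain: -
Client Logon ID: -
Accesses DELETE
SYNCHRONIZE
ReadAttributes
"""

def parse_560(text):
    """Split a 560 description into 'Key: value' fields and the access list."""
    fields, accesses, in_accesses = {}, [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = re.match(r"Accesses:?\s*(.*)$", line)
        if m:                               # first access shares the header line
            in_accesses = True
            accesses += [m.group(1)] if m.group(1) else []
        elif in_accesses and ":" not in line:
            accesses.append(line)           # continuation lines: one access each
        else:
            in_accesses = False
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields, accesses

def delete_under(text, watched_root):
    """Return a summary if DELETE was requested on watched_root or below, else None."""
    fields, accesses = parse_560(text)
    name = fields.get("Object Name", "")
    root = watched_root.rstrip("\\").lower()
    inside = name.lower() == root or name.lower().startswith(root + "\\")
    if "DELETE" not in accesses or not inside:
        return None
    # Assumption: "-" in Client User Name means a local action, so use the primary user.
    client = fields.get("Client User Name", "-")
    user = client if client != "-" else fields.get("Primary User Name", "-")
    return {"object": name, "user": user, "accesses": accesses}
```

Event 560 records the access requested when the handle was opened, so a match shows that DELETE was asked for on the source object, not where the folder ended up.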