Re: logging data accessed by user

From: jas0n (no_at_email.here)
Date: 04/27/05

• Next message: Roger Abell: "Re: logging data accessed by user"
• Previous message: Nunya Beeswax: "Decode Event 560"
• In reply to: Roger Abell: "Re: logging data accessed by user"
• Next in thread: Roger Abell: "Re: logging data accessed by user"
• Reply: Roger Abell: "Re: logging data accessed by user"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: Tue, 26 Apr 2005 23:02:42 +0100

In article <#vgMXgmSFHA.3444@tk2msftngp13.phx.gbl>, mvpNOSpam@asu.edu
says...
> Before you implement this, consider whether it will actually do
> what you are after. Yes, you could use a group that contains the
> accounts of concern (I would highly recommend not using Users
> or equivalent broad groups, but a more narrow custom group)
> and set a SACL to trigger event messages on all accesses.
>
> However, what I question is whether you would actually be able
> to make use of the information, whether you would really monitor
> the generated data and be able to detect "abnormal, suspect" access
> patterns. Beyond that, I question whether even if you did monitor
> the event log and detect such accesses within an actionable time
> if then you could/would be able to do anything about it. One day
> delay in taking action means the data travelled home that night.
>

Yes, its one of these top level 'wish list' items that just wont work in
the real world - that was my thinking as well. It would put a general
strain on things and hardly be utilised.

I mean, what could you call the group for starters, the 'untrusted'? ;)

I guess it may give them an idea of what could have gone ... although,
its not like we're internal country security or something!

---

• Next message: Roger Abell: "Re: logging data accessed by user"
• Previous message: Nunya Beeswax: "Decode Event 560"
• In reply to: Roger Abell: "Re: logging data accessed by user"
• Next in thread: Roger Abell: "Re: logging data accessed by user"
• Reply: Roger Abell: "Re: logging data accessed by user"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: logging data accessed by user ... I question whether even if you did monitor ... the event log and detect such accesses within an actionable time ... delay in taking action means the data travelled home that night. ... > prompted by the large scale use of usb memory sticks. ... (microsoft.public.win2000.security) Re: logging data accessed by user ... I question whether even if you did monitor ... >> the event log and detect such accesses within an actionable time ... >> delay in taking action means the data travelled home that night. ... removable storage items including usb sticks, cameras, cdrw, floppies, ... (microsoft.public.win2000.security) Re: Utility to monitor who accesses a particular directory? ... I think you want to look at event log management type tools then that can give you more of a spoon fed view. ... monitor to see who accesses it and attempts to access it. ... Ideally, I would like a program that monitors a directory, and writes to a log file each time someone accesses it, or attempts to. ... (microsoft.public.windows.server.security) Re: Utility to monitor who accesses a particular directory? ... driver to do something that is already available. ... monitor to see who accesses it and attempts to access it. ... a log file each time someone accesses it, or attempts to (we're in an AD ... (microsoft.public.windows.server.security) Re: logging data accessed by user ... I question whether even if you did monitor ... >> the event log and detect such accesses within an actionable time ... So we both see the potential high overhead and the potential for ... It is all in understanding what is "the watcher" of the untrusted. ... (microsoft.public.win2000.security)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(15)