Re: logging data accessed by user
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 04/27/05
- Next message: Roger Abell: "Re: Group Scope Question"
- Previous message: Nunya Beeswax: "Decode Event 560"
- In reply to:(deleted message) jas0n: "Re: logging data accessed by user"
- Next in thread: jas0n: "Re: logging data accessed by user"
Date: Tue, 26 Apr 2005 18:12:08 -0700
"jas0n" <no@email.here> wrote in message
news:MPG.1cd8cadd39a36324989688@news.microsoft.com...
> In article <#vgMXgmSFHA.3444@tk2msftngp13.phx.gbl>, mvpNOSpam@asu.edu
> says...
> > Before you implement this, consider whether it will actually do
> > what you are after. Yes, you could use a group that contains the
> > accounts of concern (I would highly recommend not using Users
> > or equivalent broad groups, but a more narrow custom group)
> > and set a SACL to trigger event messages on all accesses.
> >
> > However, what I question is whether you would actually be able
> > to make use of the information, whether you would really monitor
> > the generated data and be able to detect "abnormal, suspect" access
> > patterns. Beyond that, I question whether even if you did monitor
> > the event log and detect such accesses within an actionable time
> > if then you could/would be able to do anything about it. One day
> > delay in taking action means the data travelled home that night.
> >
>
> Yes, it's one of these top level 'wish list' items that just won't work in
> the real world - that was my thinking as well. It would put a general
> strain on things and hardly be utilised.
>
> I mean, what could you call the group for starters, the 'untrusted'? ;)
>
> I guess it may give them an idea of what could have gone ... although,
> it's not like we're internal country security or something!
:-) the "untrusted"
So we both see the potential high overhead and the potential for
lack of utilization. Why not ask them what the budget is for a
monitoring/alerting system that will make the logging useful,
and/or what percentage of a man-year is allocated to doing so?
It might make them think beyond just having the idea of "set up
a watcher on mass access to our proprietary info files".
It is all in understanding what is "the watcher" of the untrusted.
-- Roger
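
An added example, not part of the original messages: a minimal "watcher" of the kind the thread says the SACL-generated events would need before they are of any use. It flags an account the first time it touches many distinct files inside a short window; the record layout, account names, paths, window and threshold are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one line per audited access. The "time,account,path"
# layout is an assumption of this example, not a Windows export format.
SAMPLE = [
    "2005-04-26T09:00:00,CORP\\alice,D:\\proprietary\\spec-01.doc",
    "2005-04-26T09:40:00,CORP\\alice,D:\\proprietary\\spec-02.doc",
    "2005-04-26T14:05:00,CORP\\alice,D:\\proprietary\\spec-01.doc",
] + [
    # bob opens 12 different files in under a minute
    "2005-04-26T17:50:%02d,CORP\\bob,D:\\proprietary\\spec-%02d.doc" % (i * 5, i)
    for i in range(12)
]


def parse(line):
    """Split one record; maxsplit keeps commas inside the path intact."""
    stamp, account, path = line.strip().split(",", 2)
    return datetime.fromisoformat(stamp), account, path


def mass_access_alerts(lines, window=timedelta(minutes=10), threshold=10):
    """Return (account, time, distinct_count) the first time each account
    reaches `threshold` distinct objects within a sliding `window`."""
    recent = defaultdict(deque)  # account -> (time, path) pairs still in window
    alerted, alerts = set(), []
    for when, account, path in sorted(parse(l) for l in lines if l.strip()):
        q = recent[account]
        q.append((when, path))
        while when - q[0][0] > window:  # drop accesses older than the window
            q.popleft()
        distinct = len({p for _, p in q})  # re-reads of one file count once
        if distinct >= threshold and account not in alerted:
            alerted.add(account)
            alerts.append((account, when, distinct))
    return alerts


if __name__ == "__main__":
    for account, when, count in mass_access_alerts(SAMPLE):
        print(f"{when} {account}: {count} distinct files within 10 minutes")
```

The alert fires at the tenth distinct file, which only matters if something acts on it the same evening rather than the next day.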