Re: File Access Auditing on Exchange 2003 Server

From: Jimmy (Jimmy_at_discussions.microsoft.com)
Date: 06/29/05


Date: Wed, 29 Jun 2005 04:05:02 -0700

Checked that "audit the access of global system objects" is disabled.

Jimmy

"Steven L Umbach" wrote:

> Auditing of object access can make a huge amount of entries in the security
> log even when you have not enabled auditing on any folders yet. One thing to
> check is that in Local Security Policy [secpol.msc], or whatever appropriate
> security policy, the security option "Audit: Audit the access of
> global system objects" is disabled. I can tell you right now that keeping
> track of read activities will generate a huge amount of events. When you do
> audit a folder it is best to audit the absolute minimum number of permissions
> for the absolute minimum number of users/groups and avoid auditing for everyone,
> users, authenticated user groups but instead use a global/local group of
> just the users you want to track. The free MS tool Event Comb can help in
> tracking object access events and it can search by text string such as for
> filename or user name. The link below may help. --- Steve
>
> http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx
>
> "Jimmy" <Jimmy@discussions.microsoft.com> wrote in message
> news:9F05E958-9BFE-40E7-939F-F2A4BAB5BD89@microsoft.com...
> > Our company has an Exchange 2003 SP1 server that runs on Windows 2003 Std.
> > It will update to SP1 in a few weeks. The server also does file sharing
> > for all our 40+ users.
> >
> > We want to enable auditing to keep track of read/write activities on the
> > file shares. I did attempt to turn on Success/Failure of Object Access in
> > Local Security Policy. I didn't turn on auditing on any File System yet.
> > Then I discovered a lot of Exchange object access (ID 562) events were
> > tracked in the security log. Size increase is more than 6MB for merely an
> > hour. That makes auditing impractical to implement.
> >
> > Did I do anything wrong on the setup or is this a necessary evil of
> > auditing on E2K3?
> >
> > Jimmy
> >
>
>
>
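
The scoping advice in the quoted reply, as an added PowerShell example that is not part of the original thread: it reports the "Audit: Audit the access of global system objects" setting, warns about audit entries for broad groups, and adds one audit entry for write and delete rights for a single group. The folder path and group name are placeholders, PowerShell being available on the server is an assumption, and leaving reads out of the audited rights is a choice made here to keep event volume down.

```powershell
# Added example; run elevated (changing a SACL requires the "Manage auditing and security log" right).
# Placeholders, not values from the thread:
$Path  = 'D:\Shares\Finance'           # hypothetical shared folder to audit
$Group = 'EXAMPLE\Finance-Audited'     # hypothetical group containing only the users to track

# 1. Report the "Audit: Audit the access of global system objects" security option.
#    It is stored as AuditBaseObjects under the Lsa key; 0 or absent means disabled.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
if ($lsa.AuditBaseObjects -eq 1) {
    Write-Warning 'Global system object auditing is ENABLED; expect heavy object access logging.'
} else {
    Write-Output 'Global system object auditing is disabled.'
}

# 2. Read the folder's current SACL (-Audit is needed, otherwise audit entries are not returned).
$acl = Get-Acl -Path $Path -Audit

# 3. Warn about existing audit entries for broad principals, which the reply says to avoid.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning ("Broad audit entry: {0} / {1} / {2}" -f `
            $_.IdentityReference, $_.FileSystemRights, $_.AuditFlags)
    }

# 4. Build one narrow audit entry: writes, deletes and permission changes only, no reads.
$rights    = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group, $rights, $inherit, $propagate, $flags)

# 5. Add the entry and write the SACL back to the folder.
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 6. Show the resulting audit entries for review.
(Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

The audit entry only produces events while the Object Access audit policy is turned on, as it was in the original question.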


