Re: Enterprise file auditing



Great post, but still having some issues. I went through and created a
security template to just modify the SACLs on c:\Temp and did not specify any
other locations. In that same template I also enabled GPO Computer
Configuration->Windows Settings->Local Policies->Audit Policy and modified
"Audit Object Access" to Success and "Audit Privilege Use" to Success. I am
trying to keep the Security Log as clean as possible, but I am still getting
ridiculous amounts of Object Access events from c:\Windows\explorer even though
I am trying to not audit any of those directories. Any ideas on why I am
getting all the extra events?

"Roger Abell [MVP]" wrote:


"Dan Heim" <DanHeim@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E1907380-26E8-4DAE-855C-738D6C293D06@xxxxxxxxxxxxxxxx
Hi guys,

I am hoping anyone that is doing enterprise auditing can help out with this
one. We have a new project and it can really be broken down into 3
objectives:

First - Use auditing to monitor the modification and deletion of files on
workstations/servers
Second - Try to keep security logs as clean as possible by auditing only
certain folders and only the create/write data successes and delete success
events.
Third - Find a way through script or GPO to roll this out to all of our
workstations/servers

When I manually take a certain directory and audit with just successful
delete & create/write data it seems to work pretty well and not generate
too much other garbage.


OK, so I will not give the song and dance about getting all sorts of
extra stuff as users work, temp files, etc. but will take this as your
saying you have some audit settings you can live with.

1 - Is there a command line way to apply auditing that I could put in a
script? (I do not think Cacls will do it)


Cacls only does DACLs, not SACLs. The same is true for xcacls
and xcacls.vbs, but the last is provided in source (doh, .vbs right)
and recoding to do SACLs is possible following the exampled code
that is there for the DACLs.

IIRC SetAcl and FileAcls do handle SACLs - but you would be
better off doing this with GPO.


I am trying to use GPO to do it, but see 2 huge problems. First is I can
not get it to work. I have enabled GPO Computer Configuration->Windows
Settings->Local Policies->Audit Policy and modified "Audit Object Access" to
Success and "Audit Privilege Use" to Success and rebooted workstation and
they are getting and applying the GPO (verified with gpresult) but they are
not auditing file changes like they should.


Well, that enabled auditing of objects, but you do still need to name
which objects should be audited for what, right? Or, are you saying
that you have set the NTFS auditing (i.e. the SACLs).

2 - Is there anything I am missing there?


above

3 - If I do use GPO is there any way to narrow down the level of auditing to
just get results for deleting/modifying files similar to the way you can
when you do it manually?


Yes. In a GPO or security template there is a Filesystem section.
If you only want to set the auditing (SACL) and not the permissions
(DACL) then you cannot do this directly, but you can do it. If both
should be set then just use a GPO and define where to set both the
permissions and auditing and set it to replace (so it inherits on down
from that/those points). It may however be more convenient to set
an inheritable SACL at the very top, letting it inherit to all even
though parts of that "all" have different permissions (DACLs).

To set only the SACL you need to use the Security Templates
MMC snapin. Define a new, empty template, in the filesystem
section define the root area, and then edit the security. Do not
pay much attention to the permissions part, it will be deleted.
Access the Audit area and define what you want to generate an
audit record. Save the template, which will be a plain old text
file with .inf extension. Open the template in notepad. Find the
line starting with the path you defined. Look at the long SDDL
that encodes the permissions and auditing. The part that starts
with D:( is the DACL, the part that starts with S:( is the SACL.
Delete all of the DACL and save.

You then have a template, which you can import into a GPO.
You can edit that template to name a different path as needed
for importing to a different GPO that will target other machines
where the storage of concern is at a different location.

You probably should look up SDDL in the MSDN docs to help
you see what is what in the SDDL encoding.

4 - Is there anyone else out there doing something similar through a 3rd
party product they would recommend?

Keep an eye on the System Center product set MS is rolling out.

Roger
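Roger's notepad step, turned into a script as an added example (not code from the thread or from Microsoft): it keeps only the S: component of each [File Security] entry in a template and spells out what the surviving audit ACEs will log. The [File Security] line is constructed to resemble what the snap-in writes for c:\Temp, and the right-code and account-alias tables are just the subset needed to read it.

```python
"""Added example, not from the thread: apply Roger's notepad step to a
template (keep only S: in each [File Security] SDDL) and say what it audits."""
import re

# Constructed sample of what the Security Templates snap-in writes for
# c:\Temp: "path",mode,"SDDL"; mode 2 = replace permissions on children.
TEMPLATE = r'''[File Security]
"c:\Temp",2,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;0x1200a9;;;BU)S:PAR(AU;OICISA;DCSD;;;WD)"
'''
# SDDL two-letter right codes as they apply to files (Explorer GUI names).
FILE_RIGHTS = {"CC": "read data / list folder", "DC": "create files / write data",
               "LC": "create folders / append data", "DT": "delete subfolders and files",
               "SD": "delete", "WD": "change permissions", "FA": "full control",
               "FR": "read", "FW": "write", "FX": "read & execute"}
ACCOUNTS = {"WD": "Everyone", "BA": "Administrators", "SY": "SYSTEM", "BU": "Users"}

def split_sddl(sddl):
    """Map component letter to body; O:, G:, D:, S: are the only colons in SDDL."""
    marks = list(re.finditer(r"[OGDS]:", sddl))
    ends = [m.start() for m in marks[1:]] + [len(sddl)]
    return {m.group()[0]: sddl[m.end():end] for m, end in zip(marks, ends)}

def strip_dacl(sddl):
    """Delete the whole DACL (D:...) and keep owner, group and SACL untouched."""
    return "".join(f"{k}:{v}" for k, v in split_sddl(sddl).items() if k != "D")

def describe_audit_ace(ace):
    """Turn one (AU;flags;rights;;;sid) ACE into a sentence; None if not an audit ACE."""
    kind, flags, rights, _, _, sid = ace.strip("()").split(";")
    if kind != "AU":
        return None
    flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
    outcome = "/".join(n for f, n in (("SA", "success"), ("FA", "failure")) if f in flag_set)
    names = rights if rights.lower().startswith("0x") else ", ".join(
        FILE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2]) for i in range(0, len(rights), 2))
    scope = "this folder" + (", subfolders" if "CI" in flag_set else "") + (", files" if "OI" in flag_set else "")
    return f"{ACCOUNTS.get(sid, sid)}: {outcome} of {names} on {scope}"

def audit_summary(sddl):
    """Describe every audit ACE found in the SACL of an SDDL string."""
    sacl = split_sddl(sddl).get("S", "")
    return [d for d in map(describe_audit_ace, re.findall(r"\([^)]*\)", sacl)) if d]

def sacl_only_template(text):
    """Rewrite each "path",mode,"SDDL" template line so its SDDL carries no DACL."""
    entry = re.compile(r'^("[^"]+"),(\d),"([^"]+)"$', re.M)
    return entry.sub(lambda m: f'{m.group(1)},{m.group(2)},"{strip_dacl(m.group(3))}"', text)

if __name__ == "__main__":
    print(sacl_only_template(TEMPLATE), *audit_summary("S:PAR(AU;OICISA;DCSD;;;WD)"), sep="\n")
```

Run it against a real exported .inf before importing into the GPO; the summary line is the quickest way to confirm the SACL really only covers successful write/delete for the accounts you intended.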


