Audit object access and the Security log Win 2008

  • Audit object access and the Security log Win 2008

    Hi

    I'd like to ask for some help and discussion about forum members' experiences and approaches to Windows file auditing. My network is a Windows 2008 Domain. There are 35 machines in the domain.

    I was playing around with this yesterday and enabled auditing on our Windows 2008 Storage Server. I did this via the local security policy: Security Settings>Local Policies>Audit Policies>Audit object access and checked both success and failure. I had also set this via the default domain policy.

    Next, I turned on auditing for Authenticated Users for one folder and all its subfolders. There were about 15 - 20 people accessing data from this folder. I turned on the following Success Audit settings for the folder: Traverse folder/execute file, List folder/read data, Create files/write data, Create folders/append data, Delete subfolders and files and Delete.

    Just before I did this I saved and cleared the Security log and configured it to archive events when the log exceeded 20MB.

    Everything worked as it should - I could see security events being logged that showed Event IDs 5140 Share accessed, 4656 handle requested, 4658 handle closed, 4663 attempt to access object, and 4660 object deleted.

    What I was not expecting was that the security log would log so many events. In one hour 380MB of logs had been archived. One of the archived logs (remember they are 20MB each) was created and archived in just 20 seconds, but on average it took about 10 mins for the 20MB limit to be reached.

    So, after an hour's worth of logging I turned auditing off at both the local and GPO level, and removed auditing from the folder.

    Today, I enabled auditing via the local security policy only, leaving the GPO auditing settings alone (Audit object access = Not defined), and set up auditing for the same folder exactly as it was configured yesterday. The logging is far less intense than it was yesterday. In nearly three hours the log is just over 3MB in size which is quite acceptable (or is it?).

    So, what did I do wrong? Is it wrong to have both GPO and local security policy audit settings duplicated? What sort of log size do others see when object access auditing is turned on? Any good tips or tricks out there that anyone would like to share?

    Thanks!
    A recent poll suggests that 6 out of 7 dwarfs are not happy
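
    The folder SACL and policy check described in the post above, as an added PowerShell example that is not part of the original thread: it applies the same six Success audit rights for Authenticated Users with inheritance to subfolders, then prints the effective audit policy so the local-policy and GPO cases can be compared side by side. The folder path is an assumption; the session must be elevated because reading and writing SACLs requires SeSecurityPrivilege.

    ```powershell
    # Added example, not the original poster's configuration.
    # $Folder is an assumed path; point it at the share directory being audited.
    $Folder = 'D:\Shares\Finance'

    # The six Success audit rights listed in the post, as a FileSystemRights mask.
    # Traverse/ExecuteFile, ListDirectory/ReadData, CreateFiles/WriteData and
    # CreateDirectories/AppendData are the same bits under their folder and file names.
    $Rights = [System.Security.AccessControl.FileSystemRights]::Traverse -bor
              [System.Security.AccessControl.FileSystemRights]::ListDirectory -bor
              [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
              [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
              [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
              [System.Security.AccessControl.FileSystemRights]::Delete

    # Audit rule for Authenticated Users, Success only, applied to this folder,
    # its subfolders and its files (ContainerInherit + ObjectInherit).
    $Rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'NT AUTHORITY\Authenticated Users',
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]::Success)

    # -Audit makes Get-Acl read the SACL as well as the DACL.
    $Acl = Get-Acl -Path $Folder -Audit
    $Acl.AddAuditRule($Rule)
    Set-Acl -Path $Folder -AclObject $Acl

    # Confirm what is now on the folder.
    (Get-Acl -Path $Folder -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

    # The audit policy as the system actually enforces it, per Object Access
    # subcategory. Run this once with the GPO setting defined and once with it
    # "Not defined" to see which subcategories each configuration turns on.
    auditpol /get /category:"Object Access"
    ```

    The `auditpol` output is the useful part for the question asked in the post: the legacy "Audit object access" category covers every Object Access subcategory, not only File System, and some of those (Filtering Platform Connection, for example) write events that have nothing to do with the folder SACL. Comparing the two `auditpol` listings shows whether the extra volume came from the folder or from subcategories the GPO switched on.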

  • #2
    Re: Audit object access and the Security log Win 2008

    Hi,

    I would suggest using GPO. Generally speaking, auditing is intensive based on user activity and what kind of audit settings you have.

    leaving the GPO auditing settings alone (Audit object access = Not defined)

    It could be that you have selected more settings under LSP, and when the GPO applied both got merged, generating a large set of audits to track, which in turn caused the logs to fill up quickly.
    Thanks & Regards
    v-2nas

    MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
    Sr. Wintel Eng. (Investment Bank)
    Independent IT Consultant and Architect
    Blog: http://www.exchadtech.blogspot.com

    Show your appreciation for my help by giving reputation points



    • #3
      Re: Audit object access and the Security log Win 2008

      Thanks, v-2nas

      Anyone else who actually does this?
      A recent poll suggests that 6 out of 7 dwarfs are not happy



      • #4
        Re: Audit object access and the Security log Win 2008

        IMHO, do not audit file access unless you
        a) have a business need (from senior management)
        AND
        b) have the time to review the logs

        Even then, limit it to a very few key areas of the file system (HR and Management confidential)

        If not, all you are doing is filling up hard drive space!
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **



        • #5
          Re: Audit object access and the Security log Win 2008

          Thanks, Ossian.

          I was just playing around with this and making sure that I knew the best approach for if (probably when) I need to instigate it.

          It is not something that would be monitored daily but is something that might need to be available. So, having the archived logs would be important. Any post-incident monitoring would be done using Excel to filter the logs - there would be no 'general' monitoring of staff's file access.

          I was interested in what other forum members' experiences with this were and am keen to hear from those members who have done this or are actively monitoring file access.
          A recent poll suggests that 6 out of 7 dwarfs are not happy

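
          The post-incident workflow described above (archived logs kept, then filtered in Excel when needed), as an added PowerShell example that is not part of the original thread. It first summarises the archived Security logs by event ID, which answers the "20MB in 20 seconds" question by showing which IDs dominate, and then flattens the object-access events named in the thread into a CSV that Excel can filter by user, object and process. The archive directory and output path are assumptions.

          ```powershell
          # Added example, not the original poster's procedure.
          # Assumption: archived logs live in the default log folder and use the
          # Archive-Security-*.evtx name Windows gives them when "Archive the log
          # when full" is set. Adjust both paths for your environment.
          $ArchiveDir = 'C:\Windows\System32\winevt\Logs'
          $OutCsv     = 'C:\Temp\object-access.csv'

          $Archives = Get-ChildItem -Path $ArchiveDir -Filter 'Archive-Security-*.evtx'

          # Pass 1: which event IDs make up the volume? A single noisy ID (handle
          # open/close pairs, or a subcategory the GPO switched on) usually explains
          # a log that fills in seconds.
          $Archives |
              ForEach-Object { Get-WinEvent -Path $_.FullName -ErrorAction SilentlyContinue } |
              Group-Object Id | Sort-Object Count -Descending |
              Select-Object Count, Name | Format-Table -AutoSize

          # Pass 2: keep only the object-access IDs from the thread and flatten the
          # EventData fields people actually filter on in Excel.
          $Ids  = 4656, 4658, 4660, 4663, 5140
          $Rows = foreach ($File in $Archives) {
              Get-WinEvent -FilterHashtable @{ Path = $File.FullName; Id = $Ids } -ErrorAction SilentlyContinue |
                  ForEach-Object {
                      # Each <Data Name="..."> element becomes a hashtable entry.
                      $x = [xml]$_.ToXml()
                      $d = @{}
                      foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
                      # 5140 carries ShareName instead of ObjectName; 4658/4660 carry neither.
                      $Object = if ($d['ObjectName']) { $d['ObjectName'] } else { $d['ShareName'] }
                      [pscustomobject]@{
                          Time       = $_.TimeCreated
                          Id         = $_.Id
                          User       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                          Object     = $Object
                          AccessMask = $d['AccessMask']
                          HandleId   = $d['HandleId']
                          Process    = $d['ProcessName']
                          SourceFile = $File.Name
                      }
                  }
          }

          $Rows | Export-Csv -Path $OutCsv -NoTypeInformation
          "$(@($Rows).Count) object-access events written to $OutCsv"
          ```

          HandleId is kept in the output on purpose: 4656, 4663, 4658 and 4660 for one file operation share the same handle ID, so sorting or pivoting on that column in Excel reassembles the open, access, delete and close events of a single action, which is how an investigator reads these logs after the fact.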
