  • Auditing info needed

    Hello all,

    I have a folder on a Windows Server 2008 member server which needs to be audited. Pic1 shows the settings that I have made in the local gpedit.msc. Pic2 shows the settings that I have made on the parent folder. I have not enabled the read option because many users access this folder and too many logs are created.

    The things mentioned below I cannot track; please let me know how I can achieve this:
    When I create a new file/folder, there is no new event in the event viewer.
    When I rename a file, it shows that the file is deleted but the new name is not listed.

    Can you please let me know how I can achieve this? I googled this but could not find any link.



    Thank you all in advance.
    Vaibhav

  • #2
    Re: Auditing info needed

    I hope this will be helpful,
    http://technet.microsoft.com/en-us/l...8WS.10%29.aspx

    Enable Security > Audit Object access, and change the security settings to include that particular folder for Auditing.


    Good Luck!
    Mohan Mathew[VU3MMU]
    MCITP [AD]
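    The two halves that post #2 refers to (the audit policy and the folder's own auditing entry), done from an elevated PowerShell prompt on the file server. This is an added example, not code from the thread; $Folder is an assumed path and the rights chosen for the SACL are a suggestion that deliberately leaves read access out, as the original poster wanted.

```powershell
# Added example, not code from the thread: the two halves of file-system auditing
# that post #2 refers to, run from an elevated PowerShell prompt on the file server.
# $Folder is an assumed path; point it at the folder that needs auditing.
$Folder = 'D:\Districts'

# Half 1 - audit policy. auditpol shows the effective setting whichever tool set
# it (gpedit.msc locally, a domain GPO, or auditpol itself).
auditpol /get /subcategory:"File System"
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Half 2 - the folder's SACL. The policy only says "report File System access
# that a SACL asks for"; without an entry on the folder nothing is logged.
# Creating a file is a WriteData (CreateFiles) access on the parent directory and
# creating a subfolder is AppendData (CreateDirectories), so a SACL that audits
# only Delete/Write of existing objects stays silent on creates.
$rights    = [System.Security.AccessControl.FileSystemRights] 'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes'
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]::Success

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone', $rights, $inherit, $propagate, $flags)

# -Audit is required to read (and later write back) the SACL part of the descriptor.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Check what is now in effect, including entries inherited from further up.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

    The last command is the check worth keeping: if the folder shows no audit entry for CreateFiles/CreateDirectories, creates will not be logged no matter what the policy says, which is the symptom described in the first post.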



    • #3
      Re: Auditing info needed

      If you look at the images the OP has posted, that has already been done.

      If all attributes are audited, does it work properly?
      Tom Jones
      MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
      PhD, MSc, FIAP, MIITT
      IT Trainer / Consultant
      Ossian Ltd
      Scotland

      ** Remember to give credit where credit is due and leave reputation points where appropriate **



      • #4
        Re: Auditing info needed

        Apologies for the late response

        Tom: when I check all the options and create a new file/folder, no entry is made. When I edit a file, an entry is made in the event logs.


        I tried different things but was not able to get an event generated for a newly created folder/file.


        Thank you all



        • #5
          Re: Auditing info needed

          When I create a folder I see the following entry in the Security Log. This appears at the point at which I click 'Make a new folder' on my XP machine to create a new folder in a shared folder named Districts on our storage server:

          Code:
          Log Name:      Security
          Source:        Microsoft-Windows-Security-Auditing
          Date:          04/02/2012 10:09:56
          Event ID:      4656
          Task Category: File System
          Level:         Information
          Keywords:      Audit Success
          User:          N/A
          Computer:      Orion.htlincs.local
          Description:
          A handle to an object was requested.
          
          Subject:
          	Security ID:		HTLINCS\blood
          	Account Name:		blood
          	Account Domain:		HTLINCS
          	Logon ID:		0x11101b79f
          
          Object:
          	Object Server:		Security
          	Object Type:		File
          	Object Name:		D:\Districts\New Folder
          	Handle ID:		0x3144
          
          Process Information:
          	Process ID:		0x4
          	Process Name:		
          
          Access Request Information:
          	Transaction ID:		{00000000-0000-0000-0000-000000000000}
          	Accesses:		DELETE
          			SYNCHRONIZE
          			
          	Access Mask:		0x110000
          	Privileges Used for Access Check:	-
          	Restricted SID Count:	0
          .............
          I then see pretty much the same entries as I name the folder Test, etc.

          Under the local security policy on the storage server, I have the following entries configured:



          The directory auditing settings are configured as follows:



          So, I don't actually see a 'creation' event, but I do see a request for a 'handle' to a new object. To be honest I am not sure if I even have this set up properly... However, it works for me and allows me to see when files are accessed, created and deleted.

          I created a txt file named New Text Document.txt. When I rename it, the first entry I see is:

          Code:
          Log Name:      Security
          Source:        Microsoft-Windows-Security-Auditing
          Date:          04/02/2012 10:29:03
          Event ID:      4656
          Task Category: File System
          Level:         Information
          Keywords:      Audit Success
          User:          N/A
          Computer:      Orion.htlincs.local
          Description:
          A handle to an object was requested.
          
          Subject:
          	Security ID:		HTLINCS\blood
          	Account Name:		blood
          	Account Domain:		HTLINCS
          	Logon ID:		0x11101b79f
          
          Object:
          	Object Server:		Security
          	Object Type:		File
          	Object Name:		D:\Districts\test\New Text Document.txt
          	Handle ID:		0x38a8
          
          Process Information:
          	Process ID:		0x4
          	Process Name:		
          
          Access Request Information:
          	Transaction ID:		{00000000-0000-0000-0000-000000000000}
          	Accesses:		ReadData (or ListDirectory)
          			ReadAttributes
          			
          	Access Mask:		0x81
          	Privileges Used for Access Check:	-
          	Restricted SID Count:	0
          Event Xml:
          .............
          I then see a request to the folder 'test' which hosts New Text Document.txt:

          Code:
          Log Name:      Security
          Source:        Microsoft-Windows-Security-Auditing
          Date:          04/02/2012 10:29:26
          Event ID:      4656
          Task Category: File System
          Level:         Information
          Keywords:      Audit Success
          User:          N/A
          Computer:      Orion.htlincs.local
          Description:
          A handle to an object was requested.
          
          Subject:
          	Security ID:		HTLINCS\blood
          	Account Name:		blood
          	Account Domain:		HTLINCS
          	Logon ID:		0x11101b79f
          
          Object:
          	Object Server:		Security
          	Object Type:		File
          	Object Name:		D:\Districts\test
          	Handle ID:		0x3764
          
          Process Information:
          	Process ID:		0x4
          	Process Name:		
          
          Access Request Information:
          	Transaction ID:		{00000000-0000-0000-0000-000000000000}
          	Accesses:		ReadData (or ListDirectory)
          			
          	Access Mask:		0x1
          	Privileges Used for Access Check:	-
          	Restricted SID Count:	0
          Event Xml:
          .............
          But, although I see this access, like you, I see the deletion of new text document.txt, but I don't see the new name. Weird.

          If you sort this out, please post back.
          A recent poll suggests that 6 out of 7 dwarfs are not happy
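          The samples in post #5 are all event 4656, which only records that a handle was requested; the access that was actually exercised is reported separately in 4663, a deletion in 4660 and the close of the handle in 4658, all carrying the same Handle ID. The script below, an added example and not code from the thread, pulls those events for one path and lines them up per handle, decoding the Access Mask bits so the hex values (0x110000 and 0x81 in the samples) can be read without the Accesses text. $PathPrefix and $Since are assumptions.

```powershell
# Added example, not code from the thread: pull the File System audit events for
# one path and line them up by Handle ID, so that the handle request (4656), the
# access actually exercised (4663), a deletion (4660) and the handle close (4658)
# belonging to one operation appear together. $PathPrefix and $Since are assumptions.
$PathPrefix = 'D:\Districts'
$Since      = (Get-Date).AddHours(-1)

# Bits of the Access Mask field, so a mask can be read without the Accesses text.
# The thread's samples decode as 0x110000 = DELETE|SYNCHRONIZE and
# 0x81 = ReadData|ReadAttributes.
$AccessBits = @{
    0x1 = 'ReadData/ListDirectory'; 0x2 = 'WriteData/AddFile'; 0x4 = 'AppendData/AddSubdirectory'
    0x8 = 'ReadEA'; 0x10 = 'WriteEA'; 0x20 = 'Execute/Traverse'; 0x40 = 'DeleteChild'
    0x80 = 'ReadAttributes'; 0x100 = 'WriteAttributes'; 0x10000 = 'DELETE'
    0x20000 = 'READ_CONTROL'; 0x40000 = 'WRITE_DAC'; 0x80000 = 'WRITE_OWNER'; 0x100000 = 'SYNCHRONIZE'
}
function ConvertFrom-AccessMask([int]$Mask) {
    ($AccessBits.Keys | Where-Object { $Mask -band $_ } | Sort-Object |
        ForEach-Object { $AccessBits[$_] }) -join '|'
}

# 4656 is only the request for a handle; 4663 records that an access in that
# handle was actually used. 4658 is only written when the Handle Manipulation
# subcategory is enabled as well, so its absence is a policy gap, not a bug.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4656, 4658, 4660, 4663; StartTime = $Since }

$rows = foreach ($e in $events) {
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Handle   = $d['HandleId']
        User     = $d['SubjectUserName']
        Object   = $d['ObjectName']        # absent on 4658/4660; matched via Handle
        Process  = $d['ProcessName']
        Accesses = $(if ($d.ContainsKey('AccessMask')) { ConvertFrom-AccessMask ([int]$d['AccessMask']) } else { '' })
    }
}

# Handle IDs are reused once closed, so key on the handle *and* the 4656 that
# opened it, and stop at the first 4658 that closes it.
$opened = $rows | Where-Object { $_.Id -eq 4656 -and $_.Object -like "$PathPrefix*" }
foreach ($open in $opened) {
    $same  = $rows | Where-Object { $_.Handle -eq $open.Handle -and $_.Time -ge $open.Time } | Sort-Object Time
    $close = $same | Where-Object { $_.Id -eq 4658 } | Select-Object -First 1
    if ($close) { $same = $same | Where-Object { $_.Time -le $close.Time } }
    $same | Format-Table Time, Id, Handle, User, Accesses, Object -AutoSize
}
```

          Read against the post above, the rename shows up as one handle on the file with DELETE in its mask and, within the same second and under the same Logon ID, a second handle on the parent directory; the script's per-handle output puts those two next to each other, which is as much as the 4656/4663 events in this thread give you for reconstructing what happened to the file.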
