Auditing Features

Thread starter: Q
When auditing Object Access, Windows will log numerous
failures even as an administrator. Are there any good
descriptions on auditing Object Access and what it really
does?
 
--------------------
From: "Q" <[email protected]>
Subject: Auditing Features
Date: Mon, 17 Nov 2003 11:36:32 -0800
Newsgroups: microsoft.public.win2000.security

Howdy!

Indeed almost all auditing will generate both successes and failures in a
properly functioning system.

Audit object access
The Audit object access setting determines whether to audit the event of a
user accessing an object - for example, a file, folder, registry key,
printer, and so forth - that has its own SACL specified. If you define this
policy setting, you can specify whether to audit successes, audit failures,
or not audit the event type at all. Success audits generate an audit entry
when a user successfully accesses an object that has a SACL specified.
Failure audits generate an audit entry when a user unsuccessfully attempts
to access an object that has a SACL specified; some failure events are to
be expected in the course of normal system operations. For example, many
applications, such as Microsoft Word, always attempt to open files with
both read and write privileges; if they are unable to do so they then try
to open them with read-only privileges. When this happens, a failure
event will be recorded if you have enabled failure auditing and the
appropriate SACL on that file.

Enabling auditing of object access and configuring SACLs on objects can
generate a large volume of entries in the security logs on systems in your
enterprise; therefore, you should only enable these settings if you
actually intend to use the information that is logged.

Note: Enabling the capability to audit an object, such as a file, folder,
printer, or registry key, is a two-step process in Microsoft Windows
Server 2003. After enabling the audit object access policy, you must
determine the objects to which you want to monitor access, and then modify
their SACLs accordingly. For example, if you want to audit any attempts by
users to open a particular file, you can set a Success or Failure attribute
directly on the file that you want to monitor for that particular event
using Windows Explorer or group policy.


Hope this helps!

/Siddharth
PSS Security
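The two-step setup described in the reply (turn on the Audit object access policy, then put a SACL on the object), followed by the "open read/write, fall back to read-only" pattern that produces the expected Failure entry, as an added PowerShell example; this is not code from the thread or from Microsoft PSS. It assumes an elevated session on Windows Vista/Server 2008 or later, where the policy is set per subcategory with `auditpol.exe` and the Security log uses event IDs 4656 and 4663; on the Windows 2000/2003 systems the thread is about, the policy is set under Local Security Policy > Audit Policy instead and the legacy event IDs differ. The file path, its content and the `Open-WithReadOnlyFallback` function are constructed for the demonstration.

```powershell
# Added example, not from the original thread.
# Assumptions: elevated PowerShell, Vista/2008+ (auditpol subcategories, events 4656/4663).
# $target is a constructed sample file; nothing here refers to a real system.

$target = Join-Path $env:TEMP 'object-access-audit-demo.txt'
Set-Content -Path $target -Value 'constructed sample content'
$start = Get-Date

# Step 1: the policy. "File System" is the Object Access subcategory that covers files.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# Step 2: the SACL on the object itself. The policy alone logs nothing for this file.
$sacl = Get-Acl -Path $target -Audit
$auditRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$sacl.AddAuditRule($auditRule)
Set-Acl -Path $target -AclObject $sacl

# Make writes fail for the current user so the fallback path is exercised.
# A Deny ACE takes precedence over the Allow entries, even for an administrator,
# which is exactly the situation that yields a Failure audit on a healthy system.
$dacl = Get-Acl -Path $target
$denyWrite = New-Object System.Security.AccessControl.FileSystemAccessRule(
    [System.Security.Principal.WindowsIdentity]::GetCurrent().Name,
    [System.Security.AccessControl.FileSystemRights]::WriteData,
    [System.Security.AccessControl.AccessControlType]::Deny)
$dacl.AddAccessRule($denyWrite)
Set-Acl -Path $target -AclObject $dacl

# The application behaviour the reply attributes to Word: ask for read+write first,
# then settle for read-only. The first attempt is what produces the Failure entry.
function Open-WithReadOnlyFallback {
    param([Parameter(Mandatory)][string]$Path)
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::ReadWrite, [System.IO.FileShare]::None)
        $fs.Dispose()
        return 'ReadWrite'      # only a Success audit is written
    }
    catch [System.UnauthorizedAccessException] {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                     [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read)
        $fs.Dispose()
        return 'ReadOnly'       # one Failure audit (ReadWrite attempt), then one Success audit
    }
}
$mode = Open-WithReadOnlyFallback -Path $target
"Opened in $mode mode"

# Read back what the Security log recorded for this file since $start.
# 4656 = a handle to an object was requested (carries the Failure audits);
# 4663 = an attempt was made to access an object (the Success audits).
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $start } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$target*" } |
    Select-Object TimeCreated, Id, @{ n = 'Result'; e = { $_.KeywordsDisplayNames -join ',' } } |
    Format-Table -AutoSize

# Cleanup: the Deny ACE only blocks WriteData, so the sample file can still be removed.
Remove-Item -Path $target -Force
```

Run it once and the listing shows one Audit Failure (the ReadWrite request) immediately followed by an Audit Success (the read-only open), which is the benign pattern the reply describes; a file that the user can write to yields the Success entry only. Because the SACL here covers `Everyone`, every process that touches the file is recorded, so on a real server scope the audit ACE to the identities and rights you actually care about and keep the policy off where nobody reads the log.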