Auditing security

  • Thread starter Thread starter alvin
  • Start date Start date
A

alvin

First Question:
I'm encounter a problem when i set the folder with audit permission to cross
check if there is anyone to move/copy file from this folder (example. copy
file from server to other client workstation). I'm tick the tranverse folder
/ execute file folder options but this seem does not work at all. I have try
to move/copy a file from server to my workstation and i can't find the
message to show me that i have move/copy the file to other folder at event
viewer. If there any way to set the folder security to keep track anyone
have move/copy any files from this folder to other location (example within
the computer or other workstation computer).

Second question :
I want to set a security only allow user to write/read on that files but
disallow user to move or copy the file out of the folder?

Thank You.
 
You first have to enable auditing of object access on a computer in order for folder
auditing to work. Once you do that you will find a tremendous amount of events in the
security log. Usually the delete operations will be found in pairs of events with the
same timestamp for Event ID 560 and 562. Moving of a file should generate a delete
event from the folder it was moved out of. See the link below for more details on
auditing that also talks about object access. Audit the bare number of permissions
for the bare number of users and avoid everyone/users but use a created group
instead. The deletion should be there, but will take a while to find.

http://www.microsoft.com/technet/security/guidance/secmod144.mspx

Users need delete permissions in order to move files. If they have
read/list/execute/write access, they will not be able to move files. Note that if
creator owner is present in permissions the user who is owner of the file will have
creator owner permissions which often is full control. A user would be owner if they
created the file. Also keep in mind that users often need modify permissions to
modify a files versus append to it. --- Steve
 
Read here:

http://securityadmin.info/faq.asp#auditing

I would not audit "traverse / execute" but write. It will be hard to audit
copying and moving, as these actions look identical to any other file
reading and writing.

There is no good way to prevent a user that can read a file from copying a
file [unless you try to restrict where that user has permission to write
to]. Also, for Microsoft Office files like Word and Excel files, there is
no good way to remove the Delete permission, in which case users can still
delete and move files as well. Your best bet is some kind of file backup
like tape backup that runs at least once every night.

Maybe there is some third party file auditing utility I dont' know about out
there that could help you [somehow I doubt it]. You could try searching
Google.
 
Back
Top