How to apply file/folder auditing

Rich S.

Hello,

I think this issue is security related so I hope this is the correct list.

My agency has had several instances where permissions change on shared
folders and sub-folders. I try to also apply security using groups. In
each instance, a security group seems to have been removed and/or replaced.
We have multiple users in my company with administrator privileges but of
course no one admits to changing anything. Political forces are currently
preventing taking steps to be more secure (renaming the administrator
account, assigning a 2nd account w/admin rights for the individuals,
changing and keeping admin account password private, etc).

As a result of this, I would like to set auditing for basically everything
on our file (and other role, i.e. database, application...) servers. Because
they all have multiple Gb of files, I don't want to sit for hours and watch
this happen at my desk or do it in the middle of the day and impact system
performance. Can anyone suggest a relatively quick / efficient way to do
this? Are these viable options?

Group Policy
Windows Scripting
Other programmatic methods
Set the audit changes just before leaving for the weekend?
Anything else

TIA,
Rich
 
You could enable auditing of object access which would then give you
the ability to set auditing of files and folders. You can do this at the
Local Security Policy level if the domain policy does not override it or put
those servers you want to audit in their own Organizational Unit and apply a
separate policy to just them. You need to audit just the bare minimum or you
will have a huge amount of entries. Try enabling auditing of just folders
and subfolders for just the administrators group and only for change
permissions. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;301640
http://www.brienposey.com/kb/auditing_events,_part_3.asp
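
The narrow audit entry suggested above (folders and subfolders only, Administrators group only, change permissions only), scripted as an added example that is not part of the original thread. It assumes PowerShell on a Windows Server release newer than the one discussed here, an elevated session, and a placeholder path in `$Path`.

```powershell
# Added example. Reading or writing a SACL requires the
# "Manage auditing and security log" right, so run this elevated.
$Path = 'D:\Shares\Example'    # placeholder: root of the shared folder tree

# Built-in Administrators by well-known SID (independent of OS language).
$admins = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')

# Audit only "Change permissions", and only when it succeeds (a change that
# actually happened). ContainerInherit: subfolders inherit the entry, files
# do not, so one entry on the root covers the whole folder tree.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $admins,
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit makes Get-Acl return the SACL along with the rest of the descriptor.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)       # adds to existing audit entries, does not replace them
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm the entry was written.
(Get-Acl -Path $Path -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited

# The entry only produces Security log events while object-access auditing
# is enabled by policy; this shows the effective setting on this server.
auditpol /get /subcategory:"File System"
```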
 
More/less as a quick test, I simply selected all the available "failure"
options from the auditing tab of a share's properties. The reason I'm taking
this (as a first-try approach) is the simplicity, although I may not stick
with this in favor of a group policy. Right now, all my servers are in 2
OU's: Domain Controllers and Computers. Can you give me a hint as to
setting this up via Group Policies? That is still an area that I have a lot
to learn about.

Thanks,
Rich
 
In Active Directory Users and Computers, select the domain/right
click/new/Organizational Unit. Name it something appropriate. Then for the
OU select properties/Group Policy/new to create a Group Policy Object. Name
it something appropriate. In the security settings of that GPO, configure
your audit policy. Move the computers that you want to have that audit policy
into that OU. Run secedit /refreshpolicy machine_policy /enforce on the
domain controller. Do the same on those servers or reboot and they should
inherit the OU audit settings. --- Steve
 