File Access Auditing on Exchange 2003 Server

Discussion in 'Server Security' started by Jimmy, Jun 28, 2005.

  1. Jimmy

    Jimmy Guest

    Our company has an Exchange 2003 SP1 server runs on Windows 2003 Std. It will
    update to SP1 in a few weeks. The server also does file sharing for all our
    40+ users.

    We want to enable auditing to keep track of read/write activities on the
    file shares. I did attempt turn on Success/Failure of Object Access in Local
    Security Policy. I didn't turn on auditing on any File System yet. Then I
    discovered a lot of Exchange object access (ID 562) were tracked in security
    log. Size increase is more than 6MB for merely an hour. That makes auditing
    impractical to implement.

    Did I do anything wrong on the setup or this is a necessary evil of auditing
    on E2K3?

    Jimmy, Jun 28, 2005
    1. Advertisements

  2. Auditing of object access can make a huge amount of entries in the security
    log even when you have not enabled auditing on any folders yet. One thing to
    check is that in Local Security Policy [secpol.msc], or whatever appropriate
    security policy, that the security option for audit:audit the access of
    global system objects is disabled. I can tell you right now that keeping
    track of read activities will generate a huge amount of events. When you do
    audit a folder it is best to audit absolute minimum number of permissions
    for absolute minimum number of users/groups and avoid auditing for everyone,
    users, authenticated user groups but instead use a global/local group of
    just the users you want to track. The free MS too Event Comb can help in
    tracking object access events and it can search by text string such as for
    filename or user name. The link below may help. --- Steve
    Steven L Umbach, Jun 28, 2005
    1. Advertisements

  3. Jimmy

    Jimmy Guest

    Checked that "audit the access of global system objects" is disabled.


    Jimmy, Jun 29, 2005
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.