Interpretation of SECURITY log for Auditing of access to file syst

Discussion in 'Server Security' started by Terence, May 4, 2005.

  1. Terence

    Terence Guest

    I have a Win2003 Standard Server which has Auditing enabled on a specific
    folder (d:\abc). The Auditing is enabled to audit successful open, delete,
    and create operations on any files and sub-folders under d:\abc. There are
    quite a lot of entries logged and written into the SECURITY log of the server.

    Which EVENT ID or attribute (e.g. "Accesses:", "Object Name:", etc.) of a
    security record should be used to extract any auditing information related
    to Open, Creation and Deletion of a file or folder?
     
    Terence, May 4, 2005
    #1

  2. The best way to find out is to test it out to see the results. Auditing of
    object access can be challenging. Also look at events that are generated
    with the same timestamp, as often you will need more than one Event ID to
    establish file deletion, etc. Try to audit the bare minimum permissions, such
    as just delete or write; otherwise you will have so many events to sift
    through that it is almost futile. The free Event Comb tool from Microsoft can
    help by allowing text string searches for keywords such as delete, filename,
    or user name. The link below may be helpful. --- Steve


    http://www.microsoft.com/technet/security/prodtech/windows2000/secmod144.mspx
     
    Steven L Umbach, May 4, 2005
    #2

  3. Event 560= open
    Event 562= close

    These may vary slightly for deletes.
     
    Eric Fitzgerald [MSFT], May 10, 2005
    #3
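
An added example, not part of any post in this thread: one way to pair Event 560 (open) with Event 562 (close) and pull "Object Name:" and "Accesses:" for the audited folder from a text export of the SECURITY log. The record layout, the "Handle ID:" pairing field, and the sample records are assumptions constructed for illustration.

```python
import re

# Constructed sample export (simplified, not real log output). "Object Name:"
# and "Accesses:" are the labels named in the thread; "Handle ID:" and the
# blank-line-separated record layout are assumptions of this example.
SAMPLE = r"""2005-05-04 10:15:01 EventID=560
Object Name: D:\abc\report.doc
Handle ID: 1432
Accesses: ReadData (or ListDirectory)

2005-05-04 10:15:01 EventID=562
Handle ID: 1432

2005-05-04 10:16:40 EventID=560
Object Name: D:\abc\old.txt
Handle ID: 1500
Accesses: DELETE

2005-05-04 10:17:02 EventID=560
Object Name: C:\other\x.txt
Handle ID: 1600
Accesses: WriteData (or AddFile)
"""

def parse(text):
    """Split the export into one dict per record (time, id, labelled fields)."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        m = re.match(r"(\S+ \S+) EventID=(\d+)", lines[0])
        rec = {"time": m.group(1), "id": int(m.group(2))}
        for line in lines[1:]:
            key, _, value = line.partition(":")  # split on first colon only
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def opens_under(records, folder):
    """List 560 opens under folder; last item is True if a 562 shares the handle."""
    closed = {r["Handle ID"] for r in records if r["id"] == 562}
    prefix = folder.lower().rstrip("\\") + "\\"
    return [(r["time"], r["Object Name"], r["Accesses"], r["Handle ID"] in closed)
            for r in records
            if r["id"] == 560 and r["Object Name"].lower().startswith(prefix)]

if __name__ == "__main__":
    for row in opens_under(parse(SAMPLE), r"d:\abc"):
        print(row)
```

Handle values can be reused over time, so on a real log the 560/562 pairing should also be bounded by timestamp order.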