
Audit file/folder access

Posted by Hugo on February 12, 2007, 10:52 am
Hi Everyone!

I activated "Audit Object Access" with "Success and Failure" in a GPO for
one of my servers. Without configuring any file/folder for audit (or any
other object), my Security Event Log is filling up with file accesses
(normal user and System) on the C: and D: drives and registry
accesses by the System user!!!

What can I do to not have those events in my event log?

I want to monitor only one directory on the D: drive...

Any idea?

Thank you!

Hugo

PS: Sorry for my bad English, I'm French speaking!



Posted by Johan Engdahl on February 12, 2007, 12:45 pm
You choose what file or folder you wish to audit and, using the NTFS security
tab, auditing tab, choose for Everyone what to audit. Unfortunately the
System account is also included in Everyone, so you won't get rid of those
entries.

--
----------------------------------------------------------------------------------------------------------------------------
Johan Engdahl
CCSA, CCSE, CCA, MCP | johan AT firewall1 DOT nu | http://www.firewall1.nu




Posted by Hugo on February 12, 2007, 12:54 pm
Hi Johan!

First, thank you for your time!

For the folder I want to audit, I use a more restrictive group than
Everyone, so only a specified group of users is audited...

My problem is that before adding any audit using NTFS security, many, many
log entries appear in the Event Log.... I don't want those entries...

Any idea?




Posted by DaveMo on February 13, 2007, 12:12 pm
> What can I do to not have those events in my event log?
>
> I want to monitor only one directory on the D: drive...

The system will not audit any object access unless there is a SACL
specifying the audit action. So, the entries you are seeing are caused
by a SACL, you just have to find it. There are default SACLs on the
system, but they won't do anything until the security policy to enable
object access auditing is enabled. On one server here there is such a
default SACL on the registry key that contains the parameters for the
security log.

When you enable auditing in security policy you start getting these:

Event Type:        Success Audit
Event Source:      Security
Event Category:    Object Access
Event ID:          560
Date:              2/13/2007
Time:              8:55:08 AM
User:              EXTRANET\Administrator
Computer:          EXTRANETDC
Description:
Object Open:
        Object Server:        Security
        Object Type:          Key
        Object Name:          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security
        Handle ID:            896
        Operation ID:
        Process ID:           3044
        Image File Name:      C:\WINDOWS\system32\mmc.exe
        Primary User Name:    Administrator
        Primary Domain:       EXTRANET
        Primary Logon ID:     (0x0,0x1C353)
        Client User Name:     -
        Client Domain:        -
        Client Logon ID:      -
        Accesses:             Set key value

        Privileges:           -
        Restricted Sid Count: 0
        Access Mask:          0x2


If you use regedt32 to view this registry setting and click Advanced /
Permissions / Auditing, you'll see there is a SACL on the object. If you
were to remove the SACL you'd stop getting these particular audits.

Something similar is happening on your file volumes. If you look
around you'll probably find an inheritable SACL. For any particular
path that generates an audit, you should be able to open that file's
properties and find a SACL either explicitly on the object or one that
is being inherited.

HTH.

Dave
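A way to do the search Dave describes from the command line instead of the properties dialog: this PowerShell script is an added example, not code from anyone in the thread. It starts from one path that produced an Object Access event, walks up to the volume root, lists every audit ACE (SACL entry) on the way, and flags the kind of entry Hugo later found (a non-inherited "Change Permissions" audit on the drive root that propagates to every newly created file). The starting path is a placeholder; reading a SACL requires an elevated prompt.

```powershell
# Added example, not from the thread. Locate which SACL entry on a path or on
# one of its parents is responsible for Object Access audits on that path.
param([string]$Path = 'D:\Data\report.tmp')   # placeholder; use a path from an event

$entries = @()
$current = Get-Item -LiteralPath $Path
while ($current) {
    # -Audit reads the SACL as well as the DACL (needs SeSecurityPrivilege)
    $acl = Get-Acl -LiteralPath $current.FullName -Audit
    foreach ($ace in $acl.Audit) {
        $entries += [pscustomobject]@{
            Path      = $current.FullName
            Identity  = $ace.IdentityReference   # Everyone also covers SYSTEM
            Rights    = $ace.FileSystemRights
            Flags     = $ace.AuditFlags          # Success, Failure or both
            Inherited = $ace.IsInherited         # $false = defined on this object
            Propagate = $ace.InheritanceFlags    # ContainerInherit / ObjectInherit
        }
    }
    # Stop after the volume root; otherwise continue with the parent folder.
    if ($current.PSIsContainer) {
        if (-not $current.Parent) { break }
        $current = $current.Parent
    } else {
        $current = $current.Directory
    }
}

# Everything that can fire for $Path, innermost object first.
$entries | Format-Table -AutoSize

# The entry Hugo identified: defined on a parent (not inherited there), audits
# ChangePermissions, and propagates to children. Each temporary file an
# application creates and re-ACLs then produces one audit event.
$changePerm = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$entries | Where-Object {
    -not $_.Inherited -and
    ($_.Rights -band $changePerm) -and
    $_.Propagate -ne 'None'
} | ForEach-Object {
    "Propagating ChangePermissions audit originates at: $($_.Path) ($($_.Identity))"
}
```

Once the originating object is known, narrowing the ACE to the one directory (or replacing Everyone with a smaller group, as Johan suggests) removes the noise without turning off Object Access auditing for the whole server.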


Posted by Hugo on February 13, 2007, 2:19 pm
Hi Dave!

I found what I was missing!

I had activated "Change Permission" auditing on the D: drive for my server... The Event
Log entries I got were all for temporary files created by Word/Excel etc... So, when
Word creates a temporary file, Windows assigns it an ACL (changing permissions)
and this is what I got in the Event Log!!!

Thank you!

Hugo




