|
Posted by Jimmy on June 29, 2005, 4:05 am
Please log in for more thread options Checked that "audit the access of global system objects" is disabled.
Jimmy
"Steven L Umbach" wrote:
> Auditing of object access can make a huge amount of entries in the security
> log even when you have not enabled auditing on any folders yet. One thing to
> check is that in Local Security Policy [secpol.msc], or whatever appropriate
> security policy, that the security option for audit:audit the access of
> global system objects is disabled. I can tell you right now that keeping
> track of read activities will generate a huge amount of events. When you do
> audit a folder it is best to audit absolute minimum number of permissions
> for absolute minimum number of users/groups and avoid auditing for everyone,
> users, authenticated user groups but instead use a global/local group of
> just the users you want to track. The free MS too Event Comb can help in
> tracking object access events and it can search by text string such as for
> filename or user name. The link below may help. --- Steve
>
>
http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx
>
> > Our company has an Exchange 2003 SP1 server runs on Windows 2003 Std. It
> > will
> > update to SP1 in a few weeks. The server also does file sharing for all
> > our
> > 40+ users.
> >
> > We want to enable auditing to keep track of read/write activities on the
> > file shares. I did attempt turn on Success/Failure of Object Access in
> > Local
> > Security Policy. I didn't turn on auditing on any File System yet. Then I
> > discovered a lot of Exchange object access (ID 562) were tracked in
> > security
> > log. Size increase is more than 6MB for merely an hour. That makes
> > auditing
> > impractical to implement.
> >
> > Did I do anything wrong on the setup or this is a necessary evil of
> > auditing
> > on E2K3?
> >
> > Jimmy
> >
>
>
>
| 
XML Sitemap