source: http://www.petri.co.il/forums/showthread.php?t=52923
Hi
I'd like to ask for some help and discussion about forum members'
experiences and approaches to Windows file auditing. My network is a
Windows 2008 Domain. There are 35 machines in the domain.
I was playing around with this yesterday and enabled auditing on our
Windows 2008 Storage Server. I did this via the local security policy:
Security Settings>Local Policies>Audit Policies>Audit object
access and checked both success and failure. I had also set this via the
default domain policy.
Next, I turned on auditing for Authenticated Users for one folder and
all its subfolders. There were about 15-20 people accessing data from
this folder. I turned on the following Success Audit settings for the
folder: Traverse folder/execute file, List folder/read data, Create
files/write data, Create folders/append data, Delete subfolders and
files, and Delete.
Just before I did this I saved and cleared the Security log and configured it to archive events when the log exceeded 20MB.
Everything worked as it should - I could see security events being
logged that showed Event IDs 5140 share accessed, 4656 handle
requested, 4658 handle closed, 4663 attempt to access object, and 4660
object deleted.
What I was not expecting was that the security log would log so
many events. In one hour 380MB of logs had been archived. One of the
archived logs (remember they are 20MB each) was created and archived in
just 20 seconds, but on average it took about 10 minutes for the 20MB limit
to be reached.
So, after an hour's worth of logging I turned auditing off at both the
local and GPO level, and removed auditing from the folder.
Today, I enabled auditing via the local security policy only, leaving
the GPO auditing settings alone (Audit object access = Not defined), and
set up auditing for the same folder exactly as it was configured
yesterday. The logging is far less intense than it was yesterday. In
nearly three hours the log is just over 3MB in size which is quite
acceptable (or is it?).
So, what did I do wrong? Is it wrong to have both GPO and local security
policy audit settings duplicated? What sort of log size do others see
when object access auditing is turned on? Any good tips or tricks out
there that anyone would like to share?
Thanks!
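As an added example (not part of the original post), the following PowerShell script reproduces the setup described above on the file server itself, with one deliberate difference: it enables only the Object Access > File System subcategory with auditpol, instead of the category-level "Audit object access" setting, which also switches on Registry, SAM, Kernel Object, Handle Manipulation and the other Object Access subcategories. It then adds the same six Success audit entries to the folder's SACL, caps and archives the Security log at 20MB, and counts what the folder generates per event ID and per user/path. The folder path D:\Shares\Finance is a hypothetical placeholder; run the script in an elevated session.

```powershell
# Added example, not code from the original post. Assumes an elevated
# PowerShell session on the Windows Server 2008 file server and that
# $Folder (hypothetical path) is the shared folder being audited.

$Folder = 'D:\Shares\Finance'

# 1. Audit policy: enable only the File System subcategory. The category-level
#    "Audit object access" setting turns on every Object Access subcategory
#    (Registry, SAM, Kernel Object, Handle Manipulation, ...) as well.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
auditpol /get /subcategory:"File System"

# 2. SACL: the six Success entries from the post, for Authenticated Users,
#    inherited by subfolders (ContainerInherit) and files (ObjectInherit).
$rights = [System.Security.AccessControl.FileSystemRights] (
    'Traverse, ListDirectory, CreateFiles, CreateDirectories, ' +
    'DeleteSubdirectoriesAndFiles, Delete')
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'NT AUTHORITY\Authenticated Users', $rights, $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Success)

$acl = Get-Acl -Path $Folder -Audit   # -Audit reads the SACL (needs SeSecurityPrivilege)
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Security log: 20 MB maximum; retention + autobackup = archive when full
#    rather than overwrite, matching the post's GUI setting.
wevtutil sl Security /ms:20971520 /rt:true /ab:true

# 4. Measure: events from the last hour, by ID.
$since  = (Get-Date).AddHours(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 5140, 4656, 4658, 4663, 4660
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | Group-Object Id | Sort-Object Count -Descending |
    Select-Object @{n='EventId'; e={$_.Name}}, Count | Format-Table -AutoSize

# 5. Which user/path pairs dominate the 4663 (access attempted) events?
#    Each 4663 carries SubjectUserName, ObjectName and AccessMask in EventData.
$events | Where-Object { $_.Id -eq 4663 } | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    New-Object PSObject -Property @{
        User       = $d['SubjectUserName']
        Object     = $d['ObjectName']
        AccessMask = $d['AccessMask']
    }
} | Group-Object User, Object | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# 6. Rough growth rate from the live log file itself.
$log = Get-Item "$env:SystemRoot\System32\winevt\Logs\Security.evtx"
'{0:N1} MB in the live log; oldest event {1}' -f ($log.Length / 1MB),
    (Get-WinEvent -LogName Security -Oldest -MaxEvents 1).TimeCreated
```

One caveat when running this on a domain member: a category-level "Audit object access" setting in a domain GPO is reapplied at every policy refresh and will overwrite the subcategory setting made with auditpol, unless the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled. The per-ID counts and the user/path grouping are what to compare between the two configurations the post describes, since they show which event IDs and which paths account for the volume rather than just the total log size.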