Auditing File System Access
- Windows Server 2003 supports granular auditing based on user or group accounts and the specific actions performed by those accounts.
- To configure auditing, you must complete three steps: specify auditing settings, enable audit policy, and evaluate events in the security log.
i) Specify Audit Settings
- To specify the actions you wish to monitor and track, you must configure audit settings in the file’s or folder’s Advanced Security Settings dialog box.
- The Auditing tab, shown in Figure below, looks strikingly similar to the Permissions tab before it. Instead of adding permissions entries, however, you add auditing entries.
Click Add to select the user, group, or computer to audit. Then, in the Auditing Entry dialog box, as shown in Figure above, indicate which permission uses (access types) to audit, and whether to audit successful attempts, failed attempts, or both.
Auditing successful access can be used:
■ To log resource access for reporting and billing.
■ To monitor for access that would indicate that users are performing actions greater than what you had planned, indicating permissions are too generous.
■ To identify access that is out of character for a particular account, which might be a sign that a user account has been breached by a hacker.
Auditing for failed access allows you:
■ To monitor for malicious attempts to access a resource to which access has been denied.
■ To identify failed attempts to access a file or folder to which a user does require access. This would indicate that permissions are not sufficient to achieve a business task.
ii) Enabling Auditing
Configuring auditing entries in the security descriptor of a file or folder does not, in itself, enable auditing. Auditing of object access must also be enabled through local or group policy. Once auditing is enabled, the security subsystem begins to pay attention to the audit settings and logs access as directed by those settings.
iii) Examining the Security Log
Once audit entries have been configured on files or folders, and auditing of object access has been enabled through local or group policy, the system will begin to log access according to the audit entries. You can view and examine the results by opening the Security log in Event Viewer, as shown in Figure below.
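The three steps above, scripted end to end. This is an added example and not part of the original post; it assumes an elevated PowerShell 3 or later session (setting audit entries requires the SeSecurityPrivilege that administrators hold), a constructed target folder C:\Finance\Reports, and a placeholder audited group, and it uses auditpol.exe and event ID 4663 from Windows Vista/Server 2008 and later in place of the Server 2003 Local Security Policy console and its event IDs 560/567.

```powershell
# Added example (not from the original post). Constructed target path and placeholder group.
$Target  = 'C:\Finance\Reports'
$Subject = 'BUILTIN\Users'   # placeholder: the user or group whose access you want to audit

# Step 1: specify audit settings. Add an entry to the folder's SACL that audits both
# successful and failed Write/Delete attempts by $Subject, inherited by subfolders and files.
$acl  = Get-Acl -Path $Target -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList `
    $Subject,
    ([System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles'),
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    ([System.Security.AccessControl.PropagationFlags]::None),
    ([System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Verify what landed in the SACL (the equivalent of re-opening the Auditing tab).
(Get-Acl -Path $Target -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited

# Step 2: enable audit policy. The SACL entry is ignored until object access auditing is on.
# "File System" is the object-access subcategory that covers NTFS files and folders.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable
auditpol.exe /get /subcategory:"File System"   # confirm: Success and Failure

# Step 3: examine the Security log. Event 4663 = "An attempt was made to access an object"
# (Server 2003 logs 560/567 instead). Keep only records that mention the audited folder and
# show whether each one was an audit success or an audit failure.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 |
    Where-Object { $_.Message -match [regex]::Escape($Target) } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Outcome = ($_.KeywordsDisplayNames -join ',')   # 'Audit Success' or 'Audit Failure'
            Summary = ($_.Message -split "`r?`n")[0]
        }
    } | Format-Table -AutoSize
```

Audit Failure records against a folder the subject legitimately needs point to permissions that are too tight; Audit Success records from an account that has no business reason to touch the folder are the out-of-character access the text describes.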