RE: Win2k audit logs - HELP!

From: Kolde, Jennifer E. (jkoldeat_private)
Date: Thu Dec 19 2002 - 14:43:22 PST


    In a message dated 12/15/02, 7:47 AM Pacific Standard Time,
    johnny_mamakat_private writes:
    
    <<We turned on Windows 2000 auditing for a particular user on our file
    server (SERVER1) and found some very interesting audit events...a folder
    (Group1) and all of its subfolders have been accessed within 3
    seconds...BTW, what we did is we turned on ALL the audit features (yes, ALL)
    that are available for that particular folder, that's why there are so many
    logs for one event...>>
    
    Hello,
    
    I have not looked at your detailed logs, but from your message below and
    your description of how you have enabled Windows auditing...this is
    normal/expected behavior for Windows.
    
    Windows can log an enormous amount of detail about activity on the system.
    If you are auditing ALL types of access to the folder and its contents
    (read, write, modify...) then you will collect a vast amount of data.
    
    For example...
    
    Even if you are only auditing "Read" access to a file, "Read" is considered
    a high-level permission.  It is actually made up of the more fine-grained
    permissions of:
    
     - Read data / list folder contents
     - Read file attributes
     - Read extended file attributes
     - Read permissions
    
    So, if you are auditing "Read" access to a file and you use Windows Explorer
    to view the file system, expand the directory tree, browse to the file, and
    double-click that file to open it...that "simple" set of actions will
    probably generate 20 - 30 entries in your security log.  The fact that all
    of these accesses are occurring as a result of the Explorer process explains
    why they occur in a matter of seconds.
    
    You can see this level of detail in your sample logs below; Accesses =
    ReadAttributes, Accesses = ReadData (or ListDirectory), etc.
    
    You can help weed out some of the above "noise" by fine-tuning the type of
    access you audit.  Simply select the more granular permissions above - if
    you only want to know if someone actually reads the file, only audit for
    "Read data" access.
    
    Regards,
    Jennifer
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
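As an added illustration that is not part of Jennifer's reply or the list archive: a small Python triage script that maps the "Accesses" names in object-access audit records back to the winnt.h access-mask bits behind the high-level "Read" permission (the four sub-rights listed above plus SYNCHRONIZE, whose union is FILE_GENERIC_READ) and drops the attribute, EA and permission noise so that only the accesses that actually read data remain. The sample records are constructed to carry the fields the reply mentions and are not real Windows 2000 log output.

```python
"""Triage Windows object-access audit records: decode the "Accesses" names into
the fine-grained rights behind a high-level "Read" and keep only real data reads."""
import re

# winnt.h access-mask bits behind "Read" (their union with SYNCHRONIZE is FILE_GENERIC_READ)
ACCESS_BITS = {
    "ReadData (or ListDirectory)": 0x00000001,  # FILE_READ_DATA
    "ReadEA": 0x00000008,                        # FILE_READ_EA
    "ReadAttributes": 0x00000080,                # FILE_READ_ATTRIBUTES
    "READ_CONTROL": 0x00020000,                  # read permissions
    "SYNCHRONIZE": 0x00100000,
}
FILE_GENERIC_READ = 0x00120089

# Constructed sample (not real log output): the flurry Explorer produces while
# browsing to a file, then the one open that actually reads it.
SAMPLE_LOG = """\
Object Name: D:\\Group1
Accesses: ReadAttributes

Object Name: D:\\Group1
Accesses: ReadData (or ListDirectory)
          SYNCHRONIZE

Object Name: D:\\Group1\\plan.doc
Accesses: ReadAttributes

Object Name: D:\\Group1\\plan.doc
Accesses: READ_CONTROL
          ReadData (or ListDirectory)
          ReadEA
          ReadAttributes
          SYNCHRONIZE
"""

def parse_records(text):
    """Return [(object_name, access_mask)] for each blank-line-separated record."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        name = re.search(r"^Object Name:\s*(.+)$", block, re.M).group(1).strip()
        mask = 0
        for right in block.split("Accesses:", 1)[1].split("\n"):
            if right.strip():
                mask |= ACCESS_BITS[right.strip()]  # OR the bits for each named right
        records.append((name, mask))
    return records

def data_reads(records):
    """Keep only records where ReadData was exercised; the rest is the noise described above."""
    return [r for r in records if r[1] & ACCESS_BITS["ReadData (or ListDirectory)"]]
```

Running `data_reads(parse_records(SAMPLE_LOG))` collapses the four constructed records to the two that list the folder or read the file, which is the same reduction you get by auditing only "Read data".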
    



    This archive was generated by hypermail 2b30 : Thu Dec 19 2002 - 19:21:23 PST