> We turned on windows 2000 auditing for a particular > user on our file server(SERVER1) and found a very > interesting audit events, but we don't know what > action actually trigered all the events. We noticed > that a folder (Group1) and all of its subfolders has > been accessed within a 3 econds. Yes just within a > few > seconds. We though the user(user2) might has been > browsing through the folders and subfolders, but it > just sound impossible to browser all the folders in > less than 3 seconds !!. We also though of the user > (user2) might have copy the whole folders and paste > it > some where... This will sound more logic to do in 3 > seconds... Have you thought of asking the user? Also, since the events you posted are all success events, it would seem that the user is performing authorized activities...so, what's the point? > So, what you guyz think? . Honestly? You really need to put more thought into what auditing you enable. __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 16:08:32 PST