Filtering the auditing of file access

Posted by Remko on May 10, 2006, 4:20 am
Hi,

I have enabled the auditing of object access on our file-server (2003)
through the Group Policy Object Editor. After that I added some groups for
auditing on a folder on our data-disk.
This works fine.
There is only one problem: the event log is filling up very fast with events
of object access of files like c:\windows\system32\lsass.exe.
Does anyone know an option to disable auditing on the system files?


Posted by S. Pidgorny on May 10, 2006, 6:52 am
Yes - do not audit access to the %windir% (Windows directory)

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

Posted by Remko on May 10, 2006, 7:07 am
OK, but when I open Explorer and check the auditing under the Security tab,
there is no person or group added for auditing.
So how do I disable auditing on the system32 dir?

"S. Pidgorny <MVP>" wrote:

> Yes - do not audit access to the %windir% (Windows directory)

Posted by Steven L Umbach on May 10, 2006, 12:11 pm
In my experience it is normal to see a lot of seemingly unrelated object
access events recorded in the security log when you audit folders/files. The
one thing I would check is to make sure that the security option for
auditing global objects is disabled in Local Security Policy, which is the
default, and to audit only the bare number of folders, for the bare number of
users, and for the bare number of permissions to accomplish what you want.
You also will need to increase the size of your security log substantially
from default if you have not done that yet, and you will find that the free
Event Comb from Microsoft will help sift through the security log for
important events that you can search for by Event ID and text string that
could include file name and access level such as delete. --- Steve
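
The checks from the reply above, as an added PowerShell example that is not part of the original thread: it reads the global-objects audit setting, lists the audit entries on the data folder and on System32, reports the Security log size, and counts which object names the object-access events refer to. `D:\Data` is a placeholder path, and event IDs 560 (Server 2003) and 4663 (later Windows versions) are assumptions that the thread does not name.

```powershell
# Added example; run in an elevated Windows PowerShell session on the file server.
# Reading a SACL needs the "Manage auditing and security log" user right.
$DataFolder = 'D:\Data'                          # assumption: the audited data folder
$SystemDir  = Join-Path $env:windir 'System32'

# 1. "Audit: Audit the access of global system objects" is stored in this
#    LSA registry value; 0 or absent means the option is disabled (the default).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$globalObjects = [int]$lsa.AuditBaseObjects      # a missing value casts to 0
"Audit global system objects enabled: $($globalObjects -ne 0)"

# 2. List the audit entries (SACL) on both folders, inherited ones included.
#    No output for a folder means no audit entry applies to it.
foreach ($path in $DataFolder, $SystemDir) {
    $acl = Get-Acl -Path $path -Audit
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object @{ n = 'Path'; e = { $path } }, IdentityReference,
                      FileSystemRights, AuditFlags, IsInherited
}

# 3. Current maximum size of the Security log.
$sec = Get-EventLog -List | Where-Object { $_.Log -eq 'Security' }
"Security log maximum size: $($sec.MaximumKilobytes) KB"

# 4. Which objects generate the events? Pull the "Object Name" field from
#    recent object-access events and count the occurrences per object.
$objects = Get-EventLog -LogName Security -InstanceId 560, 4663 -Newest 5000 `
               -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'Object Name:\s*(\S.*)') { $Matches[1].Trim() }
    }

$objects | Group-Object | Sort-Object Count -Descending |
    Select-Object -First 15 Count,
        @{ n = 'InDataFolder'; e = {
            $_.Name.StartsWith($DataFolder, [System.StringComparison]::OrdinalIgnoreCase) } },
        Name
```

Rows with `InDataFolder` set to `False` are the events to trace back to an audit entry or policy setting outside the folder you meant to audit.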

