Re: File Auditing with Group Policy



On May 18, 2:56 am, "Jeremy" <jer...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
1: SetACL http://setacl.sourceforge.net/ can be used to set the SACL
(auditing settings) of files and folders. You will need a GPO to enable
object access auditing as you have described and a script to turn auditing
of the events you are after for each object (file and folder). The script
is a one off since new files should inherit the settings on the parent.
2: The only thing you are missing is that the Windows event log can only
hold around 300-400 Mb of data (despite what you may think). So if you
start generating shirtloads of audit events you might blow out your logs so
that they only hold a small amount of data (hours or days). You might need
to think about your log backup regime. Let me know if you want more detail
about what I have done for this in the past.
3: Once you work out how to use setacl you can be as granular as you like in
so far as what you audit or don't. The GPO doesn't come into this though.
4: There are 3rd party products that can consolidate your logs and notify
you of spurious activity. SNARE comes to mind. http://sourceforge.net/projects/snare/

"Dan Heim" <DanH...@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message

news:E5FAB674-04EC-4AAC-AFAA-2E7724FEB086@xxxxxxxxxxxxxxxx



Hi guys,

I am hoping anyone that is doing enterprise auditing can help out with
this one. We have a new project and it can really be broken down into 3
objectives

First - Use auditing to monitor the modification and deletion of files on
workstations/servers
Second - Try to keep security logs as clean as possible by auditing only
certain folders we and only the create/write data successes and delete
success events.
Third - Find a way through script or GPO to roll this out to all of our
workstations/servers

When I manually take a certain directory and audit with just successful
delete & create/write data it seems to work pretty good and not generate
too much other garbage.

1 - Is there a command line way to apply auditing that I could put in a
script? (I do not think CACLS will do it)

I am trying to use GPO to do it, but see 2 huge problems. First is I can
not get it to work. I have enabled GPO Computer Configuration->Windows
Settings->Local Policies->Audit Policy and modified "Audit Object Access"
to Success and "Audit Privilege Use" to Success and rebooted workstation and
they are getting and applying the GPO (verified with gpresult) but they are
not auditing file changes like they should.

2 - Is there anything I am missing there?

3 - If I do use GPO is there any way to narrow down the level of auditing
to just get results for deleting/modifying files similar to the way you can
when you do it manually?

4 - Is there anyone else out there doing something similar through a 3rd
party product they would recommend?


You can also use third party applications for this. File System
Auditor from ScriptLogic is a good option. It lets you monitor who
touched what when. Here is the link: http://www.scriptlogic.com/products/filesystemauditor/

Michael P. Perrault
MCSE, CCNA, A+, MBA
Senior Systems Engineer,
ScriptLogic Corporation
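
An added example, not part of the thread and not SetACL itself: the one-off SACL script described in point 1 of the quoted reply, written with PowerShell's built-in Get-Acl/Set-Acl and limited to success events for create/write and delete. The folder paths, the Everyone trustee and the English subcategory name passed to auditpol are assumptions.

```powershell
# Added example: folder list and trustee are assumptions, not from the thread.
# Run elevated; reading or writing a SACL requires SeSecurityPrivilege.
function Add-WriteDeleteAudit {
    param([Parameter(Mandatory)][string[]]$Folder)

    # Success-only auditing of create/write and delete, as in the question.
    $rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
    # Inherit to subfolders and files so new objects pick up the setting.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $flags = [System.Security.AccessControl.AuditFlags]::Success
    # S-1-1-0 is the well-known SID for Everyone (locale independent).
    $who = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule($who, $rights, $inherit, $propagate, $flags)

    foreach ($f in $Folder) {
        if (-not (Test-Path -LiteralPath $f -PathType Container)) {
            Write-Warning "Skipping missing folder: $f"
            continue
        }
        $acl = Get-Acl -LiteralPath $f -Audit   # -Audit loads the SACL
        $acl.AddAuditRule($rule)                # merges with existing audit rules
        Set-Acl -LiteralPath $f -AclObject $acl
        # Emit the resulting SACL so the rollout can be verified per folder.
        (Get-Acl -LiteralPath $f -Audit).Audit |
            Select-Object @{n='Folder';e={$f}}, IdentityReference, FileSystemRights, AuditFlags, IsInherited
    }
}

# The SACL only produces events when object access auditing is enabled by policy.
auditpol /get /subcategory:"File System"

Add-WriteDeleteAudit -Folder 'C:\Data\Finance', 'C:\Data\HR'   # hypothetical paths
```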
