Solved

File Auditing

Posted on 2006-06-05
Last Modified: 2013-12-04
My boss wants to figure out a way to keep track of anyone that logs into a particular folder.  Basically, she wants to make sure that I don't get into certain folders.  I set up auditing on the folder level to keep track of all domain users that use the read privilege on the folder.  The problem is, I do that to more than one folder.  Is there a clearer way to do this?

Question by:warriorfan808
12 Comments
 
LVL 9

Expert Comment

by:smidgie82
ID: 16836741
Hi warriorfan808,
This is off-topic, but...  Isn't that kind of a conflict of interest?  Being required to set up security measures to prevent yourself from misbehaving?  It just doesn't make any sense.  Your boss can only trust the security measures as much as she trusts you.  And, if she trusts you enough to monitor yourself, why are you not trusted enough to just keep out of the directory in the first place, if it's someplace you're not supposed to be?  Seems kinda pointless.  Unless she really does trust you and just needs the audit to prove to HER bosses that you're clean.  Or something.  I'm so confused...  (c:


0
 
LVL 1

Author Comment

by:warriorfan808
ID: 16836802
I'm confused too.  I hate setting up auditing, it slows things down.  Luckily, it's only on a few folders.
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16837006
Hi warriorfan808,

I agree - folder auditing slams your event log full of crap! As far as I know auditing has to be done on a per folder basis
0
 
LVL 1

Author Comment

by:warriorfan808
ID: 16837109
I was hoping that there was something in filesvr.msc that will log who accessed this particular folder and at what time.  Audits are a pain in the A and are hard to filter through, especially with all that extra garbage.

I guess she wants me to be able to tell her, who did what and at what time (including myself)
0
 
LVL 48

Expert Comment

by:Jay_Jay70
ID: 16838772
Not that I am aware of, although that doesn't say much really! The more I learn the more there is to learn.......
0
 
LVL 16

Expert Comment

by:JammyPak
ID: 16839455
I don't know, sounds logical enough to me...I may be a sysadmin, but there's certain data that I should not have access to - AND - I don't *want* access to, because if anything goes wrong with it, I don't want to be blamed! So, if you're going to set up auditing for everyone, then that includes IT in there as well...

I know it's inefficient, but it's probably to satisfy auditors or something. I would bet that those audit logs don't get looked at too often!

So warrior, I gather you were able to set up auditing successfully by the sounds of it? It does have to be folder by folder, unless you can nest the folders and make it inherit the settings perhaps...

0
 
LVL 1

Author Comment

by:warriorfan808
ID: 16840185
I do know one way that sort of helps me.  People that have roaming profile and folder redirected (issued through Group Policy), will have files that are created by the system.  These files are given special permissions that keep me out of them.  The only way to get in is if I log in with their account, which will be obvious for the user because their password has changed.  I think this is right.  I remember trying to take ownership, but I was unable.  Problem with this is, I can't share the folder for other people to get to because I don't have ownership.
0
 
LVL 12

Expert Comment

by:gidds99
ID: 16840558
I would agree that it is not unusual for a sysadmin to not have access to certain directories on the network (e.g. private personnel files).

Also I too would agree that the only way to speed this process up is to use nested folders so the audit setting can be inherited by child folders.
0
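The nested-folder approach suggested in the comments above, as an added example that is not part of the original thread: one inheritable audit rule (SACL entry) on a parent folder, followed by a check that each child folder picked it up. The path `D:\Restricted` and the group name `EXAMPLE\Domain Users` are placeholders, and the script assumes an elevated session on the file server with an English-language `auditpol`.

```powershell
# Added example. Placeholders: $AuditRoot and $Principal are assumptions, not values from the thread.
$AuditRoot = 'D:\Restricted'
$Principal = 'EXAMPLE\Domain Users'

# SACL entries only produce events if the File System audit subcategory is enabled.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Audit successful ReadData only (on a folder this is "list folder"), which keeps
# the event volume far lower than auditing the full Read or FullControl rights.
# ContainerInherit + ObjectInherit makes every subfolder and file inherit the rule.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit is required, otherwise Get-Acl does not return the SACL at all.
$acl = Get-Acl -Path $AuditRoot -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $AuditRoot -AclObject $acl

# Verify: list each subfolder and whether it carries an inherited rule for the group.
Get-ChildItem -Path $AuditRoot -Directory -Recurse | ForEach-Object {
    $rules = (Get-Acl -Path $_.FullName -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount])
    $hit = $rules | Where-Object { $_.IsInherited -and $_.IdentityReference.Value -eq $Principal }
    [pscustomobject]@{ Folder = $_.FullName; InheritsAuditRule = [bool]$hit }
}
```

A subfolder that reports `InheritsAuditRule = False` has inheritance blocked on its SACL and needs the rule set explicitly.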
 
LVL 5

Accepted Solution

by:
kevinf40 earned 1200 total points
ID: 16842373

It is indeed common practice to audit administrators.

Warriorfan - you could easily change the permissions on folders, look at what is inside, then return the permissions - without auditing there would be no record of this.

With auditing it is much harder for you to hide these actions.  The next logical step is to use a syslog type set-up so logs are saved to a central server in real time making deleting / amending log entries very difficult. - This has to be done in many businesses for compliance (e.g. SOX).

This auditing also gives you protection - e.g. if data is stolen / mis-used the suspicion could fall on you as one of the few people who could potentially access all data - the auditing would enable you to not only investigate who did what, but also prove you had nothing to do with it should the need arise.

This isn't a matter of trust rather a matter of compliance and due diligence.

Agreed auditing can create an awful lot of noise so try to restrict what is audited to the minimum to provide the required level of comfort for your business.

cheers

Kevin
0
 
LVL 1

Author Comment

by:warriorfan808
ID: 16846985
Thanks Kevin.  Do you have a link on how to set up a syslog to save audits to a central server?  Does it have to be a server?  For instance, I could have it saved on her authenticated workstation?
0
 
LVL 16

Assisted Solution

by:JammyPak
JammyPak earned 800 total points
ID: 16848654
Microsoft has a product called MOM which can centralize event logs, or you can use a 3rd party solution to send event log info to a syslog server (Windows or Linux). Otherwise you'll need to check the logs on each server separately.

Here's a good booklet on centralized logging:
http://www.sage.org/pubs/12_logging/

And this is a great site with tons of info and links for tools to centralize your Windows and/or linux logs:
http://www.loganalysis.org/
0
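The two needs raised in this thread, cutting the audit noise down to who touched what and when, and getting those records onto a central server, shown together as an added example that is not part of the original thread. It assumes a current Windows version, where file access audits are Security event ID 4663, and uses placeholder values for the collector (`logserver.example.internal`, UDP 514) and the audited path; messages are sent in RFC 5424 syslog format.

```powershell
# Added example. Run elevated on the file server; collector, port and path are placeholders.
$Collector = 'logserver.example.internal'
$Port      = 514
$AuditRoot = 'D:\Restricted'
$Since     = (Get-Date).AddMinutes(-5)   # run on a 5-minute schedule

$udp = New-Object System.Net.Sockets.UdpClient
$udp.Connect($Collector, $Port)
$pri = 13 * 8 + 6    # syslog facility 13 (log audit), severity 6 (informational)

$filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Turn the event's named data fields into a hashtable.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # Noise reduction: skip objects outside the audited tree and machine accounts (name ends in $).
    if ($d['ObjectName'] -notlike "$AuditRoot\*" -or $d['SubjectUserName'] -like '*$') { return }

    $ts  = $_.TimeCreated.ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
    $msg = 'user="{0}\{1}" object="{2}" access={3} process="{4}"' -f `
        $d['SubjectDomainName'], $d['SubjectUserName'], $d['ObjectName'],
        $d['AccessMask'], $d['ProcessName']

    # RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    $line  = "<$pri>1 $ts $env:COMPUTERNAME FileAudit - 4663 - $msg"
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($line)
    [void]$udp.Send($bytes, $bytes.Length)
}
$udp.Close()
```

Because this runs on a schedule, an administrator on the file server could still clear the local log between runs; a collector that the audited administrators cannot write to is what makes the central copy useful as evidence.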
 
LVL 1

Author Comment

by:warriorfan808
ID: 16849364
Thanks a lot guys.  
0
