File Auditing

My boss wants to figure out a way to keep track of anyone that logs into a particular folder.  Basically, she wants to make sure that I don't get into certain folders.  I set up auditing on the folder level to keep track of all domain users that use the read privilege on the folder.  The problem is, I do that to more than one folder.  Is there a clearer way to do this?

warriorfan808 Asked:
 
kevinf40 Commented:

It is indeed common practice to audit administrators.

Warriorfan - you could easily change the permissions on folders, look at what is inside, then return the permissions - without auditing there would be no record of this.

With auditing it is much harder for you to hide these actions.  The next logical step is to use a syslog type set-up so logs are saved to a central server in real time making deleting / amending log entries very difficult. - This has to be done in many businesses for compliance (e.g. SOX).

This auditing also gives you protection - e.g. if data is stolen / mis-used the suspicion could fall on you as one of the few people who could potentially access all data - the auditing would enable you to not only investigate who did what, but also prove you had nothing to do with it should the need arise.

This isn't a matter of trust rather a matter of compliance and due diligence.

Agreed auditing can create an awful lot of noise so try to restrict what is audited to the minimum to provide the required level of comfort for your business.

cheers

Kevin
0
 
smidgie82 Commented:
Hi warriorfan808,
This is off-topic, but...  Isn't that kind of a conflict of interest?  Being required to set up security measures to prevent yourself from misbehaving?  It just doesn't make any sense.  Your boss can only trust the security measures as much as she trusts you.  And, if she trusts you enough to monitor yourself, why are you not trusted enough to just keep out of the directory in the first place, if it's someplace you're not supposed to be?  Seems kinda pointless.  Unless she really does trust you and just needs the audit to prove to HER bosses that you're clean.  Or something.  I'm so confused...  (c:


0
 
warriorfan808 (Author) Commented:
I'm confused too.  I hate setting up auditing, it slows things down.  Luckily, it's only on a few folders.
0
 
Jay_Jay70 Commented:
Hi warriorfan808,

I agree - folder auditing slams your event log full of crap! As far as I know, auditing has to be done on a per-folder basis.
0
 
warriorfan808 (Author) Commented:
I was hoping that there was something in filesvr.msc that will log who accessed this particular folder and at what time.  Audits are a pain in the A and are hard to filter through, especially with all that extra garbage.

I guess she wants me to be able to tell her who did what and at what time (including myself).
0
 
Jay_Jay70 Commented:
Not that I am aware of, although that doesn't say much really! The more I learn, the more there is to learn...
0
 
JammyPak Commented:
I don't know, sounds logical enough to me... I may be a sysadmin, but there's certain data that I should not have access to - AND - I don't *want* access to, because if anything goes wrong with it, I don't want to be blamed! So, if you're going to set up auditing for everyone, then that includes IT in there as well...

I know it's inefficient, but it's probably to satisfy auditors or something. I would bet that those audit logs don't get looked at too often!

So warrior, I gather you were able to set up auditing successfully by the sounds of it? It does have to be folder by folder, unless you can nest the folders and make it inherit the settings perhaps...

0
 
warriorfan808 (Author) Commented:
I do know one way that sort of helps me.  People that have a roaming profile and folder redirection (issued through Group Policy) will have files that are created by the system.  These files are given special permissions that keep me out of them.  The only way to get in is if I log in with their account, which will be obvious for the user because their password has changed.  I think this is right.  I remember trying to take ownership, but I was unable.  Problem with this is, I can't share the folder for other people to get to because I don't have ownership.
0
 
gidds99 Commented:
I would agree that it is not unusual for a sysadmin to not have access to certain directories on the network (e.g. private personnel files).

Also I too would agree that the only way to speed this process up is to use nested folders so the audit setting can be inherited by child folders.
0
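
The nested-folder approach suggested in the two posts above, as an added example that is not part of the original thread: one audit entry on a parent folder, inherited by everything beneath it, followed by a check for subfolders that block inheritance. The path `D:\Restricted` and the `Domain Users` group are assumptions for illustration, and the `auditpol` subcategory syntax assumes Windows Server 2008 or later.

```powershell
# Added example. Run in an elevated session on the file server.
# $parent and $auditee are assumed values for illustration.
$parent  = 'D:\Restricted'
$auditee = "$env:USERDOMAIN\Domain Users"

# Object-access events are only written when the audit policy is enabled.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# One rule on the parent: audit read attempts (success and failure) and
# hand the rule down to every subfolder and file. Auditing only ReadData
# keeps the event volume lower than auditing full control.
$rights  = [System.Security.AccessControl.FileSystemRights]::ReadData
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
               $auditee, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $parent -Audit     # -Audit loads the SACL as well
$acl.AddAuditRule($rule)
Set-Acl -Path $parent -AclObject $acl

# Check: every subfolder should carry the inherited rule. A folder that
# blocks inheritance will not, and needs its own audit entry.
Get-ChildItem -Path $parent -Directory -Recurse | ForEach-Object {
    $sd = Get-Acl -Path $_.FullName -Audit
    [pscustomobject]@{
        Folder             = $_.FullName
        InheritedRules     = @($sd.Audit | Where-Object { $_.IsInherited }).Count
        InheritanceBlocked = $sd.AreAuditRulesProtected
    }
} | Format-Table -AutoSize
```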
 
warriorfan808 (Author) Commented:
Thanks Kevin.  Do you have a link on how to set up a syslog to save audits to a central server?  Does it have to be a server?  For instance, I could have it saved on her authenticated workstation?
0
 
JammyPak Commented:
Microsoft has a product called MOM which can centralize event logs, or you can use a 3rd-party solution to send event log info to a syslog server (Windows or Linux). Otherwise you'll need to check the logs on each server separately.

Here's a good booklet on centralized logging:
http://www.sage.org/pubs/12_logging/

And this is a great site with tons of info and links for tools to centralize your Windows and/or Linux logs:
http://www.loganalysis.org/
0
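
For the case described above where the logs still have to be checked on each server separately, an added example (not part of the original thread) that pulls only the file-access events for one audited folder from several servers and reduces them to who, what and when. The server names and folder path are assumptions for illustration; event ID 4663 is the file-access event on Windows Server 2008 and later.

```powershell
# Added example. Server names and folder are assumed values for illustration.
$servers = 'FS01', 'FS02'
$folder  = 'D:\Restricted\HR'
$since   = (Get-Date).AddDays(-7)

$report = foreach ($server in $servers) {
    # 4663 = "An attempt was made to access an object" (Security log).
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $since }
    # Get-WinEvent raises an error when nothing matches, hence SilentlyContinue.
    Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Turn the event's named data fields into a lookup table.
            $data = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
                $data[$node.Name] = $node.'#text'
            }
            $path = [string]$data['ObjectName']
            # Keep only the audited folder itself and anything beneath it.
            $inScope = $path.Equals($folder, 'OrdinalIgnoreCase') -or
                       $path.StartsWith("$folder\", 'OrdinalIgnoreCase')
            if ($inScope) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    Server  = $server
                    User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Path    = $path
                    Access  = $data['AccessMask']
                    Process = $data['ProcessName']
                }
            }
        }
}

# One sortable file instead of paging through the Security log by hand.
$report | Sort-Object Time | Export-Csv -Path .\folder-access.csv -NoTypeInformation
```

Scheduling this from a machine the audited administrator does not control, and writing the CSV there, keeps the report out of reach of the account being audited.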
 
warriorfan808 (Author) Commented:
Thanks a lot guys.  
0
Question has a verified solution.
