DWStovall

asked on

Advanced Auditing Not Working...

Windows Server 2008 R2 file server.  Sensitive share is published to DFS and is available when users type a UNC path in explorer.

Access Based Enumeration is enabled.

We enabled Advanced Auditing via GPO, ran gpupdate, and configured Auditing on the top-level folder of the protected share at the file server - "Everyone" - "This folder, subfolders, files" - "Successful" and "Failed" for all accesses.

We began seeing a large volume of data in the "Security" event log.

We went back and unchecked all "Successful" items and retained just a few "Failed" items ("Traverse Folder", "List Folder", "Read Permissions", etc).

Now, we are getting no events recorded when we test accessing the object with an unauthorized account.

Question:  In this protected share, although we have Access-Based Enumeration enabled, we want to determine when an unauthorized user might try to access a folder, either by trying to access the top-level folder or by entering a complete UNC path for a subfolder.

What configurations must be made, both in the GPO as well as in the folder security settings, in order to track/audit just those attempts by unauthorized members to access any part of this protected folder?

Thank you....
ASKER CERTIFIED SOLUTION
btan

This solution is only available to members.
DWStovall

ASKER

@ breadtan,

I'm not sure I understand what I should do.

To enable "Auditing" initially, before I contacted Experts Exchange, I configured some items in GPO, and then configured some items at the top-level folder of the items I wanted to protect.

Things seemed to be working okay except that I had all of the "Accesses" set for "Successful" and "Failed", and the volume of entries in the event log was too much.

I unchecked most of the "Successful" items and some of the "Failed" items, and now none of the object accesses, particularly attempts by unauthorized people, are being recorded in the event log.

What settings must be configured so that I can track just the "Failed" attempts to access the folder objects?

I also would like to audit attempts, failed or otherwise, of "Permission Change" on any of the subfolders.

Thank you...
btan

In this link, under "Audit Object Access Properties", there are options for Success and Failure.
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

DWStovall

ASKER

I have reconfigured Advanced Auditing Policy and have reconfigured the SACL on the folders I want to audit.

I am getting a reasonable (appropriate) volume of entries to the Security Event Log; however, with Access Based Enumeration invoked, I'm not seeing any failed attempts to access folders being audited.

Although Access-Based Enumeration will prevent unauthorized individuals from seeing folders to which they do not have access, I would still like to know if an individual persists in attempting to access a folder.

For example:  With Access Based Enumeration enabled, a user may not be able to see a folder to click on it, and thus would not get a message indicating he did not have access.  If a person attempts to access a folder by using a more direct UNC path (\\server\share\folder), I would like auditing to reflect a "Failed" attempt.  So far, that's not happening.
btan

However, I see that is the best that can be done, as there are no specific events for ABE. The only coverage is from Audit Object Access or Audit Kernel Object....
http://technet.microsoft.com/en-us/library/jj852233(v=ws.10).aspx
Probably this can reduce the noise and be folder-specific:
http://technet.microsoft.com/en-us/library/cc736421(v=ws.10).aspx
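One way to put the Object Access approach from this thread into practice: a failure-only SACL on the share root, plus a check for the resulting Audit Failure events. This is an added example written for this page, not code from either participant, and it assumes the share's NTFS root is D:\Shares\Sensitive and that the shell runs elevated on the file server.

```powershell
# Added example (not from the thread). Assumed path; run elevated on the file server.
$Path = 'D:\Shares\Sensitive'

# 1. The Object Access > File System subcategory must audit Failure, or the
#    SACL below never produces events. When Advanced Audit Policy comes from
#    a GPO, change it there; auditpol only shows what is currently in effect.
auditpol /get /subcategory:"File System"

# 2. SACL entry: Everyone, "This folder, subfolders and files", Failed only.
#    Covers the reads the asker kept plus permission/ownership changes,
#    so a denied "Permission Change" attempt on any subfolder is audited too.
$rights  = [System.Security.AccessControl.FileSystemRights] (
             'Traverse, ListDirectory, ReadData, ReadAttributes, ' +
             'ReadExtendedAttributes, ReadPermissions, ' +
             'ChangePermissions, TakeOwnership')
$inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule(
             'Everyone', $rights, $inherit, $prop,
             [System.Security.AccessControl.AuditFlags]::Failure)

# Get-Acl only reads the SACL with -Audit; Set-Acl writes it back.
$acl = Get-Acl -Path $Path -Audit
$acl.SetAuditRule($rule)   # replaces any existing audit entry for Everyone
Set-Acl -Path $Path -AclObject $acl

# 3. Verify with an unauthorized test account entering the full UNC path.
#    A denied NTFS check is logged as 4656 (handle requested) with the
#    Audit Failure keyword (bit 0x10000000000000 = 4503599627370496).
#    Successful reads would be 4663; completed permission changes 4670.
$xpath = "*[System[(EventID=4656) and band(Keywords,4503599627370496)]]"
Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 20 |
    Select-Object TimeCreated, Id,
        @{ n = 'User';   e = { $_.Properties[1].Value } },
        @{ n = 'Object'; e = { $_.Properties[6].Value } }
```

If the test account is denied by the share permissions rather than by NTFS, the File System subcategory sees nothing; that denial is logged under Object Access > Detailed File Share as event 5145 instead.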