Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 85
  • Last Modified:

Windows Server 2008 R2: Auditing - Success vs. Failure

What is meant by Audit Account Lockout - Success / Failure?  If an account is locked out, what constitutes a "success" and what constitutes a "failure"?  When does a user successfully lockout his/her account?  When does a user fail to lockout his/her account?  The info I've seen online simply repeats Microsoft's useless one-sentence explanation.

Similarly, how is Audit File System Success / Failure supposed to work?  Do we really want to audit every time an authorized user accesses a file successfully?  Alternatively, is this intended to be helpful in tracking when an unauthorized person accessed a file successfully?  If so, how would one sort through countless successful accesses by authorized users in order to locate a successful access by an unauthorized user?

I really appreciate any help.
0
cmmcginn
Asked:
cmmcginn
2 Solutions
 
Paul MacDonaldDirector, Information SystemsCommented:
"Audit Account Lockout" is successful when a user can log in, and fails when a user's account is locked out.

"Audit File System" - is indeed useful if you need to know every user that has accessed a file.  Most organizations don't, but some do.  By definition, an unauthorized user would fail this audit, so you'd check your logs for failures.
0
 
Adam BrownSr Solutions ArchitectCommented:
Audit Account Lockout will write an event when an attempt is made to automatically lock out an account. The event will show a success if the account was locked out and a failure if the attempt to lock the account failed for some reason (This is extremely rare and signifies a pretty major system failure) and the account wasn't locked.

When you configure auditing on the file system, you have to configure auditing on the folders as well as in the security policy (this is done with the advanced permissions settings in the File/folder properties screen). If you have files that are under some regulatory or policy reason for recording all access to them, you'll need to make sure Success and Failure auditing are set up on the file. There are plenty of situations where this would be required. The event viewer can help you filter through the results if you need to examine the logs for some reason, but for the majority of environments, this type of auditing is meant to assist in forensic investigations following a security breach, and just having it enabled is really all you need to worry about. There are also a number of third party solutions that can be used to collect and examine the logs to look for violations and patterns automatically.

While users that aren't supposed to have access to specific files will record a failure audit when they attempt to do so, there are situations where users are granted access to things when they shouldn't be, and auditing for file system access successes will help show this.
1
 
cmmcginnAuthor Commented:
Thank you both very much!
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now