Solved

Windows Server 2008 R2: Auditing -  Success vs. Failure

Posted on 2016-10-19
Last Modified: 2016-10-19
What is meant by Audit Account Lockout - Success / Failure?  If an account is locked out, what constitutes a "success" and what constitutes a "failure"?  When does a user successfully lockout his/her account?  When does a user fail to lockout his/her account?  The info I've seen online simply repeats Microsoft's useless one-sentence explanation.

Similarly, how is Audit File System Success / Failure supposed to work?  Do we really want to audit every time an authorized user accesses a file successfully?  Alternatively, is this intended to be helpful in tracking when an unauthorized person accessed a file successfully?  If so, how would one sort through countless successful accesses by authorized users in order to locate a successful access by an unauthorized user?

I really appreciate any help.
Question by: cmmcginn
3 Comments
 

Assisted Solution

by: Paul MacDonald
Paul MacDonald earned 200 total points
ID: 41851015
"Audit Account Lockout" is successful when a user can log in, and fails when a user's account is locked out.

"Audit File System" - is indeed useful if you need to know every user that has accessed a file.  Most organizations don't, but some do.  By definition, an unauthorized user would fail this audit, so you'd check your logs for failures.
 

Accepted Solution

by: Adam Brown
Adam Brown earned 300 total points
ID: 41851151
Audit Account Lockout will write an event when an attempt is made to automatically lock out an account. The event will show a success if the account was locked out, and a failure if the attempt to lock the account failed for some reason (this is extremely rare and signifies a pretty major system failure) and the account wasn't locked.

When you configure auditing on the file system, you have to configure auditing on the folders as well as in the security policy (this is done with the advanced permissions settings in the File/folder properties screen). If you have files that are under some regulatory or policy reason for recording all access to them, you'll need to make sure Success and Failure auditing are set up on the file. There are plenty of situations where this would be required. The event viewer can help you filter through the results if you need to examine the logs for some reason, but for the majority of environments, this type of auditing is meant to assist in forensic investigations following a security breach, and just having it enabled is really all you need to worry about. There are also a number of third party solutions that can be used to collect and examine the logs to look for violations and patterns automatically.

While users that aren't supposed to have access to specific files will record a failure audit when they attempt to do so, there are situations where users are granted access to things when they shouldn't be, and auditing for file system access successes will help show this.
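Worked example, added here and not code from either answer above. It covers both points in the thread: the two-step setup Adam Brown describes (the subcategory policy plus a SACL on the folder itself, since the policy alone logs nothing for files) and the log review Paul MacDonald suggests, extended to answer the original question of how to find a successful access by someone who should not have had it: every 4663 success is tagged with whether the subject is on an allow-list, and only the untagged ones are shown. Assumptions: an elevated PowerShell session on the 2008 R2 file server, the folder path C:\Sensitive, and the account names in $allowed; all three are placeholders. Event IDs used are standard Windows ones: 4663 "An attempt was made to access an object" (File System subcategory), 4740 "A user account was locked out" (written on the domain controller under the User Account Management subcategory), and 4625 with SubStatus 0xC0000234 (a logon refused because the account was already locked, which is the event the Account Lockout subcategory governs, logged on the machine where the logon was tried).

```powershell
# Added example for this thread; not code from either answer. Assumes an elevated
# PowerShell session on the 2008 R2 file server, an NTFS folder C:\Sensitive
# (assumed path) and that the names in $allowed below are your authorized users.

# --- 1. Policy: enable the two subcategories discussed above --------------------
# On 2008 R2 the advanced (subcategory) settings only win over the legacy
# nine-category policy when this value is 1 (GPO: "Audit: Force audit policy
# subcategory settings ... to override audit policy category settings").
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord
auditpol /set /subcategory:"Account Lockout" /success:enable /failure:enable
auditpol /set /subcategory:"File System"     /success:enable /failure:enable

# --- 2. SACL: nothing is logged for a file until the folder says what to audit ---
$folder = 'C:\Sensitive'                       # assumed path
$acl  = Get-Acl -Path $folder -Audit           # -Audit is required to read the SACL
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',                                                        # whose accesses
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')      # both outcomes
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl          # writing a SACL needs SeSecurityPrivilege

# --- 3. Review: flatten the event's XML EventData into a hashtable for filtering --
function ConvertFrom-EventData {
    param($Event)
    $data = @{}
    foreach ($item in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    $data
}

# 4663 = "An attempt was made to access an object" (File System subcategory).
# Each success is tagged Expected if the subject is on the allow-list; the
# successes that are NOT Expected are the "unauthorized but succeeded" cases.
function Get-FileAccessAudit {
    param([string]$PathPrefix, [string[]]$AllowedUsers, [int]$MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d['ObjectName'] -notlike "$PathPrefix*") { return }   # return = skip to next event
        $user = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        if ($_.KeywordsDisplayNames -contains 'Audit Success') { $outcome = 'Success' } else { $outcome = 'Failure' }
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; User = $user; Object = $d['ObjectName']
            AccessMask = $d['AccessMask']; Process = $d['ProcessName']
            Outcome = $outcome; Expected = ($AllowedUsers -contains $user)
        }
      }
}

# 4740 = "A user account was locked out": the lockout itself, logged on the DC under
# the User Account Management subcategory. 4625 with SubStatus 0xC0000234 = a logon
# refused because the account was already locked; that is what the Account Lockout
# subcategory records, on the machine where the logon was attempted.
function Get-LockoutAudit {
    param([int]$MaxEvents = 2000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4625 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($_.Id -eq 4625 -and $d['SubStatus'] -ne '0xC0000234') { return }   # other logon failures
        # In 4740 the TargetDomainName field carries the caller computer name.
        if ($_.Id -eq 4740) { $src = $d['TargetDomainName'] } else { $src = $d['IpAddress'] }
        New-Object PSObject -Property @{
            Time = $_.TimeCreated; Id = $_.Id; Account = $d['TargetUserName']; Source = $src
        }
      }
}

# Usage: successful accesses by anyone not on the allow-list, then lockout activity.
$allowed = @('CONTOSO\alice', 'CONTOSO\svc-backup')   # assumed names
Get-FileAccessAudit -PathPrefix $folder -AllowedUsers $allowed |
    Where-Object { $_.Outcome -eq 'Success' -and -not $_.Expected } |
    Format-Table Time, User, Object, AccessMask, Process -AutoSize
Get-LockoutAudit | Format-Table Time, Id, Account, Source -AutoSize
```

Two practical notes. The SACL applies only to the rights named in the rule, so auditing ReadData on a busy share produces a 4663 per handle per user; scoping the rule to the folders that actually need it (and leaving Success off where only denials matter) is what keeps the log usable. And the allow-list approach only finds people who should not have access; it will not flag an authorized user misusing access, which is where the third-party collection and pattern tools Adam Brown mentions come in.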
 

Author Closing Comment

by:cmmcginn
ID: 41851214
Thank you both very much!