Solved

Windows Server 2008 R2: Auditing -  Success vs. Failure

Posted on 2016-10-19
3
29 Views
Last Modified: 2016-10-19
What is meant by Audit Account Lockout - Success / Failure?  If an account is locked out, what constitutes a "success" and what constitutes a "failure"?  When does a user successfully lockout his/her account?  When does a user fail to lockout his/her account?  The info I've seen online simply repeats Microsoft's useless one-sentence explanation.

Similarly, how is Audit File System Success / Failure supposed to work?  Do we really want to audit every time an authorized user accesses a file successfully?  Alternatively, is this intended to be helpful in tracking when an unauthorized person accessed a file successfully?  If so, how would one sort through countless successful accesses by authorized users in order to locate a successful access by an unauthorized user?

I really appreciate any help.
0
Comment
Question by:cmmcginn
3 Comments
 
LVL 34

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 200 total points
ID: 41851015
"Audit Account Lockout" is successful when a user can log in, and fails when a user's account is locked out.

"Audit File System" - is indeed useful if you need to know every user that has accessed a file.  Most organizations don't, but some do.  By definition, an unauthorized user would fail this audit, so you'd check your logs for failures.
0
 
LVL 38

Accepted Solution

by:
Adam Brown earned 300 total points
ID: 41851151
Audit Account Lockout will write an event when an attempt is made to automatically lock out an account. The event will show a success if the account was locked out and a failure if the attempt to lock the account failed for some reason (This is extremely rare and signifies a pretty major system failure) and the account wasn't locked.

When you configure auditing on the file system, you have to configure auditing on the folders as well as in the security policy (this is done with the advanced permissions settings in the File/folder properties screen). If you have files that are under some regulatory or policy reason for recording all access to them, you'll need to make sure Success and Failure auditing are set up on the file. There are plenty of situations where this would be required. The event viewer can help you filter through the results if you need to examine the logs for some reason, but for the majority of environments, this type of auditing is meant to assist in forensic investigations following a security breach, and just having it enabled is really all you need to worry about. There are also a number of third party solutions that can be used to collect and examine the logs to look for violations and patterns automatically.

While users that aren't supposed to have access to specific files will record a failure audit when they attempt to do so, there are situations where users are granted access to things when they shouldn't be, and auditing for file system access successes will help show this.
1
 

Author Closing Comment

by:cmmcginn
ID: 41851214
Thank you both very much!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been working as System Administrators since 2003. I recently started working as a FreeLancer and was amazed to find out that very few people are taking full advantage of their Windows Server Machines. Microsoft Windows Server comes with so…
To effectively work with Diskpart on a Server Core, it is necessary to write some small batch script's, because you can't execute diskpart in a remote powershell session. To get startet, place the Diskpart batch script's into a share on your loca…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now