Solved

Windows Server 2008 R2: Auditing -  Success vs. Failure

Posted on 2016-10-19
Last Modified: 2016-10-19
What is meant by Audit Account Lockout - Success / Failure? If an account is locked out, what constitutes a "success" and what constitutes a "failure"? When does a user successfully lock out his/her account? When does a user fail to lock out his/her account? The info I've seen online simply repeats Microsoft's useless one-sentence explanation.

Similarly, how is Audit File System Success / Failure supposed to work?  Do we really want to audit every time an authorized user accesses a file successfully?  Alternatively, is this intended to be helpful in tracking when an unauthorized person accessed a file successfully?  If so, how would one sort through countless successful accesses by authorized users in order to locate a successful access by an unauthorized user?

I really appreciate any help.
Question by:cmmcginn
3 Comments

Assisted Solution

by:Paul MacDonald
Paul MacDonald earned 200 total points
ID: 41851015
"Audit Account Lockout" is successful when a user can log in, and fails when a user's account is locked out.

"Audit File System" - is indeed useful if you need to know every user that has accessed a file.  Most organizations don't, but some do.  By definition, an unauthorized user would fail this audit, so you'd check your logs for failures.

Accepted Solution

by:Adam Brown
Adam Brown earned 300 total points
ID: 41851151
Audit Account Lockout will write an event when an attempt is made to automatically lock out an account. The event will show a success if the account was locked out and a failure if the attempt to lock the account failed for some reason (this is extremely rare and signifies a pretty major system failure) and the account wasn't locked.

When you configure auditing on the file system, you have to configure auditing on the folders as well as in the security policy (this is done with the advanced permissions settings in the File/folder properties screen). If you have files that are under some regulatory or policy reason for recording all access to them, you'll need to make sure Success and Failure auditing are set up on the file. There are plenty of situations where this would be required. The event viewer can help you filter through the results if you need to examine the logs for some reason, but for the majority of environments, this type of auditing is meant to assist in forensic investigations following a security breach, and just having it enabled is really all you need to worry about. There are also a number of third-party solutions that can be used to collect and examine the logs to look for violations and patterns automatically.

While users that aren't supposed to have access to specific files will record a failure audit when they attempt to do so, there are situations where users are granted access to things when they shouldn't be, and auditing for file system access successes will help show this.
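An added example, not part of the thread, for the sorting problem raised in the question: it reads successful object-access events (Security log event ID 4663) and keeps only those under an audited folder that were made by accounts outside an expected list. The folder path, account names and function names are hypothetical; the event ID and the Audit Success keyword value are standard Windows values that the thread itself does not quote.

```powershell
# Added example, not code from the thread. Folder, accounts and function
# names are hypothetical; 4663 is the "attempt to access an object" event.
$AuditSuccess = 9007199254740992                    # Security-log keyword: Audit Success
$Folder       = 'D:\Finance\Payroll'                # hypothetical audited folder
$Expected     = @('CORP\alice', 'CORP\payroll-svc') # hypothetical accounts meant to have access

function ConvertTo-AccessRecord {
    # Flatten one 4663 event into the fields a reviewer needs.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        New-Object PSObject -Property @{
            Time    = $Record.TimeCreated
            Account = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
        }
    }
}

function Select-UnexpectedAccess {
    # Keep accesses under $Path made by accounts that are not in $Allowed.
    param([Parameter(ValueFromPipeline = $true)] $Access,
          [string]$Path, [string[]]$Allowed)
    process {
        if ($Access.Object -like "$Path\*" -and $Allowed -notcontains $Access.Account) {
            $Access
        }
    }
}

# Successful object-access events from the last 7 days on this server.
$filter = @{ LogName = 'Security'; Id = 4663; Keywords = $AuditSuccess
             StartTime = (Get-Date).AddDays(-7) }

# SilentlyContinue hides the "no events found" error when nothing matches.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ConvertTo-AccessRecord |
    Select-UnexpectedAccess -Path $Folder -Allowed $Expected |
    Group-Object Account, Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Run it from an elevated session on the file server. It returns results only when success auditing for the file system is enabled in the security policy and an audit entry is set on the folder, as the accepted answer describes.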
 

Author Closing Comment

by:cmmcginn
ID: 41851214
Thank you both very much!
Question has a verified solution.