Solved

Guidelines for Windows Server 2008 R2 file access auditing

Posted on 2016-11-22
3
123 Views
Last Modified: 2016-11-22
I've enabled auditing on my file server to track logon success/failure and file access success/failure. The Security log is recording this information, but the log file has become massive and difficult to work with.  Are there guidelines for setting up auditing in a practical manner so I can identify unauthorized logon and file access attempts without recording so many events?

Thank you
0
Comment
Question by:cmmcginn
3 Comments
 
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 41898383
It is best effort for a balance to take a risk measure approach as log from other security device will need to continue having the audit like the firewall and ips.

Do see practices recommended for overseeing Unauthorised access
Audit Event
Failure audit for logon/logoff

Random password hack

Audit Event
Success audit for logon/logoff

Stolen password break-in

Audit Event
Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events

Misuse of privileges

Audit event
Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files.

Improper access to sensitive files
https://technet.microsoft.com/en-us/library/dd277403.aspx

As a whole, the minimal recommended as below

Default Domain Controllers Policy
Select Success and Failure for all policies except:
Audit object access
Audit privilege use
For these, only select Failure.

Default Domain Policy
Default Domain Policy applies to all computers on your domain except your domain controllers.


For this policy, select Success and Failure for the following:
Audit account logon events
Audit account management
Audit logon events
Audit policy change
Audit system events

You may also select Success and Failure for Audit process tracking to monitor critical processes such as the AV service or unauthorized programs such as games or malicious executable files.
0
 

Author Closing Comment

by:cmmcginn
ID: 41898426
Thank you very much. My auditing configuration is consistent with your suggestions.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41898667
Looked at advanced auditing configuration to make the log smaller.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The related questions "How do I recover the passwords for my Q-See DVR" and "How can I reset my Q-See DVR to eliminate a password" are seen several times a week.  Here we discuss the grim reality of the situation.
Most MSPs worth their salt are already offering cybersecurity to their customers. But cybersecurity as a service is wide encompassing and can mean many things.  So where are MSPs falling in this spectrum?
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question