Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 224
  • Last Modified:

Guidelines for Windows Server 2008 R2 file access auditing

I've enabled auditing on my file server to track logon success/failure and file access success/failure. The Security log is recording this information, but the log file has become massive and difficult to work with.  Are there guidelines for setting up auditing in a practical manner so I can identify unauthorized logon and file access attempts without recording so many events?

Thank you
0
cmmcginn
Asked:
cmmcginn
1 Solution
 
btanExec ConsultantCommented:
It is best effort for a balance to take a risk measure approach as log from other security device will need to continue having the audit like the firewall and ips.

Do see practices recommended for overseeing Unauthorised access
Audit Event
Failure audit for logon/logoff

Random password hack

Audit Event
Success audit for logon/logoff

Stolen password break-in

Audit Event
Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events

Misuse of privileges

Audit event
Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files.

Improper access to sensitive files
https://technet.microsoft.com/en-us/library/dd277403.aspx

As a whole, the minimal recommended as below

Default Domain Controllers Policy
Select Success and Failure for all policies except:
Audit object access
Audit privilege use
For these, only select Failure.

Default Domain Policy
Default Domain Policy applies to all computers on your domain except your domain controllers.


For this policy, select Success and Failure for the following:
Audit account logon events
Audit account management
Audit logon events
Audit policy change
Audit system events

You may also select Success and Failure for Audit process tracking to monitor critical processes such as the AV service or unauthorized programs such as games or malicious executable files.
0
 
cmmcginnAuthor Commented:
Thank you very much. My auditing configuration is consistent with your suggestions.
0
 
McKnifeCommented:
Looked at advanced auditing configuration to make the log smaller.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now