Solved

Guidelines for Windows Server 2008 R2 file access auditing

Posted on 2016-11-22
3
64 Views
Last Modified: 2016-11-22
I've enabled auditing on my file server to track logon success/failure and file access success/failure. The Security log is recording this information, but the log file has become massive and difficult to work with.  Are there guidelines for setting up auditing in a practical manner so I can identify unauthorized logon and file access attempts without recording so many events?

Thank you
0
Comment
Question by:cmmcginn
3 Comments
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 41898383
It is best effort for a balance to take a risk measure approach as log from other security device will need to continue having the audit like the firewall and ips.

Do see practices recommended for overseeing Unauthorised access
Audit Event
Failure audit for logon/logoff

Random password hack

Audit Event
Success audit for logon/logoff

Stolen password break-in

Audit Event
Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events

Misuse of privileges

Audit event
Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files.

Improper access to sensitive files
https://technet.microsoft.com/en-us/library/dd277403.aspx

As a whole, the minimal recommended as below

Default Domain Controllers Policy
Select Success and Failure for all policies except:
Audit object access
Audit privilege use
For these, only select Failure.

Default Domain Policy
Default Domain Policy applies to all computers on your domain except your domain controllers.


For this policy, select Success and Failure for the following:
Audit account logon events
Audit account management
Audit logon events
Audit policy change
Audit system events

You may also select Success and Failure for Audit process tracking to monitor critical processes such as the AV service or unauthorized programs such as games or malicious executable files.
0
 

Author Closing Comment

by:cmmcginn
ID: 41898426
Thank you very much. My auditing configuration is consistent with your suggestions.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 41898667
Looked at advanced auditing configuration to make the log smaller.
0

Featured Post

The problems with reply email signatures

Do you wish that you could place an email signature under a reply? Well, unfortunately, you can't. That great Exchange/Office 365 signature you've created will just appear at the bottom of an email chain. What a pain! Is there really no way to solve this? Well, there might be...

Join & Write a Comment

Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
OfficeMate Freezes on login or does not load after login credentials are input.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now