Solved

Guidelines for Windows Server 2008 R2 file access auditing

Posted on 2016-11-22
3
100 Views
Last Modified: 2016-11-22
I've enabled auditing on my file server to track logon success/failure and file access success/failure. The Security log is recording this information, but the log file has become massive and difficult to work with.  Are there guidelines for setting up auditing in a practical manner so I can identify unauthorized logon and file access attempts without recording so many events?

Thank you
0
Comment
Question by:cmmcginn
3 Comments
 
LVL 62

Accepted Solution

by:
btan earned 500 total points
ID: 41898383
It is best effort for a balance to take a risk measure approach as log from other security device will need to continue having the audit like the firewall and ips.

Do see practices recommended for overseeing Unauthorised access
Audit Event
Failure audit for logon/logoff

Random password hack

Audit Event
Success audit for logon/logoff

Stolen password break-in

Audit Event
Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events

Misuse of privileges

Audit event
Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files.

Improper access to sensitive files
https://technet.microsoft.com/en-us/library/dd277403.aspx

As a whole, the minimal recommended as below

Default Domain Controllers Policy
Select Success and Failure for all policies except:
Audit object access
Audit privilege use
For these, only select Failure.

Default Domain Policy
Default Domain Policy applies to all computers on your domain except your domain controllers.


For this policy, select Success and Failure for the following:
Audit account logon events
Audit account management
Audit logon events
Audit policy change
Audit system events

You may also select Success and Failure for Audit process tracking to monitor critical processes such as the AV service or unauthorized programs such as games or malicious executable files.
0
 

Author Closing Comment

by:cmmcginn
ID: 41898426
Thank you very much. My auditing configuration is consistent with your suggestions.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 41898667
Looked at advanced auditing configuration to make the log smaller.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
One of the biggest threats in the cyber realm pertains to advanced persistent threats (APTs). This paper is a compare and contrast of Russian and Chinese APT's.
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question