Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Guidelines for Windows Server 2008 R2 file access auditing

Posted on 2016-11-22
3
Medium Priority
?
178 Views
Last Modified: 2016-11-22
I've enabled auditing on my file server to track logon success/failure and file access success/failure. The Security log is recording this information, but the log file has become massive and difficult to work with.  Are there guidelines for setting up auditing in a practical manner so I can identify unauthorized logon and file access attempts without recording so many events?

Thank you
0
Comment
Question by:cmmcginn
3 Comments
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 41898383
It is best effort for a balance to take a risk measure approach as log from other security device will need to continue having the audit like the firewall and ips.

Do see practices recommended for overseeing Unauthorised access
Audit Event
Failure audit for logon/logoff

Random password hack

Audit Event
Success audit for logon/logoff

Stolen password break-in

Audit Event
Success audit for user rights, user and group management, security change policies, restart, shutdown, and system events

Misuse of privileges

Audit event
Success and failure audit for file-access and object-access events. File Manager success and failure audit of Read/Write access by suspect users or groups for the sensitive files.

Improper access to sensitive files
https://technet.microsoft.com/en-us/library/dd277403.aspx

As a whole, the minimal recommended as below

Default Domain Controllers Policy
Select Success and Failure for all policies except:
Audit object access
Audit privilege use
For these, only select Failure.

Default Domain Policy
Default Domain Policy applies to all computers on your domain except your domain controllers.


For this policy, select Success and Failure for the following:
Audit account logon events
Audit account management
Audit logon events
Audit policy change
Audit system events

You may also select Success and Failure for Audit process tracking to monitor critical processes such as the AV service or unauthorized programs such as games or malicious executable files.
0
 

Author Closing Comment

by:cmmcginn
ID: 41898426
Thank you very much. My auditing configuration is consistent with your suggestions.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 41898667
Looked at advanced auditing configuration to make the log smaller.
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article covers the basics of data encryption, what it is, how it works, and why it's important. If you've ever wondered what goes on when you "encrypt" data, you can look here to build a good foundation for your personal learning.
Experts Exchange expands question security options for members.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

971 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question