﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / IT Audit / Windows Server </title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Sat, 31 Jul 2010 02:04:50 GMT</lastBuildDate><ttl>20</ttl><item><title>Auditing Folder Permissions - In detail...</title><link>http://forum.ultimatewindowssecurity.com/Topic413-9-1.aspx</link><description>Hi,&lt;/P&gt;&lt;P&gt;I was wondering if anybody has any pointers on how to do "detailed" folder auditing. I am aware of enable object auditing policies and setting up Change Permission and Take Ownership on the actual folder. I am interested in determining "who" granted/revoked "what" to "whom" and "when".&lt;/P&gt;&lt;P&gt;So if an IT admin grants permission to a folder to a user, I'd like to be able to see the details of that activity in the event log (Windows 2003). I currently see events 560, but this only tells me a DAC was changed... how do I monitor the details of what was changed via the event log and my SIEM?&lt;/P&gt;&lt;P&gt;Thanks!</description><pubDate>Thu, 08 Jul 2010 13:36:03 GMT</pubDate><dc:creator>security.guy</dc:creator></item><item><title>SOD - practically for Windows administrators</title><link>http://forum.ultimatewindowssecurity.com/Topic116-9-1.aspx</link><description>&lt;FONT size=1&gt;Hi,&lt;/FONT&gt;&lt;P&gt;&lt;FONT size=1&gt;During the IT audit I have hit into practical problem asked by auditees - how we can practically organise the segregation of duty in MS Windows environment, so that administrators would not have access to top management file server, or i.e. their Exchange mail? Of course, SOD could be applied at least to different roles of admins (MS Exchange v.s. 
file server admin), but as they often need to be domain admins to do their regular job, I am not sure if chance to take privileges is not a risk. Of course, turning on audit trail could be a way, but I believe this kind of activity will be under carpet within 6m.&lt;/FONT&gt;&lt;P&gt;&lt;FONT size=1&gt;I was also thinking if ILP (Information leak protection) systems could not help them in this risk control?&lt;/FONT&gt;&lt;P&gt;&lt;FONT size=1&gt;Thanks for any open ideas,&lt;/FONT&gt;&lt;P&gt;&lt;FONT size=1&gt;Jiri&lt;BR&gt;&lt;/FONT&gt;</description><pubDate>Tue, 23 Jun 2009 10:03:54 GMT</pubDate><dc:creator>sulovsky</dc:creator></item><item><title>Should security audit policy ever include the Application and System logs?</title><link>http://forum.ultimatewindowssecurity.com/Topic401-9-1.aspx</link><description>Hello,&lt;br&gt;I know this site seems to be focused on the Security logs.. and for good cause. But, I was wondering if it's ever a good idea to monitor some of the other Windows logs, such as, Application and System?&lt;br&gt;Thanks,&lt;br&gt;Tom&lt;br&gt;</description><pubDate>Tue, 06 Jul 2010 00:48:36 GMT</pubDate><dc:creator>TomMartin</dc:creator></item><item><title>Audit Start &amp; Stop Event for Windows Server (7035 EventID)</title><link>http://forum.ultimatewindowssecurity.com/Topic142-9-1.aspx</link><description>Hello,&lt;br&gt;&lt;br&gt;I am searching for how to set up audit on stop and start events for Windows Service for a member server.&lt;br&gt;Events are generated in system log (7035)</description><pubDate>Fri, 24 Jul 2009 09:03:14 GMT</pubDate><dc:creator>legallf</dc:creator></item><item><title>How to easily obtain Event Log activity metrics</title><link>http://forum.ultimatewindowssecurity.com/Topic84-9-1.aspx</link><description>How much log data and/or how many events is a given server creating in a typical day?  In a typical week?  
At its peak moment (Monday morning)?&lt;br&gt;&lt;br&gt;This question is of particular interest for Domain Controllers, and I don't know the answer.  Are there any built-in Windows tools or interfaces for displaying this type of data?  Or any simple (and free) third party tools for doing so?</description><pubDate>Fri, 01 May 2009 17:17:48 GMT</pubDate><dc:creator>ottermaton</dc:creator></item></channel></rss>