
Thread: Configuring the audit directories in Windows Server 2008

  1. #1
    Join Date
    Jul 2010
    Posts
    142

    Configuring the audit directories in Windows Server 2008

    I am trying to explain how to audit object access. I am sure that someone must be looking for it. Follow these steps:
    1. Start by creating a directory and share it so that it is accessible by the client. I chose to call this directory "Audit_Folder".
    2. Once the directory is created, auditing must now be configured on this directory. Indeed, we have only enabled the audit settings on the client.
    3. You must configure the directories to be audited. To do this, right-click on the directory whose access you want to audit, then choose "Properties". In the "Security" tab, go to "Advanced".
    4. In the window that appears, click the "Audit" tab and then "Edit".
    5. In the window that appears, click "Add".
    6. You must now configure which permissions you want to audit for success and for failure. In my case, I decided to audit the creation of folders and files on success, attribute changes on failure, and the deletion and renaming of files and folders on both success and failure.
    7. Once you click "Add", choose which Active Directory security group to audit.
    8. You can select "Authenticated Users" for all authenticated users, or only a group corresponding to a department (Financial, CIO ...) or a user group that you created.
    9. Indeed, auditing deletion and renaming on success lets you find out who has deleted a file or folder, so as to avoid being accused in someone else's place of deleting important files in an enterprise.
    10. Auditing the creation of directories and files lets you follow how a directory evolves and grows in disk space. Auditing failed attribute changes solves rights problems in the directories.
    11. Once your permissions are set, confirm. You get a summary of your choices.
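The same SACL entries as in the steps above, applied from PowerShell instead of the "Advanced Security Settings" dialog. This is an added example, not code from the thread; the path `D:\Audit_Folder` is a constructed value, and the mapping of the post's choices onto `FileSystemRights` values (creation = `CreateFiles, CreateDirectories`; attribute changes = `WriteAttributes, WriteExtendedAttributes`; delete/rename = `Delete, DeleteSubdirectoriesAndFiles`) is the author's reading of step 6. Writing a SACL needs the "Manage auditing and security log" privilege, so run it elevated.

```powershell
# Added example: put the audit entries from step 6 on the shared directory's SACL
# for Authenticated Users (step 8). Assumes the folder already exists.
$AuditFolder = 'D:\Audit_Folder'   # constructed path; adjust to your share

$identity  = [System.Security.Principal.NTAccount]'NT AUTHORITY\Authenticated Users'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$success   = [System.Security.AccessControl.AuditFlags]::Success
$failure   = [System.Security.AccessControl.AuditFlags]::Failure
$both      = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# (rights to audit, audit flags) pairs mirroring the post's choices:
#  - creation of files and folders: success only
#  - attribute changes: failure only
#  - delete / rename: success and failure
$entries = @(
    @{ Rights = 'CreateFiles, CreateDirectories';           Flags = $success },
    @{ Rights = 'WriteAttributes, WriteExtendedAttributes'; Flags = $failure },
    @{ Rights = 'Delete, DeleteSubdirectoriesAndFiles';     Flags = $both }
)

# Get-Acl only reads the SACL when -Audit is given; without it Set-Acl would
# write back an object that carries no audit entries at all.
$acl = Get-Acl -Path $AuditFolder -Audit
foreach ($e in $entries) {
    $rights = [System.Security.AccessControl.FileSystemRights]$e.Rights
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
        -ArgumentList $identity, $rights, $inherit, $propagate, $e.Flags
    $acl.AddAuditRule($rule)
}
Set-Acl -Path $AuditFolder -AclObject $acl

# Verify: this is the "summary of your choices" from step 11, as a table.
(Get-Acl -Path $AuditFolder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize
```

The SACL alone produces no events: the "Audit object access" policy (see the GPO post below in this thread) must also be enabled on the file server, otherwise the entries sit unused.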

  2. #2
    Join Date
    Nov 2008
    Posts
    38

    Re: Enable Auditing on the machines via a GPO in Windows Server 2008

    I would like to discuss enabling auditing on the machines via a GPO. An audit policy can be implemented for various reasons:
    • To detect intrusion attempts on a network
    • To solve rights and security problems
    For example, by auditing logon failures, we can determine whether a hacker is trying to break into our network using brute-force methods. In this case, we have to lock the account if the person was able to log in, or contact the account owner to look into the problem further. Another example is to audit access to objects in order to define which users access resources, and to restrict access to persons who are not entitled to it. We can also provide access to users who need it but cannot get it.
    1. To begin, go to "Run / Administrative Tools / Group Policy Management".
    2. Then expand your domain and create a new GPO in the "Group Policy Objects" container. Give it a meaningful name. Edit it and go to
      Computer Configuration / Policies / Windows Settings / Security Settings / Local Policies / Audit Policy.
    3. You now have access to all the elements that you can audit.
    From this window, we can now audit:
    • Audit account logon events
    • Audit account management
    • Audit directory service access
    • Audit logon events
    • Audit object access
    • Audit policy change
    • Audit privilege use
    • Audit process tracking
    • Audit system events

    You can choose, for each item, whether you want to audit successes, failures, or both. By default, the security template "security.inf" is applied. This security template includes defaults for auditing account logon events (success and failure) and successful logon events. If we want to audit other events, they have to be set.
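Once the GPO has been linked, the useful check is not the GPO editor but the effective policy on the file server itself. The following is an added example, not part of the post: it uses `auditpol /get ... /r`, whose CSV report has the columns Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting and Exclusion Setting, to confirm that the "Object Access" category (the GPO's "Audit object access" item) is actually in effect, and warns if the "File System" subcategory, the one that drives directory SACL entries, is still at "No Auditing". The function name `Get-EffectiveAuditPolicy` is the author's; run it elevated.

```powershell
# Added example: verify the audit policy that is really in force on this server
# after the GPO described above has been applied.

# Pull the latest computer policy first so the new GPO is in effect.
gpupdate /target:computer /force | Out-Null

function Get-EffectiveAuditPolicy {
    # Wraps "auditpol /get" in CSV report mode and returns one object per subcategory.
    param([string]$Category = '*')
    auditpol /get /category:"$Category" /r | ConvertFrom-Csv |
        Select-Object Subcategory, 'Inclusion Setting'
}

# "Audit object access" in the GPO window corresponds to the "Object Access"
# category here; its "File System" subcategory governs the SACL entries that
# were placed on the directory in the first post.
$objectAccess = Get-EffectiveAuditPolicy -Category 'Object Access'
$objectAccess | Format-Table -AutoSize

$fs = $objectAccess | Where-Object { $_.Subcategory -eq 'File System' }
if ($fs -eq $null -or $fs.'Inclusion Setting' -notmatch 'Success|Failure') {
    Write-Warning "File System auditing is not enabled: directory SACLs will not generate events."
}

# Full picture of all nine categories, to compare with the GPO choices.
Get-EffectiveAuditPolicy | Format-Table -AutoSize
```

Comparing this output with the GPO editor catches the usual failure, a GPO linked to the wrong OU or blocked by inheritance, before anyone concludes that the SACL was misconfigured.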

  3. #3
    Join Date
    Nov 2008
    Posts
    27

    Re: Configuring the audit directories in Windows Server 2008

    Auditing is used to track user activities and system events and to save the generated log files in order to exploit them. Windows Server 2008 includes the new version of the event log, "Windows Eventing 6.0". This latest version allows you to record events in XML format, offering scalability, availability and enhanced management options. Moreover, we can now attach a task to an event, such as sending mail or starting a program. We must choose what we want to audit before implementing a strategy, because the log files can quickly become very large. This would result in a decline in performance on our server, and in searches that are difficult and inefficient. It is possible to store our logs on a file system to solve the problem of disk space. An audit strategy should be carefully considered to be as effective and as easily exploitable as possible.

  4. #4
    Join Date
    May 2008
    Posts
    248

    Re: Configuring the audit directories in Windows Server 2008

    To test your audit strategy, you should apply the GPO you created earlier to your user. Then you should create a global security group (gg-audit) and add your user (anonymous) to it. I have done this and I am explaining my steps. I started by restricting the rights of the user "anonymous" on the directory "Audit_Folder" in order to get alerts: I took away the rights to delete and to rename.

    Now we go into the Event Viewer to see the logs generated by Windows Server 2008. To do this, go to "Start / Administrative Tools / Event Viewer". The event log classifies all the logs. We have 5 categories of logs:
    Application: contains events generated by applications installed on the system.
    Security: contains the audit events generated by the system (opening and closing of sessions, access to resources and changes in strategies).
    System: contains events generated by Windows components and services.
    However, we must first define the size of each log file so that the log files do not become too cumbersome.

    After you change the audit policy on the directory "Audit_Folder", the Event Viewer generates an event. When the icon next to the event is a key, it is a success, whereas when the event is a failure, we have a lock. After the client "anonymous" has created the folder "New Folder" in the directory "Audit_Folder", the client attempts to delete it. We can see that the user "anonymous" could not rename the folder "New Folder". (DELETE is the renaming, while DELETE FILES AND FOLDER corresponds to the deletion.) After authorizing the user "anonymous" to rename and delete files and folders, the Event Viewer shows a new event as a success.

  5. #5
    Join Date
    Apr 2011
    Posts
    1

    Re: Configuring the audit directories in Windows Server 2008

    So... after a lot of looking around I was able to get auditing set up, but how do I find a specific file that was deleted? Let's say C:a folder\other folder\example.txt was deleted; how can I find who deleted it and when? My Event Viewer shows who did the action and when, but not the name of the file. With previous versions I can find the general time frame, if that is important.
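For the test walkthrough in post #4 and the question in post #5, the detail worth knowing is where the path lands in the Windows Server 2008 Security log: event 4663 ("An attempt was made to access an object") carries the file path in its Object Name field together with the account and the requested access, and a delete shows up as an access mask containing DELETE (0x10000), followed by event 4660 ("An object was deleted") that shares the same Handle ID but no path. The script below is an added example, not from the thread: it correlates the two to answer "who deleted this file, and when". The target path is the poster's, reused as a constructed value; `Get-EventData` is the author's helper name. Run it on the file server, elevated, with the SACL and the Object Access policy from the earlier posts in place.

```powershell
# Added example: find who deleted a given file and when, from the Security log.
$Target = 'C:\a folder\other folder\example.txt'   # constructed; the path asked about
$Since  = (Get-Date).AddDays(-7)

function Get-EventData {
    # Flatten the <EventData> of a Security event into a hashtable keyed by Data Name
    # (ObjectName, SubjectUserName, AccessMask, HandleId, ...).
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# 4663 entries naming the target path whose access mask includes DELETE (0x10000).
$accesses = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.ObjectName -eq $Target -and (([int]$d.AccessMask) -band 0x10000)) {
            New-Object PSObject -Property @{
                Time     = $_.TimeCreated
                User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process  = $d.ProcessName
                HandleId = $d.HandleId
                Path     = $d.ObjectName
            }
        }
    }

# 4660 confirms that the object really was deleted (a DELETE access can also be
# a rename, as post #4 notes); correlate on HandleId.
$deletedHandles = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-EventData $_).HandleId }

$accesses |
    Where-Object { $deletedHandles -contains $_.HandleId } |
    Sort-Object Time |
    Select-Object Time, User, Process, Path, HandleId |
    Format-Table -AutoSize
```

If nothing comes back, the usual causes are the ones post #3 warns about: the Security log was too small and has already wrapped, or the SACL entry was set on the parent folder without inheritance to files, so the file itself never produced a 4663.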
