Hi Ken,
Thank you for the posting again. I understand your concern on the network
access.
NOTE: If your computer is connected to a network, security logging may be
restricted or disabled by a network policy.
Security auditing for workstations, member servers, and domain controllers
can be enabled remotely only by domain administrators. To do this, create
an organizational unit, add the appropriate machine accounts to the
organizational unit, and then use Active Directory Users and Computers to
create a policy to enable security auditing.
You can see the "Audit Object Access" is "Local Security Settings". If you
enable this and then try to access the shared file and folder from network,
you can find Logon/Logoff Security Event ID 538 for success.
Event ID: 538 (0x021A)
Type: Success Audit
Description: User Logoff
User Name: %1 Domain: %2
Logon ID: %3 Logon Type: %4
You can see from the User Name to see who is attempting to access the
network share.
Auditing to Detect Unauthorized Access
==================================
You can detect unauthorized access attempts in the Windows Security log,
these attempts can appear as warning or error log entries. You can also
archive these logs for later use.
To detect possible security problems by reviewing the Windows Security log:
1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Administrative Tools, and then double-click Computer
Management.
3. Expand System Tools, and then expand Event Viewer.
4. Click Security Log.
5. Inspect the logs for suspicious security events, including the following
events:
- Invalid logon attempts.
- Unsuccessful use of privileges.
- Unsuccessful attempts to access and modify .bat or .cmd files.
- Attempts to alter security privileges or the audit log.
- Attempts to shut down the server.
How to Enable Security Auditing
============================
You set up security auditing differently depending on whether the computer
is a standalone computer or a domain controller.
Standalone Servers, Member Servers, or Windows 2000 Professional
1. Click Start, click Run, type mmc /a, and then click OK.
2. On the Console menu, click "Add/Remove Snap-in", and then click Add.
3. Under "Snap-in", click Group Policy, and then click Add.
4. In the "Select Group Policy Object" box, click Local Computer, click
Finish, click Close, and then click OK.
5. In the Local Computer Policy box, click Computer Configuration, click
Windows Settings, click Security Settings, click Local Policies, and then
click Audit Policy.
6. In the details pane, click "Audit logon events".
7. Click Action, click Security, select "Unsuccessful logon attempts", and
then click OK.
Windows 2000-Based Domain Controllers
1. Click Start, point to Programs, point to Administrative Tools, and then
click "Active Directory Users and Computers"
2. In the console tree, click Domain Controllers.
3. Click Action, and then click Properties.
4. Click the Group Policy tab, click Default Domain Controllers Policy, and
then click Edit.
5. Click to expand Computer Configuration, Windows Settings, Security
Settings, Local Policies, and then Audit Policy.
6. In the details pane, click "Audit logon events".
7. On the Action menu, click Security, click to select the "Define these
policy settings" check box, click to select the "Failure" check box, and
then click OK.
For more information, please refer to this knowledge base article:
300958 HOW TO: Monitor for Unauthorized User Access in Windows 2000
http://support.microsoft.com/?id=300958
Hope the above information and suggestion helps and answers your question.
If anything is unclear, please let me know.
Sincerely,
Cherry Qian
MCSE2000, MCSA2000, MCDBA2000
Microsoft Partner Online Support
Get Secure! -
www.microsoft.com/security
====================================================
When responding to posts, please Reply to Group via your newsreader so
that others may learn and benefit from your issue.
====================================================
This posting is provided AS IS with no warranties, and confers no rights.