File Auditing

patrick

On Windows 2000 Server with SP4,

I have
1) set up for C:\ D:\ file auditing for Everyone for file delete/write.
2) On Security Policy, set Audit of Object Access to Success and Failure

Observation
1) Even though I have NOT selected under file/directory properties->Audit->
auditing of successful file read (without write), object handle open/close
of any files are audited when Security Policy is set to audit *successful*
object access-> I don't want to audit absolutely every single file
access!!!!
2) When Audit Policy is set to only audit Failure to object access, then no
successful file deletes/writes are audited at all!!
 
Roger Abell

In order to assist you need to tell us exactly what you have
enabled in the Auditing SACL, including the "Applies onto"
dropbox selection (which is likely where your mistake is).
 
Steven L Umbach

The nature of auditing of object access is that there will be many seemingly
unrelated events recorded in the security log. Try not to audit users and everyone
but instead create a global group or local groups of users you want to audit. Then
avoid auditing a whole drive but instead audit only critical folders. If possible
avoid auditing write or you will continue to get large amounts in the security log. For
instance if this is a computer using the internet, a user will write thousands of
files to his temporary internet files in a short period of time. --- Steve
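
The scoping suggested in the replies above (one group, one critical folder, an explicit "Applies onto" choice), as an added example that is not part of the original thread. It assumes a later Windows version with PowerShell, which the Windows 2000 system discussed does not have; the folder path and group name are hypothetical.

```powershell
# Added example: narrow audit entry (SACL) on one folder for one group.
# Run elevated; reading and writing a SACL requires the
# "Manage auditing and security log" user right.
# "Audit object access" in the audit policy must still be enabled, as in the post.

$Folder = 'D:\Finance'           # hypothetical critical folder
$Group  = 'CORP\Audited-Users'   # hypothetical group (instead of Everyone)

# Audit deletes only. Adding 'Write' matches the original request but, as
# noted in the thread, produces far more events.
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'

# "Applies onto: This folder, subfolders and files"
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Record both successful and failed attempts for these rights only.
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group, $rights, $inherit, $propagate, $flags)

# -Audit is required, otherwise the returned descriptor has no SACL.
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Read the SACL back and list explicit and inherited audit entries,
# so an inherited drive-wide "Everyone" entry is visible if one remains.
(Get-Acl -Path $Folder -Audit).GetAuditRules(
        $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags,
                 InheritanceFlags, IsInherited -AutoSize
```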
 
