Windows XP Pro auditing object access

m0rg4n

Hi from Spain,

I have a laptop with Windows XP Pro 2002 SP3. I'm studying auditing
policies, so I decided to enable auditing object access (successful and
failed) over "My Documents" to list every "List Folder / Read Data" access.
What happens is that only a few seconds later, and after I made a single
access to the folder, the list of items under Event Viewer is really huge. I
remember from another occasion that that's not the way it should be; it
should only list a few access items.
What am I doing wrong?

Thanks.
 
MowGreen

m0rg4n said:
Hi from Spain,

I have a laptop with Windows XP Pro 2002 SP3. I'm studying auditing
policies, so I decided to enable auditing object access (successful and
failed) over "My Documents" to list every "List Folder / Read Data" access.
What happens is that only a few seconds later, and after I made a single
access to the folder, the list of items under Event Viewer is really huge. I
remember from another occasion that that's not the way it should be; it
should only list a few access items.
What am I doing wrong?

Thanks.


70-270 Windows XP TechNotes - Auditing
http://www.techexams.net/technotes/xp/auditing.shtml

It appears that by auditing My Documents you are also auditing all of
its subfolders, too, hence the large size of the log.
Not sure if you can change the Auditing permissions to just monitor My
Docs.
What you could do is to set the auditing of My Docs to Failure instead
of Success or Both, or audit the My Docs subfolders individually.




MowGreen
================
*-343-* FDNY
Never Forgotten
================

"Security updates should *never* have *non-security content* prechecked
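
An added example, not part of either post: the inheriting audit entry that floods the Security log, next to an entry scoped to the folder itself and to Failure only, as the reply above suggests. It assumes Windows PowerShell is installed, an elevated session, and `Everyone` as the audited principal; the variable names are illustrative.

```powershell
# Added example (not from the thread). Reading or writing a SACL requires the
# "Manage auditing and security log" right, so run this from an elevated session.
$folder = [Environment]::GetFolderPath('MyDocuments')   # assumption: current user's My Documents
$who    = New-Object System.Security.Principal.NTAccount('Everyone')   # assumption: audited principal
$rights = [System.Security.AccessControl.FileSystemRights]::ReadData   # same access bit as "List Folder"

# Noisy form: Success and Failure, inherited by every subfolder and file.
# Built here only for contrast and to identify the principal whose entries get removed.
$broad = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $who, $rights,
    ([System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'),
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]'Success, Failure'))

# Quiet form: Failure only, applied to this folder and not inherited by children.
$narrow = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $who, $rights,
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Failure)

$acl = Get-Acl -Path $folder -Audit   # -Audit includes the SACL in the returned descriptor
$acl.RemoveAuditRuleAll($broad)       # drops every explicit audit entry for the same principal
$acl.AddAuditRule($narrow)
Set-Acl -Path $folder -AclObject $acl

# Verify: expect a single explicit entry with InheritanceFlags = None, AuditFlags = Failure.
(Get-Acl -Path $folder -Audit).Audit |
    Format-List IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited
```

The "Audit object access" policy still has to be enabled for any of these entries to produce events.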