What are your actual auditing goals?
ASB
http://XeeMe.com/AndrewBaker
Providing Virtual CIO Services (IT Operations & Information Security) for the SMB market…
GPG: 1AF3 EEC3 7C3C E88E B0EF 4319 8F28 A483 A182 EF3A

On Tue, Sep 15, 2015 at 9:30 AM, Aakash Shah <[email protected]> wrote:

> Just thought I'd try once more to see if anyone has any information about this.
>
> Thanks!
>
> -Aakash Shah
>
> From: Aakash Shah
> Sent: Thursday, September 10, 2015 9:27 PM
> To: '[email protected]' <[email protected]>
> Subject: File Server Auditing Question - Help Eliminating Events Produced From Windows Folders With Default Auditing Enabled
>
> I am setting up file server auditing on a Server 2012 R2 system for the first time and I had a question about reducing/eliminating the events produced from Windows folders that automatically have auditing defined on them.
>
> Current Setup
>
> I enabled file server auditing by setting Audit File System to Success under Computer Configuration | Policies | Windows Settings | Security Settings | Advanced Audit Configuration | Object Access.
>
> Behavior
>
> After enabling file system auditing, I noticed that the Security log started to log several events periodically. I've pasted some of the relevant details below. If the entire event entry is needed, please let me know.
>
> Event ID: 4656
> Security ID: SYSTEM
> Description: A handle to an object was requested
> Process Name: C:\Windows\CCM\CcmExec.exe
> Object Name: C:\Windows\servicing
> Frequency: 3 events every 10 minutes
>
> Event ID: 4656
> Security ID: SYSTEM
> Description: A handle to an object was requested
> Process Name: C:\Windows\System32\rundll32.exe
> Object Name: C:\Windows\WinSxS\FileMaps\<several subfolders>
>
> Event ID: 4663
> Security ID: SYSTEM
> Description: An attempt was made to access an object
> Process Name: C:\Windows\System32\rundll32.exe
> Object Name: C:\Windows\WinSxS\FileMaps\<several subfolders>
> Frequency: The above 2 events produce about 650 events within about 1 second. So far I have noticed it occurring in the early morning on 2 of the days since I've enabled this.
>
> Upon checking the C:\Windows\servicing and C:\Windows\WinSxS\FileMaps folders, I see that they have Auditing enabled by default.
>
> Goal
>
> I'd like to minimize the event logs produced since these events are not something that I am interested in auditing.
>
> Questions
>
> 1. Has anyone attempted to remove auditing from the Windows folders C:\Windows\servicing or C:\Windows\WinSxS\FileMaps?
>
> 2. Is there a cleaner way to not log these default audit defined folders (the auditing I will be doing will be on a separate data volume on the server and not on the C drive)? Or is the general approach to allow the events to be logged and then use the filter option (or a log management tool) to ignore these entries?
>
> Thanks!
>
> -Aakash Shah
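An added example, not part of this thread, showing how to inventory the default SACL entries behind these 4656/4663 events and then separate that default-folder noise from the hits the data-volume auditing is meant to catch before deciding whether to filter at the collector. It assumes D:\Shares as the audited data volume and is run from an elevated PowerShell session on the file server.

```powershell
# Added example (not from the thread). Assumptions: the audited data volume is
# D:\Shares; run elevated, since reading SACLs needs SeSecurityPrivilege.

$noisyFolders = 'C:\Windows\servicing', 'C:\Windows\WinSxS\FileMaps'
$dataVolume   = 'D:\Shares'   # assumption: the separate audited data volume

# 1. Show the audit (SACL) entries that generate the events. Windows sets these
#    itself; record them before considering any change to them.
foreach ($folder in $noisyFolders) {
    Write-Host "SACL on $folder"
    (Get-Acl -Path $folder -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
        Format-Table -AutoSize
}

# 2. Pull recent 4656/4663 events and classify each by its Object Name.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } `
                       -MaxEvents 5000 -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $obj = $data['ObjectName']
    $class = if ($noisyFolders | Where-Object { $obj -like "$_*" }) { 'WindowsDefault' }
             elseif ($obj -like "$dataVolume*")                      { 'DataVolume' }
             else                                                     { 'Other' }
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Id          = $e.Id
        Process     = $data['ProcessName']
        ObjectName  = $obj
        Class       = $class
    }
}

# 3. Volume by class and process: shows how much of the log is default-folder
#    noise and which entries are the ones actually worth reviewing.
$rows | Group-Object Class, Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Everything that is not Windows default-folder noise:
$rows | Where-Object Class -ne 'WindowsDefault' | Select-Object -First 20
```

The 'WindowsDefault' rows are the ones to suppress at the collector or SIEM; the SACL output from step 1 is what you would be giving up if you removed auditing from those folders instead.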
