I agree, it's a balance, what matters the most. Usually audit for the exception, not what has been allowed (file access (Success), etc.).
Unless it's sensitive data that needs all file and folder access logged, then that might be the only case that makes sense; other than that it doesn't.

Z

-----Original Message-----
From: Ben Scott [mailto:[EMAIL PROTECTED]
Sent: Monday, December 24, 2007 2:11 PM
To: NT System Admin Issues
Subject: Re: Real world security (was RE: Audit recommendation)

On Dec 24, 2007 2:00 PM, kenw <[EMAIL PROTECTED]> wrote:
> It does us no good to have an OS that is, in theory, capable of being
> completely secure, if the administration requirements to keep it that
> way are impractical.

Indeed. Real world example: On one of our high-security systems, they tried to give us a requirement to basically log the Security "Audit Failure" events for every file access. That sounds good in theory -- "Let's see when users are trying to access things they don't have access to". Then you discover that a lot of software (including Windows Explorer, MS Office, the AV software, etc.) triggers audit failures constantly as part of its normal operations. The security log thus would contain thousands and thousands of failure events for every day. How does that help security?

-- Ben

~ Upgrade to Next Generation Antispam/Antivirus with Ninja! ~
~ <http://www.sunbelt-software.com/SunbeltMessagingNinja.cfm> ~
