On Dec 24, 2007 2:26 PM, Ziots, Edward <[EMAIL PROTECTED]> wrote:
> I agree, it's a balance, what matters the most, usually audit for the
> exception, not what has been allowed ...

The problem is that even "what is denied" is quite a lot. I gather that a lot of software (again, including Windows Explorer and MS Office) follows a paradigm of first trying to acquire full access, and when that gets denied by the OS, trying for more limited access. The result is a constant stream of Audit Failure events, as processes (running with user privilege) try for full access to various parts of the system, DLLs, EXEs, and so on.

-- Ben
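
The probe-then-fall-back pattern described in the message above can be separated from the failures that deserve review. This is an added example, not part of the original thread; the record fields, the sample events and the 2-second window are assumptions, and the records are constructed rather than taken from a real log.

```python
from collections import defaultdict

# Constructed sample records (not real log output). Field names are assumptions;
# map them from whatever your audit export provides.
EVENTS = [
    {"t": 10.00, "proc": "explorer.exe", "obj": r"C:\Windows\System32\shell32.dll",
     "access": {"READ", "WRITE", "DELETE", "WRITE_DAC"}, "ok": False},
    {"t": 10.02, "proc": "explorer.exe", "obj": r"C:\Windows\System32\shell32.dll",
     "access": {"READ"}, "ok": True},
    {"t": 11.50, "proc": "winword.exe", "obj": r"C:\Program Files\App\app.exe",
     "access": {"READ", "WRITE"}, "ok": False},
    {"t": 11.53, "proc": "winword.exe", "obj": r"C:\Program Files\App\app.exe",
     "access": {"READ"}, "ok": True},
    # Denied write with no narrower retry: not the fallback pattern.
    {"t": 12.00, "proc": "tool.exe", "obj": r"C:\Windows\System32\drivers\etc\hosts",
     "access": {"WRITE"}, "ok": False},
    # Narrower success arrives far too late to be the same open sequence.
    {"t": 20.00, "proc": "explorer.exe", "obj": r"C:\Windows\win.ini",
     "access": {"READ", "WRITE"}, "ok": False},
    {"t": 30.00, "proc": "explorer.exe", "obj": r"C:\Windows\win.ini",
     "access": {"READ"}, "ok": True},
]


def split_fallback_noise(events, window=2.0):
    """Split audit failures into (noise, review).

    A failure counts as fallback noise when the same process opens the same
    object successfully within `window` seconds, asking for a strict subset
    of the rights that were denied. Every other failure goes to review.
    """
    successes = defaultdict(list)
    for e in events:
        if e["ok"]:
            successes[(e["proc"], e["obj"])].append(e)

    noise, review = [], []
    for e in events:
        if e["ok"]:
            continue
        followed = any(
            0 <= s["t"] - e["t"] <= window and s["access"] < e["access"]
            for s in successes[(e["proc"], e["obj"])]
        )
        (noise if followed else review).append(e)
    return noise, review
```
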
