First you have to find the marble in the oatmeal.

On Wed, Sep 21, 2011 at 9:52 AM, David Lum <[email protected]> wrote:
> Thanks. I seem to remember trying to enable this kind of auditing and it
> was like drinking from a fire hose...
>
> Dave
>
> -----Original Message-----
> From: Ben Scott [mailto:[email protected]]
> Sent: Tuesday, September 20, 2011 11:01 PM
> To: NT System Admin Issues
> Subject: Re: NTFS permissions
>
> On Tue, Sep 20, 2011 at 1:10 PM, David Lum <[email protected]> wrote:
> > I can turn on logging to capture ACL changes can't I?
>
> You would need to enable "File access" auditing in Audit Policy (under
> Security Policy in GPO-land).
>
> You would then need to create SACLs (Security ACLs, used for auditing
> (permissions are DACLs)) on the objects in question (files/folders),
> auditing Success for WRITE_DAC.
>
> That's the theory, anyway. In practice, NT generates all kinds of audit
> events for permissions that were simply requested but never used, and it
> turns out that lots of things (including Windows Explorer) request
> everything for everything they do.
>
> Microsoft eventually introduced some separate event IDs for actually
> *using* the thing being audited. I don't remember if that had shown up by
> 2003 or not. And without subcategory audit policies (I'm pretty sure those
> are not in 2003) you still get a ton of useless audit events to slow down
> the system and fill up the log.
>
> -- Ben
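The SACL step Ben describes, as an added PowerShell example that is not part of the original thread: it audits Success for WRITE_DAC only, which `FileSystemRights` calls `ChangePermissions`, so the log is not flooded by every other access right. The folder path and principal are placeholders, and the event ID filter at the end assumes Windows Vista/Server 2008 or later.

```powershell
# Added example. $Path and $Principal are hypothetical placeholders.
param(
    [string]$Path      = 'D:\Shares\Finance',
    [string]$Principal = 'Everyone'
)

# Prerequisite from the thread: object access auditing must be enabled in
# Audit Policy, or the SACL below produces no events. Where subcategory
# policies exist (Vista/2008 and later), this limits it to the file system:
#   auditpol /set /subcategory:"File System" /success:enable

$ns = 'System.Security.AccessControl'

# ChangePermissions is the .NET name for WRITE_DAC (0x40000).
$rights    = [Enum]::Parse("$ns.FileSystemRights", 'ChangePermissions')
$inherit   = [Enum]::Parse("$ns.InheritanceFlags", 'ContainerInherit, ObjectInherit')
$propagate = [Enum]::Parse("$ns.PropagationFlags", 'None')
$flags     = [Enum]::Parse("$ns.AuditFlags", 'Success')

$rule = New-Object "$ns.FileSystemAuditRule" `
    -ArgumentList $Principal, $rights, $inherit, $propagate, $flags

# -Audit is required to read the SACL; it needs an elevated session
# holding SeSecurityPrivilege ("Manage auditing and security log").
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm what is now audited.
(Get-Acl -Path $Path -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# On Vista/2008 and later, event 4670 ("Permissions on an object were
# changed") records an actual DACL change rather than a mere request.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Path*" } |
    Select-Object TimeCreated, Id, Message
```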
