+1

If you turn up auditing to provide that level of detail, even a single workstation will generate tens of thousands of records per day.

Regards,

Michael B. Smith, MCITP:SA,EMA/MCSE/Exchange MVP
My blog: http://TheEssentialExchange.com/blogs/michael
I'll be at TEC'2009! http://www.tec2009.com/vegas/index.php

-----Original Message-----
From: Ben Scott [mailto:[email protected]]
Sent: Wednesday, January 07, 2009 5:15 PM
To: NT System Admin Issues
Subject: Re: Auditing Everything

On Wed, Jan 7, 2009 at 10:49 AM, Durf <[email protected]> wrote:
> Christ you all. It doesn't have to be this hard.

Yes, it does.

> For AD, just turn on appropriate auditing and use GFI EventSentry to gather
> and report on events.
>
> That's it, you're done.

What about logging all file I/O, as the OP requested?

In my experience, logging even Audit Failures for file I/O for a single workstation can generate thousands of Audit Failure records per day. That's because a lot of software tries to do various things that security policy won't allow. Ironically, anti-virus software is one of the biggest offenders on that workstation.

-- Ben

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
