Also, Randy Franklin Smith's Security Blog has a lot of information on
what should and shouldn't be audited in Windows 2008/R2, the reasoning,
and how to do it. It was what I utilized along with the Windows 2008
Security Resource Kit for Auditing documentation. 

 

The links I utilized are below. I am happy to forward a copy of the
document I came up with to help others with their documentation; just
email me offline and I will send you a copy if you wish. 

 

Advanced Security Policy Settings:

http://technet.microsoft.com/en-us/library/dd772712(WS.10).aspx

Auditpol Command Reference:

http://technet.microsoft.com/en-us/library/cc731451(WS.10).aspx

Ultimate Windows Security Event Log Event IDs (Randy Franklin Smith's
Site) (Highly Recommended)

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx

Auditing and Compliance in Windows Server 2008

http://technet.microsoft.com/en-us/magazine/2008.03.auditing.aspx

 

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Security Engineer

Lifespan Organization

Email:[email protected]

Cell:401-639-3505

 

 

From: Rankin, James R [mailto:[email protected]] 
Sent: Thursday, June 09, 2011 4:43 PM
To: NT System Admin Issues
Subject: Re: Object auditing event overload

 

I did, got it sorted with the follow-up mails I posted

Typed frustratingly slowly on my BlackBerry(r) wireless device

________________________________

From: Miller Bonnie L. <[email protected]> 

Date: Thu, 9 Jun 2011 12:15:24 -0700

To: NT System Admin Issues<[email protected]>

ReplyTo: "NT System Admin Issues"
<[email protected]>

Subject: RE: Object auditing event overload

 

Do you have success logging turned on for the firewall? (Control panel,
admin, Windows firewall..., properties of the top node...)

 

________________________________

From: James Rankin [[email protected]]
Sent: Wednesday, June 08, 2011 1:44 AM
To: NT System Admin Issues
Subject: Object auditing event overload

Anyone have any idea why, when I turn on "audit object access" on my
Windows 2008 R2 servers, my security logs get swamped with event id 5156
"the Windows Filtering Platform has permitted a connection"? I found a
reference to turning off audit subcategories by using this command -
auditpol /set /subcategory:"Filtering Platform Connection" /success:
disable /failure: disable - but that only works for plain 2008, not 2008
R2. Anyone know how to get around this, or what command I could use to
disable it?


TIA,




JRR

-- 
"On two occasions...I have been asked, 'Pray, Mr Babbage, if you put
into the machine wrong figures, will the right answers come out?' I am
not able rightly to apprehend the kind of confusion of ideas that could
provoke such a question."

IMPORTANT: The information in this email is CONFIDENTIAL. If its
contents are disclosed in any way my lawyers will swoop down from black
helicopters like Seal Team Six and drag you away with a black bag over
your head. They will then take you to a secret prison and make you fight
to the death with other people who dared to share this email. You will
be given a large bowie knife and a supply of methamphetamines while I
watch the said deathmatch and wager vast sums of money on who will be
the winner. If the fight becomes boring or there is a stalemate, I will
release rabid dogs and my two-stone cat into the arena to liven things
up a bit. If these animals become in any way docile, I will squirt them
with water pistols until they become a bit more temperamental.
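As an added example (not code from anyone in this thread), the check below parses the CSV that `auditpol /get /category:"Object Access" /r` prints, flags the Windows Filtering Platform subcategories whose success auditing is on (the source of the event 5156 flood), and builds the auditpol commands that turn off success auditing only, keeping failure auditing for blocked connections. It goes slightly beyond the thread by also watching "Filtering Platform Packet Drop"; the sample output, machine name and GUIDs are constructed placeholders.

```python
import csv
import io

# Constructed sample of `auditpol /get /category:"Object Access" /r` output.
# Machine name and subcategory GUIDs are placeholders, not real values.
SAMPLE_AUDITPOL_CSV = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
SRV01,System,File System,{PLACEHOLDER-GUID-1},Success and Failure,
SRV01,System,Registry,{PLACEHOLDER-GUID-2},No Auditing,
SRV01,System,Filtering Platform Connection,{PLACEHOLDER-GUID-3},Success and Failure,
SRV01,System,Filtering Platform Packet Drop,{PLACEHOLDER-GUID-4},Failure,
"""

# Subcategories whose *success* auditing swamps the Security log on a busy
# server. "Filtering Platform Connection" is the one that produces 5156;
# "Filtering Platform Packet Drop" is added here as a similarly noisy one.
NOISY_SUBCATEGORIES = {
    "Filtering Platform Connection",
    "Filtering Platform Packet Drop",
}


def parse_auditpol_csv(text):
    """Return {subcategory: (success_on, failure_on)} from auditpol /r output."""
    settings = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Inclusion Setting is one of: "No Auditing", "Success",
        # "Failure", "Success and Failure".
        inclusion = (row.get("Inclusion Setting") or "").strip()
        success_on = "Success" in inclusion
        failure_on = "Failure" in inclusion
        settings[row["Subcategory"].strip()] = (success_on, failure_on)
    return settings


def noisy_success_enabled(settings):
    """Watched subcategories that currently audit successful events."""
    return sorted(name for name, (success_on, _) in settings.items()
                  if name in NOISY_SUBCATEGORIES and success_on)


def disable_success_commands(names):
    """auditpol commands that switch off success auditing only, so that
    failure events (blocked connections) keep being recorded."""
    return ['auditpol /set /subcategory:"%s" /success:disable' % n
            for n in names]


if __name__ == "__main__":
    current = parse_auditpol_csv(SAMPLE_AUDITPOL_CSV)
    for cmd in disable_success_commands(noisy_success_enabled(current)):
        print(cmd)
```

One caveat worth checking before running the commands: if Group Policy still applies the legacy category-level "Audit object access" setting, it will reset these subcategories at the next policy refresh unless the "Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" option is enabled in the same policy.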

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to [email protected]
with the body: unsubscribe ntsysadmin
