
Auditing Folder Access in Windows


ewall

Newbie

Posts: 4

Joined: Wed Aug 15, 2007 11:26 am

Location: Online and Offline

Post Wed Aug 15, 2007 1:01 pm

Auditing Folder Access in Windows

Hey, folks... I've been lurking on EHN lately and am glad to post and interact some more now. Here's an interesting one that's been bugging me lately:

I've got a client who wants to audit users' attempts to access directories they shouldn't on Windows 2003 servers. Of course, he has enabled object access auditing for the specific directories, and the 560 "Failed" events start showing up in the Event Log.

The problem is, lots of unexpected failure events show up too--apparently Windows Explorer is doing "drive-by" peeks at the other folders nearby the one you're accessing?

Let me explain: If I'm auditing some of the folders under \\server\users, e.g. \\server\users\dontgohere, and I login and browse to \\server\users\myusername, then look in the Security Event Log, I will see at least 3 #560 "Failed" events saying that I just tried to read the folder \\server\users\dontgohere!

Presumably, this is because Windoze is looking at the folder properties. I assume I can't really do anything to prevent that?

So... my real question is: anyone know a way I can audit when people are really trying to access the folder, and avoid the false-alarms caused by the Windows Explorer drive-bys?

TIA--

boney

Jr. Member

Posts: 61

Joined: Mon Jan 15, 2007 8:46 am

Location: India

Post Wed Aug 15, 2007 1:52 pm

Re: Auditing Folder Access in Windows

Well, in Windows Server 2003, you don't have any option to see particular error/security logs.
C|EH

All my life I wanted a computer...
Now I want my life back !

ewall

Newbie

Posts: 4

Joined: Wed Aug 15, 2007 11:26 am

Location: Online and Offline

Post Wed Aug 15, 2007 2:46 pm

Re: Auditing Folder Access in Windows

Ah... wouldn't you know it, I think I may have found a trail to follow...

When Windoze Exploder gives the false alarms, it is only asking for a few permissions, namely "ReadData (or ListDirectory)" and sometimes "SYNCHRONIZE"--which works out to be Access Mask 0x1 or 0x100001.

So, if I filter out the 560 errors with those access masks, I get only the "real" alarms, in which actual attempts to browse that folder request much more access ("READ_CONTROL", "ReadEA", etc.... mask 0x120089, for example).

I may have answered my own question.
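
The mask filter described in the post above, as an added example that is not part of the original thread: it decodes each requested access mask into named rights and separates the two Explorer masks the post reports (0x1, 0x100001) from everything else, keeping the suppressed events for counting rather than discarding them. The event dictionaries, their field names and the user names are constructed for illustration; only event ID 560, the folder path and the mask values come from the thread.

```python
# Added example: triage failed 560 events by requested access mask.
# Standard Windows file/directory access-right bits (winnt.h values).
RIGHTS = {
    0x000001: "ReadData/ListDirectory", 0x000002: "WriteData/AddFile",
    0x000004: "AppendData/AddSubdirectory", 0x000008: "ReadEA",
    0x000010: "WriteEA", 0x000020: "Execute/Traverse",
    0x000040: "DeleteChild", 0x000080: "ReadAttributes",
    0x000100: "WriteAttributes", 0x010000: "DELETE",
    0x020000: "READ_CONTROL", 0x040000: "WRITE_DAC",
    0x080000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}

# Masks the thread attributes to Explorer peeking at neighbouring folders.
EXPLORER_PROBE_MASKS = {0x1, 0x100001}


def decode_mask(mask):
    """Return the named rights set in an access mask, plus any unknown bits."""
    names = [name for bit, name in sorted(RIGHTS.items()) if mask & bit]
    unknown = mask & ~sum(RIGHTS)
    if unknown:
        names.append("unknown(0x%x)" % unknown)
    return names


def triage(events):
    """Split failed 560 events into (alerts, suppressed) by access mask."""
    alerts, suppressed = [], []
    for ev in events:
        if ev["event_id"] != 560 or ev["type"] != "Failure":
            continue  # only failed object-open audits are of interest
        mask = int(ev["access_mask"], 16)
        row = dict(ev, rights=decode_mask(mask))
        (suppressed if mask in EXPLORER_PROBE_MASKS else alerts).append(row)
    return alerts, suppressed


# Constructed sample events (hypothetical field names, not real log data).
SAMPLE = [
    {"event_id": 560, "type": "Failure", "user": "alice",
     "object": r"\\server\users\dontgohere", "access_mask": "0x1"},
    {"event_id": 560, "type": "Failure", "user": "bob",
     "object": r"\\server\users\dontgohere", "access_mask": "0x100001"},
    {"event_id": 560, "type": "Failure", "user": "carol",
     "object": r"\\server\users\dontgohere", "access_mask": "0x120089"},
    {"event_id": 560, "type": "Success", "user": "dave",
     "object": r"\\server\users\dave", "access_mask": "0x120089"},
]
```

Reporting the size of the suppressed list per user alongside the alerts keeps the filtered volume visible instead of silently dropping it.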

boney

Jr. Member

Posts: 61

Joined: Mon Jan 15, 2007 8:46 am

Location: India

Post Wed Aug 15, 2007 5:17 pm

Re: Auditing Folder Access in Windows

It depends on the no. of logs, dude.
What if you have 2500 logs? :-\

morpheus063

Sr. Member

Posts: 393

Joined: Sun Jun 25, 2006 10:08 am

Location: Cochin - India

Post Wed Aug 15, 2007 5:19 pm

Re: Auditing Folder Access in Windows

You can use Microsoft LogParser for filtering out your Log files (remotely also). Enter the parameters and you can get the output in various formats.

Download Microsoft LogParser 2.2
http://www.microsoft.com/downloads/deta ... laylang=en

Microsoft Log Parser Toolkit [ILLUSTRATED]
http://www.amazon.com/Microsoft-Parser- ... 1932266526
Manu Zacharia
MVP (Enterprise Security), ISLA-2010 (ISC)², C|EH, C|HFI, CCNA, MCP,
Certified ISO 27001:2005 Lead Auditor

There are 3 roads to spoil; women, gambling & hacking. The most pleasant with women, the quickest with gambling, but the surest is hacking - c0c0n

ewall

Newbie

Posts: 4

Joined: Wed Aug 15, 2007 11:26 am

Location: Online and Offline

Post Wed Aug 15, 2007 9:48 pm

Re: Auditing Folder Access in Windows

Ah, yes, thanks guys... you're totally right. We/the client do have a lot of logs to monitor, but they have 3rd-party tools like Ecora to do the querying, and I may end up recommending others to do more real-time updates, too.

The MS Log Parser would definitely do the trick, though. I never seem to use that enough!

What90

Full Member

Posts: 120

Joined: Sat Jun 09, 2007 2:23 am

Location: Sydney, Australia

Post Thu Aug 16, 2007 7:28 am

Re: Auditing Folder Access in Windows

You may want to remove some of the more curious users' tendencies by hiding the folders they shouldn't be poking around in the first place.  :)


Have a look at this:

http://www.windowsnetworking.com/articl ... -2003.html
