I've got a client who wants to audit users' attempts to access directories they shouldn't on Windows 2003 servers. Of course, he has enabled auditing object access for the specific directories, and the 560 "Failed" events start showing up in the Event Log.
The problem is, lots of unexpected failure events show up too--apparently Windows Explorer is doing "drive-by" peeks at the other folders near the one you're accessing?
Let me explain: If I'm auditing some of the folders under \\server\users, e.g. \\server\users\dontgohere, and I log in and browse to \\server\users\myusername, then look in the Security Event Log, I will see at least 3 #560 "Failed" events saying that I just tried to read the folder \\server\users\dontgohere!
Presumably, this is because Windoze is looking at the folder properties. I assume I can't really do anything to prevent that?
So... my real question is: does anyone know a way I can audit when people are really trying to access the folder, and avoid the false alarms caused by the Windows Explorer drive-bys?