
Thread: Auditing changes to Shared folders

  1. #1
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406

    Auditing changes to Shared folders

    I want to audit changes to network shared folders. I was going to apply the settings using policies, but I don't remember how to do it. I did read about it 2 months ago, and I have so much stuff on my PC that I can't remember the doc where I wrote it all. I looked in TechNet but I couldn't really find an answer (all said, enable file-sharing auditing, but there is no file share auditing).
    Does anyone have an idea?

  2. #2
    Super Moderator Super Moderator Big Booger's Avatar
    Join Date
    Apr 2002
    Location
    JAPAN
    Posts
    10,941
    http://www.microsoft.com/resources/d...le_folder.mspx

    Is that what you are wanting to do?

  3. #3
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406
    That seems to point, but I am not completely sure it is a good thing on a file server. We have easily 30 shared folders if not more. The event log will be full after a couple of days.
    I think in part it was that, and I have to enable something else from the Local security (or group policies) to enable auditing of objects. I am interested in seeing unauthorized access to a folder, and changes to permissions. I remember doing a test on a server for auditing, and I found I have to be very careful what I select, because the event log can become full quite fast (a full event log won't record more events).
    I am sure I have seen MS recommendations for different types of server, like for Domain Controllers, Application Servers, File Servers, with what was recommended for each.
    On a note: that should be quite an important article for anyone who has to manage an Active Directory environment. I was quite surprised it is difficult to find.

  4. #4
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    First you need to enable auditing of object access -->Whichever Top Level Policy-->Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policy-->Audit Object Access - you can enable success and failure.
    Now a quick secedit /refreshpolicy machine_policy (or gpupdate).
    Finally go to your folder, right-click it, choose Properties, Security, Advanced, Auditing tab, click Add - fill your boots.

  5. #5
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406
    Wasn't completely sure if it was Audit Object. Thanks, Curio. I have a little problem with the rest of the department at work, where they change the access to shared folders so they can stop a support call, but change the access to EVERYONE FULL ACCESS. I spent 2 days arranging the mess of access to those folders back in June, and they are a mess again. I want at least to be able to point fingers in a report, and see if that changes anything.

  6. #6
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    You can always deny them the right to change access permissions. I'm sure you are aware that object access should be granted to a local group set up for that purpose and users allowed access to it via membership of a global group for a user type. It sounds complicated but once it is set up it really does simplify administration, you just add an accountant to the accountants global group which is a member of the accounts local group and hey presto he gets access to everything the accountants need access to.

  7. #7
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406
    The problem is that the people changing access are from my same department, and they all have accounts with Domain Admin rights.
    What I want is to scold people for changing permissions thinking just of the quick solution of problems. I am trying to make the network more secure, but it is like a never-ending job here, and the main problem is inside my department itself. I think that as long as I can pinpoint the people changing the rights (I already know who they are) I can go and say..."I am watching you. I did not get notification of this change. Next time please let me know, or I will have to disable the admin account"
    In order to avoid these problems I got rid of the Domain Administrators "Administrator" account. I lock the password in the fire safe, and nobody has the password. The fire safe is in another building, so ever since then, it got a bit easier to manage.
    I have also seen misuse of accounts, where some users give themselves local admin rights.
    Curio, do you work as a Net admin?

  8. #8
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    I do network administration, set up, security as well as builds, repairs and all the other stuff. I am an independent technician and work between many sites, usually for small to medium sized businesses but also occasionally for home users.
    You want to audit 'Change Permissions' on the folder in question but if your other admins know that you are doing it and they have equal access rights they could easily disable it. If there is company policy about access permissions (usually ntk) you should inform them of this and audit 'Change Permissions' on the folders to catch the culprit/s.
    Don't audit too many things or your server will grind to a halt.

  9. #9
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406
    I know it causes more load on the server, that is why I am making sure what exactly I need to enable, and not just enable for enable. I am the only administrator. Other people have domain admin rights, but they are programmers. If something goes wrong, I will be the one blamed, and I am in charge of the servers. The main problem is that everyone is spoiled from the time there was no Net Admin (9 months) and from the NT time (NT was a lot easier to administer, but because it lacks so many features from AD). I have so many things that I would like to get done since the switch to 2003 (6 months) and so little time. I think I am spending most of my time lately just trying to fix everything again, and it gets like a never-ending cycle. I have programmers all the time logging physically on the server directly, opening programs and just leaving the servers logged on with program and everything. Just trying to avoid having any more problems with the servers, and manage them the best possible.

  10. #10
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406
    I enabled Object access (it was already enabled) and I set the auditing for Domain users (so any authenticated user) and Change permissions. But I did a test and it is not recording. Is there something wrong??

  11. #11
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    If you check RSOP, does it show that the policy is effective or not?
    http://support.microsoft.com/default...b;en-us;323276
    and - is any auditing working?

  12. #12
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406
    Sorry it took me a while to answer.
    The server is a Dell Server, with Windows 2000, but it is a weird version. It looks like a stripped down version of 2000 Advanced Server. At this very moment, I am hating Dell for what they did. I can't install Veritas because it requires a higher license, I can't do Resultant Set of Policies from my computer because it requires Windows 2000 and up (wait, didn't I say it is Windows 2000?)
    Locally I can run RSoP because it is not there. I really hate that server.
    Complaints aside. It does object auditing.
    In the security log I can see events like 562/564 for object access.
    It is also auditing every logon/logoff so I have lots of entries (it is a file/printer server), but I haven't had an entry since 2/17.......
    (give me a minute....) OK
    I cleared the log, and now messages are entering.
    Silly me. Anyhow, the messages that appear when I do an access change are 560 and 562, but they aren't very useful since they are coded in all that jumbo mambo numbers and IDs. It could take me days to read it. Plus it creates a message per file modified. I want to easily view if anybody has changed permissions to the folders, who, when, and which permissions changed. This doesn't seem so useful since not only would it take me a while to figure it out, but also it seems to generate a lot of data having object access enabled, and it quickly fills up the event log.

  13. #13
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    560 has the user in it, doesn't it? If the permissions to the folder are changed there will be a load of entries with WRITE_DAC, one for each file in the folder. But yes, it is very time consuming.
    I'm using Windows 7 - you got a problem with that?

  14. #14
    Succeded in braking Windo TZ Veteran Dehcbad25's Avatar
    Join Date
    Apr 2002
    Location
    DE - USA
    Posts
    2,406
    Curio, I am back into this (again)
    First, the Windows version is Windows 2000 Terminal (finally found it)
    I did see the entry 560 (all object access are 560) and I saw too the WRITE_DAC, but it doesn't really give me information.
    I could easily see it, because I cleared the log just before changing a permission for test (and it is Sunday, so there is almost no activity at the server), but if I need to search for a change there is no way I can tell about it. Is there an easier way to audit the permission changes? Maybe with a third-party program even?

  15. #15
    Triple Platinum Member Curio's Avatar
    Join Date
    Nov 2004
    Location
    London
    Posts
    899
    After someone changes the permissions then there will be a flurry of activity and every file in the folder will have the dac re-written. On a busy folder then it's hard to filter out loads of accesses because so many events are recorded. I'm not sure if auditing privilege use might also catch it - does changing folder permissions come under privilege use? It would certainly generate fewer log entries. Your situation where other people have the same rights as you makes it more difficult.

    Maybe you should think like a hacker here and combine tools, you could set a script which runs cacls.exe against a file in the folder every minute and writes the output to another file. Then looking through the file should tell you in which minute the change was made. Cross reference that to the event log and you will only need to search a small timeframe for accesses. Worth a try.

    You should only be auditing 'Change Permissions' for 'success' and maybe even on only one special file which no one would access in the folder to limit the number of event log entries.
    I'm using Windows 7 - you got a problem with that?
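
The approach suggested in post #15 (periodic cacls snapshots to find the minute of a permission change, then cross-referencing event 560 entries that carry WRITE_DAC), sketched as an added example that is not part of the thread. The path, account names, timestamps and the simplified event records (dicts rather than raw Security log entries) are constructed assumptions.

```python
from datetime import datetime

def parse_cacls(text, path):
    """ACE strings ('account:flags') from cacls output for one path."""
    aces = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(path):        # first line carries the path prefix
            line = line[len(path):].strip()
        if line:
            aces.add(line)
    return aces

def acl_changes(snapshots, path):
    """(prev_time, time, added, removed) for each consecutive pair that differs."""
    changes, prev_t, prev = [], None, None
    for t, text in sorted(snapshots):
        cur = parse_cacls(text, path)
        if prev is not None and cur != prev:
            changes.append((prev_t, t, cur - prev, prev - cur))
        prev_t, prev = t, cur
    return changes

def suspects(changes, events, path):
    """Event 560 records with WRITE_DAC on the path inside a change window."""
    hits = []
    for start, end, added, removed in changes:
        for e in events:
            if (e["id"] == 560 and "WRITE_DAC" in e["accesses"]
                    and e["object"].lower().startswith(path.lower())
                    and start <= e["time"] <= end):
                hits.append((e["time"], e["user"], sorted(added), sorted(removed)))
    return hits

# Constructed sample data: path, accounts, times and events are all made up.
PATH = r"D:\Shares\Accounts"
PAD = " " * (len(PATH) + 1)
BASE = PATH + " BUILTIN\\Administrators:(OI)(CI)F\n" + PAD + "CORP\\Accountants:(OI)(CI)C\n"
SNAPSHOTS = [(datetime(2005, 3, 6, 14, 1), BASE),
             (datetime(2005, 3, 6, 14, 2), BASE),
             (datetime(2005, 3, 6, 14, 3), BASE + PAD + "Everyone:(OI)(CI)F\n")]
EVENTS = [
    {"time": datetime(2005, 3, 6, 9, 15, 2), "id": 560, "user": "CORP\\admin2",
     "object": PATH, "accesses": ["READ_CONTROL", "WRITE_DAC"]},
    {"time": datetime(2005, 3, 6, 14, 2, 41), "id": 560, "user": "CORP\\admin1",
     "object": PATH, "accesses": ["READ_CONTROL", "WRITE_DAC"]},
]

if __name__ == "__main__":
    print(suspects(acl_changes(SNAPSHOTS, PATH), EVENTS, PATH))
```

Writing the snapshots to a location the other administrators cannot modify keeps the record useful even when they hold the same rights on the file server.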
