Server 2003: Auditing File Access

I am looking for a way with server 2003 to audit access by a particular user to all files they have opened while they were at work. I know this is done with Group Policy but the details of how this would be setup elude me.

Could anyone either explain in detail how this might work or point me to reference material that would show me how?

Any help is greatly appreciated, thanks!

Hmm, nobody at all? Was it something I said? :dubious:

Ah well…so much for the $15 per month here.

eh…per year

I’ll take outright guesses at this point…

What about this page…

http://searchwindowssecurity.techtarget.com/tip/1,289483,sid45_gci1033853,00.html

I don’t know about WS 2003, but in NT, I’m not sure you can limit auditing to a particular user. What you can do is audit particular events (e.g. logon, logoff, file open) and then filter on the user. BTW it’s often important to log failures as well as successes.

I take it you think he’s playing Captain Hacker?

You can audit access by particular user/users/groups to any object (file, folder, printer, registry key, etc) in Server 2003.

Go to Administrative Tools–>Local Security Policy–>Local Policies–>Audit Object Access, and check “Success” and “Failure”. This will turn on auditing for any object with a SACL (System Access Control List) defined.

So, how do you define a SACL for a file? Simple…just right click on a file (or folder, or whatever) and go to Properties–>Security–>Advanced–>Auditing. Then click “Add”, then “Advanced”, then “Find Now”, and choose the User(s) or Group(s) to which you want to apply this SACL. Click OK.

Then you’ll get a list of all of the auditing events you can enable. These include “Execute File”, “Delete”, “Read Attributes”, “Create Files / Write Data”, and others. Selecting “Full Control” enables them all. For each attribute you can audit either success or failure.

After you’ve enabled these things, the audit logs show up in Event Viewer under the “Security” section. Sometimes there’s a delay before it shows up in the log, even if you refresh it.

You’ll want to play with this a little bit, because it isn’t always clear from the logs exactly what’s going on. Turn on auditing for yourself first, and then watch your own logs to make sure you understand how it works.

Auditing attributes can be inherited from parent objects if you choose, and I believe domain settings override local settings.
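The same setup as the GUI steps above, scripted in PowerShell as an added example (not from this thread). It assumes PowerShell is installed on the Server 2003 box, that “Audit object access” is already enabled in Local Security Policy as described, and uses constructed placeholders for the folder (D:\Shared) and the account (CONTOSO\jdoe).

```powershell
param(
    [string]$Path     = 'D:\Shared',      # constructed placeholder folder
    [string]$Identity = 'CONTOSO\jdoe'    # constructed placeholder account
)

# --- Step 1: define the SACL entry (Properties > Security > Advanced > Auditing) ---
# Rights to watch, equivalent to ticking those boxes in the auditing dialog.
$rights    = [System.Security.AccessControl.FileSystemRights] 'ReadData, WriteData, Delete, ExecuteFile'
# Let the entry inherit to subfolders and files, like the GUI's "apply to this folder, subfolders and files".
$inherit   = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
# Audit both outcomes; failures are the interesting ones for spotting probing.
$flags     = [System.Security.AccessControl.AuditFlags] 'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList $Identity, $rights, $inherit, $propagate, $flags

# -Audit makes Get-Acl return the SACL; without it only the DACL is read.
# Writing a SACL needs SeSecurityPrivilege, so run this from an elevated admin session.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check: list the audit entries now present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited |
    Format-Table -AutoSize

# --- Step 2: pull the resulting entries from the Security log ---
# On Server 2003 the object-access events are ID 560 (Object Open) and 567 (Object Access Attempt).
# -Newest keeps the query bounded; the Security log can be large.
$user = $Identity.Split('\')[-1]
Get-EventLog -LogName Security -Newest 5000 |
    Where-Object {
        ($_.EventID -eq 560 -or $_.EventID -eq 567) -and
        $_.Message -match [regex]::Escape($user)
    } |
    Select-Object TimeGenerated, EventID, EntryType,
        @{ n = 'Summary'; e = { (($_.Message -split "`n")[0..6] -join ' ') } } |
    Format-Table -AutoSize -Wrap
```

As the poster notes, entries can lag behind the actual access, so rerun the log query after a minute if nothing shows up.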