Auditing ?

G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

All,

I am configuring an audit policy for my network. Security is pretty tight
here and they are requreing me to audit the entire C: drive for object
access. I am currently auditing the user group 'Authenticated Users' for
Success/Failure on the following:

Create Files / Write Data
Create Folders / Append Data
Delete

Now this works as expected, but its also producing object access events with
the username of 'System'.

I do NOT want to audit system events. Is the system part of the
authenticated users group, and if so , what group should i be auditing (on my
domain).

I have disable the GPO object to audit system events. Computer
Configurations | Windows Settings | Security Settings | Local Policies |
Audit Policy | Audit System Events is set to "No Auditing". I am doing this
a the domain root and im only a single domain. No connection to any other
domains at all. But im still getting events for object access by the 'system'
account. This is obviusly filling up my security logs rather quickly, and I
dont care what the system is doing.

Anyone know what im doing wrong on this ? How do i get rid of the object
access from the system?

TIA

Drum on .. ... . . .
 
G

Guest

Guest
Archived from groups: microsoft.public.win2000.security (More info?)

Authenticated Users contains all accounts, of people and machines, that
use an authentication method to establish a logged on session.
System is the local name for the machine's account.
You should determine what it is you are being asked to audit,
If it is all access, then you should use Everyone.
If it is all access by our people, then you could consider Domain Users
and Administrators (which will exclude local accounts and machines).

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"Drumgod" <Drumgod@discussions.microsoft.com> wrote in message
news:E42DFDBA-DFB2-4CDD-B558-154BDF131499@microsoft.com...
> All,
>
> I am configuring an audit policy for my network. Security is pretty tight
> here and they are requreing me to audit the entire C: drive for object
> access. I am currently auditing the user group 'Authenticated Users' for
> Success/Failure on the following:
>
> Create Files / Write Data
> Create Folders / Append Data
> Delete
>
> Now this works as expected, but its also producing object access events
with
> the username of 'System'.
>
> I do NOT want to audit system events. Is the system part of the
> authenticated users group, and if so , what group should i be auditing (on
my
> domain).
>
> I have disable the GPO object to audit system events. Computer
> Configurations | Windows Settings | Security Settings | Local Policies |
> Audit Policy | Audit System Events is set to "No Auditing". I am doing
this
> a the domain root and im only a single domain. No connection to any other
> domains at all. But im still getting events for object access by the
'system'
> account. This is obviusly filling up my security logs rather quickly, and
I
> dont care what the system is doing.
>
> Anyone know what im doing wrong on this ? How do i get rid of the object
> access from the system?
>
> TIA
>
> Drum on .. ... . . .