Object Access File System Failure Not Generating Audit Failures


  • Tuesday, 9 August 2011 19:06

    This should be simple, right? Configure auditing on the file system and set the audit policies to audit object access. It did get a little more complicated in Windows Server 2008, but it seems straightforward enough.

    Here are my settings

    File Auditing
    Failure Everyone Full Control This folder, subfolders and files

    Object Access
    File System                             Success and Failure

    Global Object Access Auditing : File
    All Everyone Change permissions, Take ownership
    Failure Everyone Full Control  

    Local Policies/Audit Policy
    Audit object access Success, Failure

    Is there anything else I should be looking at?

    Thanks,
    Joe


    Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator In Progress: MCITP: Enterprise Administrator

All replies

  • Thursday, 11 August 2011 09:44
    Moderator
    Answered

    Hi Joe,

    Before we go further, I would like to confirm whether any user who has no permission to access the audited folder has actually tried to access it. If not, it is expected that there is no failure event.

    Meanwhile, if you would like to audit specific folders, you do not need to enable Global Object Access Auditing, as it will create System Access Control Lists (SACLs) for the entire computer, for both the file system and the registry.

    Enabling file or folder auditing is a 2-step process:

    1. Configure "Audit object access" in AD Group Policy or in the server's local GPO. This setting is located under Computer Configuration-->Windows Settings-->Security Settings-->Local Policies-->Audit Policies. Enable success/failure auditing for "Audit object access."

    2. Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder-->Properties-->Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what actions you wish to audit. Auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file.

    Hope this helps.

    Regards,

    Bruce

  • Thursday, 11 August 2011 13:52

    Confirmed. I had another administrator deny access to my account to a specific file, and when I tried to open it, I got an access denied message.

    I've configured the settings described in #1 & #2; that's why I'm confused, because it doesn't seem to be working.

    I would like to use Global Object Access Auditing at some point, it should keep things a lot simpler. 

    Some screen captures: [images not included in this copy]
    Joseph M. Durnal MCM: Exchange 2010 MCITP: Enterprise Messaging Administrator, Exchange 2010 MCITP: Enterprise Messaging Administrator, MCITP: Enterprise Administrator
    • Edited by Joseph M Durnal Thursday, 11 August 2011 14:14 images update
  • Monday, 15 August 2011 16:40

    Can you find any failure event with the filter off? Or change the keyword to Failure for a test.


  • Tuesday, 16 August 2011 10:30
    Moderator
    Answered

    Hi,

    I used the steps from my first reply in this thread to test the Audit Object Access policy in a Windows Server 2008 R2 lab. It worked fine. The Event ID is 4656.

    At this point, please make sure to check the Event Viewer on the local computer where the test2.txt file resides. Then, filter using the event ID 4656.

    Regards,

    Bruce
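    The two steps from Bruce's first reply and the 4656 check from this one, written out as an added PowerShell example for an elevated session on the file server that hosts the folder. This is not code from the thread; $Path, the 30-minute lookback window and the ObjectName field position are assumptions for illustration. Step 1 sets the Object Access > File System subcategory with auditpol instead of only the legacy "Audit object access" category, since on Server 2008 R2 the subcategory settings govern; step 2 writes the same Failure / Everyone / Full Control entry on the folder SACL that the question's GUI screenshot describes; the final query pulls 4656 events that carry the Audit Failure keyword, which is the "change the keyword to Failure" test suggested in the interim reply.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# file server. $Path is a hypothetical folder; substitute your own.
$Path = 'D:\Shares\Finance'

# Step 1: enable the Object Access > File System subcategory for both
# success and failure. On 2008 R2+ the subcategory setting is what LSA
# enforces, so set it directly rather than only the legacy category.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: add a Failure audit entry for Everyone / Full Control, inherited by
# subfolders and files (the same entry as the GUI "This folder, subfolders
# and files" scope). Get-Acl -Audit needs SeSecurityPrivilege, hence elevated.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
    -ArgumentList 'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Confirm the SACL entry actually landed on the folder.
(Get-Acl -Path $Path -Audit).Audit |
  Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Verification: after a denied user tries to open a file under $Path, look for
# event 4656 ("A handle to an object was requested") on this server with the
# Audit Failure keyword (0x10000000000000). Property index 6 of a 4656 event
# is ObjectName, index 1 is SubjectUserName (assumed field order for 4656).
$since = (Get-Date).AddMinutes(-30)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4656
    Keywords  = 0x10000000000000
    StartTime = $since
} -ErrorAction SilentlyContinue |
  Where-Object { $_.Properties[6].Value -like "$Path*" } |
  Select-Object TimeCreated,
      @{ n = 'User';   e = { $_.Properties[1].Value } },
      @{ n = 'Object'; e = { $_.Properties[6].Value } }
```

    If the SACL entry shows up but the query returns nothing after a confirmed access-denied attempt, compare the output of auditpol /get /category:"Object Access" with what the domain GPO sets: a local auditpol change is overwritten at the next Group Policy refresh, which is the behaviour a later post in this thread reports.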


  • Friday, 7 December 2012 12:07
    Hi Joseph, I have the same issue. Did you get a working solution?
  • Friday, 8 March 2013 18:05
    Same issue here too. :/
  • Saturday, 23 March 2013 18:21
    Proposed answer

    I'm having the same problem. I've enabled failed object access settings in the advanced security policy for File System, File Share and Detailed File Share (along with many others). The user attempting to access the share does get blocked, but there is no audit record for it. If I create a local policy for failed object access for the file system, it works, but stops working after the next Group Policy refresh. I have disabled the setting that forces no override ("Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings"). I believe this setting should allow a local policy to survive a refresh, but I may be mistaken.

    I have also enabled failure auditing on the entire drive for "everyone"

    I am at a loss here since I'm not getting the audit I need to have for compliance reporting.  I guess I'm going to make a support call to Microsoft.  This should work and it does not.



    Update:  Well it seems I might have it working but I'm not sure why.  Under the advanced security, under "Object Access" I also had to enable "Handle Manipulation" audit with the "failure" box checked.  I'm going to keep watch on it to see if it keeps working, and doesn't introduce any errant behavior.
    • Edited by Protholl Saturday, 23 March 2013 19:43 Might have found something
    • Proposed as answer by Protholl Tuesday, 26 March 2013 00:22
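
    An added diagnostic example (not from the thread) for the situation Protholl describes, where failure auditing works after a local policy change and then stops at the next Group Policy refresh. It reads the subcategory settings LSA is actually enforcing, the SCENoApplyLegacyAuditPolicy registry value behind "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", and the GPOs applied to the computer; it then enables failure auditing on both subcategories the post found necessary (File System and Handle Manipulation), forces a refresh, and re-reads the settings to see whether they survived. Run it elevated on the file server.

```powershell
# Added diagnostic (not part of the thread). Run elevated on the file server.

# 1. What LSA is actually enforcing for every Object Access subcategory.
#    This, not the GUI, is the source of truth for whether failures are logged.
auditpol /get /category:"Object Access"

# 2. The registry value behind "Audit: Force audit policy subcategory settings
#    (Windows Vista or later) to override audit policy category settings".
#    1 = subcategory settings win; 0 or absent = legacy category settings apply.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
"SCENoApplyLegacyAuditPolicy = $($lsa.SCENoApplyLegacyAuditPolicy)"

# 3. Which GPOs apply to this computer. Any of them that carries an advanced
#    audit policy (audit.csv under Machine\Microsoft\Windows NT\Audit in the
#    GPO's folder in SYSVOL) rewrites the local auditpol settings on refresh,
#    so a manual auditpol change only survives if the GPO agrees with it.
gpresult /scope:computer /r

# 4. Enable failure auditing on the two subcategories the post found to be
#    needed, force a refresh, and confirm the settings are still in place.
auditpol /set /subcategory:"File System" /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /failure:enable
gpupdate /target:computer /force
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Handle Manipulation"
```

    If step 4's final output shows the subcategories back to "No Auditing" after gpupdate, the fix belongs in the GPO (Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration), not in local auditpol, because the domain policy will keep reasserting itself at every refresh.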