Wednesday, November 25, 2009

How to log unauthorized access (Read / Write / List / Delete / Change permissions) to an object (File / Folder / Subfolder etc.)


It is very unfortunate that most people don't know that, by default, Windows logs only application events. Auditing provides a way for an administrator to detect an attack that has already occurred or is in progress. In addition, auditing can help a developer sort out security-related problems.

This video is about auditing a specified object (file / folder / subfolder) for events such as List, Read, Write, Delete and Change permissions on that object.

By default, auditing of Object Access events on Windows is disabled.

To enable auditing for "Object Access":

Go to START, RUN and type "gpedit.msc".

In the left-hand pane, navigate to Local Computer Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.

Double-click "Audit Object Access" in the right-hand pane.

Select both the "Success" and "Failure" boxes and click "OK".

Note: To log only successful object access attempts, select only the "Success" box; to log only failed access attempts, select only the "Failure" box.

Be warned: this policy can really flood your server if you enable it on too many objects.

When you enable the Audit object access events policy on a given computer, Windows doesn't immediately begin auditing all access events for all objects, because the system would immediately grind to a halt.

Enabling object access auditing is a two-step process:


  1. Enable the Audit object access events policy on the system that contains the objects you want to monitor.
  2. Select specific objects and define the types of access you want to monitor.

In this video we use the file cycops.txt as the object whose access is audited.

To enable "Object Access" auditing for the object, right-click the object, go to the Security tab, select Advanced in the bottom right-hand corner, and click the Auditing tab.

Click the Add button and select the users you plan to audit the object for. It is preferable to select Everyone, so that an event is triggered for any user.

Let's select auditing for listing the file.

To cross-check with the event logs, right-click My Computer, select Manage, then go to Event Viewer > Security.

We can see a few entries among the security events.

From this log we can determine the following:

  • Date on which the audited file was listed
  • Time at which the audited file was listed
  • Username used to list the file, and whether it was a successful attempt or a failed attempt
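The whole procedure above (enabling the policy, auditing cycops.txt for Everyone, then pulling the date, time, user and outcome out of the Security log) scripted in PowerShell, as an added example that is not part of the original post. It assumes an elevated session on Windows Vista/7 or later; the file path, the auditpol command, the event IDs 4656/4663 and the property indexes are assumptions of this example, not from the post.

```powershell
# Added example, not from the original post. Scripts the post's two-step
# procedure (enable the policy, then audit one object) and the cross-check in
# the Security log. Assumptions: the file path is constructed; the auditpol
# command and event IDs 4656/4663 apply to Windows Vista/7 and later (older
# versions use different IDs); run from an elevated (Administrator) session.

$Target = 'C:\Audit\cycops.txt'   # constructed path; the post audits cycops.txt
if (-not (Test-Path $Target)) { New-Item -ItemType File -Path $Target -Force | Out-Null }

# Step 1: turn on "Audit Object Access" for both Success and Failure, the same
# setting the post enables through gpedit.msc > Audit Policy.
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# Step 2: add a SACL entry to the object so that list/read attempts by anyone
# (Everyone, as the post recommends) are audited on success and on failure.
$acl  = Get-Acl -Path $Target -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList 'Everyone', 'ReadData', 'Success,Failure'
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# Generate one access so there is an entry to look at.
Get-Content -Path $Target | Out-Null

# Cross-check: read the same Security log the post opens in Event Viewer.
# 4663 = "An attempt was made to access an object" (logged on success);
# 4656 = "A handle to an object was requested" (carries the Audit Failure).
# Property indexes 1 (SubjectUserName) and 6 (ObjectName) are assumed from the
# standard layout of both events.
function Get-ObjectAccessAudit {
    param([string]$Path, [int]$MinutesBack = 5)
    $filter = @{ LogName = 'Security'; Id = 4656, 4663
                 StartTime = (Get-Date).AddMinutes(-$MinutesBack) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[6].Value -eq $Path } |
        ForEach-Object {
            [pscustomobject]@{
                Date    = $_.TimeCreated.ToShortDateString()
                Time    = $_.TimeCreated.ToLongTimeString()
                User    = $_.Properties[1].Value
                Outcome = ($_.KeywordsDisplayNames -join ',')  # Audit Success / Audit Failure
            }
        }
}

Get-ObjectAccessAudit -Path $Target | Format-Table -AutoSize
```

Setting a SACL with Set-Acl needs the SeSecurityPrivilege that an elevated session holds; without it the Step 2 call fails and no events are produced.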

Conclusion:
Logging events can help you monitor your computer or network and prevent a successful attack, and can also prove very useful in determining how and when an attack occurred if you use the logs as forensic evidence.

http://cycops.co.in

1 comment:

V.U.M.Sastry Sagi said...

Excellent Post.

I expect more articles soon.

Thanks & Regards,
V.U.M.Sastry Sagi