Another Dumbass Computer Question

You guys were real helpful last time…can you follow it up with another stellar performance? :smiley: I sure hope so!

So I’ve inherited my company’s OVOW administration and I’m trying to set up some alerts for failed object access attempts across our network.

In a test OU I configured a GPO which audits and records failed object access attempts to the security log on the box where the object resides. This works great and as expected for local object access events (whenever someone is either terminaled into the box or sitting at the console and trying to access the object); however, when accessing files in shared folders across the network no failed object access event is logged, even when the user receives an access denied message…the only logged event is ID 538 (account logon event) and these show up as SUCCESSES in Event Viewer (even though they are clearly failing).

So…does anyone know of any way to audit attempted network object access to shared folders? None of the M$ stuff is being very helpful.

Help is genuinely appreciated…I need to start buying you guys beer or something. :smiley:

No one!? Come on, who wants to show how big their IT penis is?

I would use some utility programs. Give GFI a try.

:bowrofl: sorry dude, I’ve been getting my ass kicked by some group policy that campus was loading. I’m an Exchange superhero, I suck at GPO…

If I get some time I’ll try to look around today…

Hey man… sorry I didn’t respond… no cut and dried answer really… as far as event tracking, I’ve used good old text based logs… but a good program is called Event Comber, which will query logs for given events… you can search by event ID, by keyword, by user… etc., etc.

MOM will also trigger events based on event IDs… but I’ve never used it for something like you’re asking for…

From what I’m reading, you want something that returns the attempted connection to network shares? No events are logged when failed attempts are made??? I suppose you could set up NTFS auditing on the share if it’s something specific… just watch your disk space… tons of people dump logs and run out of free space on the volumes…

Sorry, just read it. Sonny pretty much summed it up. We had a situation where an employee was coming through and deleting random files. Turning on security logging helped us figure out who it was, but I think this would be even easier if you just ran MOM to report on the event ID. It’s pretty cake to do; it will take you no more than 15 minutes to make it do exactly what you need.

Thanks guys…I figured out the problem, as with 99% of IT issues it was PLBCAK. Hey, I never claimed to not be a dumbass. :smiley:

I’d initially configured NTFS auditing on the folders I wanted to audit, but never forced propagation down to the file level…hence why network access to specific files was not showing up. I forced the audit settings to propagate to all child containers and bam, my events showed up.

It’s working now, set up like this:

- A GPO enables auditing for the machines in question
- Object auditing is configured for the shared folders and forced to propagate to all child objects
- An OpenView policy is deployed to and reads the security logs on the audited machines
- When a failure event 560 is generated the OpenView policy sends me an email telling me who is trying to access what

Thanks!
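As an added illustration of the fix described in the last post (not code from the thread or from the OpenView product), the PowerShell below puts an NTFS audit entry on a shared folder with the inheritance flags set so it propagates to every child folder and file, checks that a child file actually picked it up, and then pulls the resulting failure audits (event 560, Object Open on Windows 2000/2003) from the Security log. The folder path and the audited principal are placeholders; running it needs the GPO-side object access auditing already enabled and an elevated session, since reading or writing a SACL requires the security privilege.

```powershell
# Added example, not from the original thread. Placeholders: adjust the path and principal.
$folder    = 'D:\Shares\Finance'   # placeholder: the shared folder to audit
$principal = 'Everyone'            # placeholder: whose failed attempts to record

# Without ContainerInherit/ObjectInherit the SACL applies to the folder only, which is
# why network access to individual files produced no events in the original setup.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]::Failure

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $principal, $rights, $inherit, $prop, $flags)

# -Audit is required to read and write the SACL (system ACL) rather than the DACL.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify propagation: a child file should now list the inherited audit entry.
$sample = Get-ChildItem -Path $folder -Recurse -File | Select-Object -First 1
if ($sample) {
    (Get-Acl -Path $sample.FullName -Audit).Audit |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

# Pull the most recent failure audits for Object Open (560) so you can see who
# tried to open what before wiring the same query into an OpenView policy.
Get-EventLog -LogName Security -InstanceId 560 -EntryType FailureAudit -Newest 50 |
    Select-Object TimeGenerated, UserName, Message
```

The verification step is the part that would have caught the original problem early: if `IsInherited` is false or the child file shows no audit entry at all, the SACL never left the folder, and no amount of log collection on the OpenView side will surface file-level denials.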