Author: Ryan (Guest)
Posted: Fri May 20, 2005 12:51 am
Post subject: AD auditing is giving too much info
I have configured file auditing on a server to audit object access for
a specific folder and all subfolders (root folder is called EPHI).
HIPAA requires that I provide monthly access reports to my manager for
this folder and all subfolders. The problem I've run up against seems
to be a typical problem anytime you dig into security logs: noise. For
testing purposes I've temporarily configured auditing as follows:
Object Access Success/Failure (all other auditing has been
temporarily disabled)
Audit the Access of global system objects: Disabled
I've gone and set the auditing properties on the file through the
file properties -> security -> advanced -> auditing.
Although I am logging the actions I need (create, delete, change etc.),
I'm also getting a lot of noise...which brings me here.
The security event log is filling up with:
Event ID: 562
Source: System
Category: Object Access
Type: Success Audit
Description:
Handle Closed
Object Server: Microsoft Exchange
Image File Name: C:\Program Files\Exchsrvr\bin\store.exe
I have double checked the file auditing properties for C:\Program
Files\Exchsrvr\bin\store.exe and nothing is set to audit. I've dug
around on the web and haven't found any help, does anybody have any
insight on this?
Thank you for your help!
~J~

Author: Steven L Umbach (Guest)
Posted: Fri May 20, 2005 7:34 am
Post subject: Re: AD auditing is giving too much info
That is the nature of auditing object access. If you have to audit all
permissions you will have a ton of events. If you can specify auditing only
for some permissions then you can reduce the number of events recorded.
Auditing read and list permissions will generate the most events. Instead
of auditing everyone/users if you can specify a group of users [global or
local] that may also cut down on the events recorded. --- Steve

Author: Steven L Umbach (Guest)
Posted: Sat May 21, 2005 12:51 am
Post subject: Re: AD auditing is giving too much info
Hi Ryan.
I don't know a definitive answer to that question. My guess is those are
files that are related to accessing the files that are being audited. For
instance when I enable auditing of a file I often see handle closed events
for explorer.exe. I hope that Microsoft has plans to someday make auditing
of folders/files a bit more productive or configurable such as "only record
events that contain names of files in the folder being audited". --- Steve
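Steve's wish above, keeping only the events that name files under the audited folder, can be done after the fact with a small post-filter. The script below is an added example (not code from the thread): it builds the monthly access report from Object Open (560) events whose Object Name lies under the EPHI root and drops Handle Closed (562) events such as the store.exe ones, which, as the first post shows, name a process but no object. The root path D:\EPHI and the simplified "Key: value" record layout are assumptions.

```python
import re
from collections import Counter

AUDIT_ROOT = r"D:\EPHI"  # assumed location of the audited folder

# Constructed sample records (simplified "Key: value" rendering of the
# event description fields); a real exported log needs its own parser.
SAMPLE_LOG = """\
Event ID: 560
Object Name: D:\\EPHI\\claims\\patient-123.doc
Primary User Name: jsmith
Accesses: ReadData (or ListDirectory)

Event ID: 562
Object Server: Microsoft Exchange
Image File Name: C:\\Program Files\\Exchsrvr\\bin\\store.exe

Event ID: 560
Object Name: D:\\EPHI\\claims\\patient-123.doc
Primary User Name: jsmith
Accesses: WriteData (or AddFile)

Event ID: 560
Object Name: D:\\EPHI2\\notes.txt
Primary User Name: abrown
Accesses: ReadData (or ListDirectory)
"""

def parse_events(text):
    """Split the log into blank-line separated records, each a dict of fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon ends the key
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def under_root(path, root=AUDIT_ROOT):
    """Root itself or below it; case-insensitive (NTFS) and separator-aware,
    so D:\\EPHI2\\x is NOT counted as inside D:\\EPHI."""
    p, r = path.lower().rstrip("\\"), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")

def ephi_access_report(text, root=AUDIT_ROOT):
    """Count (user, access) for Object Open (560) events under the audited
    tree; Handle Closed (562) events carry no Object Name, so drop them."""
    counts = Counter()
    for ev in parse_events(text):
        if ev.get("Event ID") != "560" or not under_root(ev.get("Object Name", ""), root):
            continue
        counts[(ev["Primary User Name"], ev["Accesses"])] += 1
    return counts
```

Real exports differ in layout, so only `parse_events` needs replacing to run this over a month's worth of the Security log.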

Author: Ryan (Guest)
Posted: Sat May 21, 2005 12:51 am
Post subject: Re: AD auditing is giving too much info
I understand that much, but the question I really have is why am I
getting handle closed audits for a file in a folder I am not auditing?
Is there some universal audit for Exchange, or something I am unaware
of?
Thanks again for any help.
Ryan

Author: Ryan (Guest)
Posted: Fri May 27, 2005 12:52 am
Post subject: Re: AD auditing is giving too much info
Does anyone else have any other insight or suggestions on this matter?
Otherwise, I have to call MS to figure it out. Auditing is not super
well documented...
Thanks in advance,
Ryan

Author: Truffle (Joined: 07 Dec 2005, Posts: 1)
Posted: Wed Dec 07, 2005 10:39 pm
Post subject: Same problem
I'm experiencing the same exact problem. I have only been able to stop it by disabling Auditing in Group Policy Management. This is not an acceptable solution, but it's a band-aid to prevent my Security log from being unusable until I can find a proper fix.
Group Policy Management:
  Forest: Domain.local
    Domains
      Domain.local
        Domain Controllers
          Default Domain Controller
On the right you'll see "Computer Configuration".
Right click on that heading and select Edit, which will open the Group Policy Object Editor, then drill down AGAIN:
Computer Configuration
  Windows Settings
    Security Settings
      Local Policies
        Audit Policy
There, edit the policy "Audit object access" to set:
[checked] Define these policy settings
  Audit these attempts:
    [unchecked] Success
    [unchecked] Failure
I've found unchecking "Define these policy settings" does NOTHING, but let me know if you find different.
A bit obtuse, but lacking better advice, I'll take it.