
6-3 Auditing File System Access

Lesson 3: Auditing File System Access
Many organizations elect to audit file system access to provide insight into resource utilization and potential security vulnerabilities. Windows Server 2003 supports granular auditing based on user or group accounts and the specific actions performed by those accounts. To configure auditing, you must complete three steps: specify auditing settings, enable audit policy, and evaluate events in the security log. This lesson will explore these three processes and provide guidance on effective auditing, so that you can leverage auditing to meet business requirements without being drowned in logged events.
After this lesson, you will be able to
■ Configure audit settings on a file or folder
■ Enable auditing on a standalone server or for a collection of servers
■ Examine audited events in the Security log
Estimated lesson time: 20 minutes
Configuring Audit Settings
To specify the actions you wish to monitor and track, you must configure audit settings in the file’s or folder’s Advanced Security Settings dialog box. The Auditing tab, shown in Figure 6-12, looks strikingly similar to the Permissions tab before it. Instead of adding permissions entries, however, you add auditing entries.
Figure 6-12 Auditing tab of the Advanced Security Settings dialog box
Click Add to select the user, group, or computer to audit. Then, in the Auditing Entry dialog box, as shown in Figure 6-13, indicate the permission uses to audit.
Figure 6-13 Auditing Entry dialog box
You are able to audit for successes, failures, or both as the account attempts to access the resource using each of the granular permissions assigned to the object.
Successes can be used to audit the following:
■ To log resource access for reporting and billing.
■ To monitor for access that would indicate that users are performing actions greater than what you had planned, indicating permissions are too generous.
■ To identify access that is out of character for a particular account, which might be a sign that a user account has been breached by a hacker.
Auditing for failed access allows you:
■ To monitor for malicious attempts to access a resource to which access has been denied.
■ To identify failed attempts to access a file or folder to which a user does require access. This would indicate that permissions are not sufficient to achieve a business task.
Audit settings, like permissions, follow rules of inheritance. Inheritable auditing settings are applied to objects that allow inheritance.
Note: Audit logs have the tendency to get quite large, quite rapidly, so a golden rule for auditing is to configure the bare minimum required to achieve the business task. Specifying to audit successes and failures on an active data folder for the Everyone group using Full Control (all permissions) would generate enormous audit logs that could affect the performance of the server and would make locating a specific audited event all but impossible.
Enabling Auditing
Configuring auditing entries in the security descriptor of a file or folder does not, in itself, enable auditing. Auditing must be enabled through policy. Once auditing is enabled, the security subsystem begins to pay attention to the audit settings, and to log access as directed by those settings.
Audit policy may be enabled on a stand-alone server using the Local Security Policy console, and on a domain controller using the Domain Controller Security Policy console. Select the Audit Policy node under the Local Policies node and double-click the policy, Audit Object Access. Select Define These Policy Settings and then select whether to enable auditing for successes, failures, or both.
Note: Remember that the access that is audited and logged is the combination of the audit entries on specific files and folders, and the settings in Audit Policy. If you have configured audit entries to log failures, but the policy enables only logging for successes, your audit logs will remain empty.
You may also enable auditing for one or more computers using Active Directory Group Policy Objects (GPOs). The Audit Policy node is located under Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy. Like all group policies, the computers that are affected by the policy will be those contained within the scope of the policy. If you link a policy to the Servers OU and enable auditing, all computer objects in the Servers OU will begin to audit resource access according to audit entries on files and folders on those systems.
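The interaction between audit entries and audit policy described above, as an added example that is not part of the original lesson: a simplified Python model in which an attempt is logged only when the Audit Object Access policy and a matching audit entry both cover the outcome, plus a review that flags entries the policy ignores and the overly broad entry the golden rule warns about. The class names, the three permission bits and the sample entries are hypothetical simplifications, not Windows APIs.

```python
from dataclasses import dataclass

# Simplified stand-ins for the granular permissions (assumption, not Windows constants).
READ, WRITE, DELETE = 1, 2, 4
FULL_CONTROL = READ | WRITE | DELETE

@dataclass(frozen=True)
class AuditEntry:            # one auditing entry on a file or folder
    principal: str           # user or group being audited
    accesses: int            # permission uses to audit
    success: bool
    failure: bool

@dataclass(frozen=True)
class Policy:                # the Audit Object Access policy setting
    success: bool
    failure: bool

def is_logged(policy, entries, principals, access, granted):
    """True if the attempt reaches the Security log.

    principals: the account name plus every group it belongs to.
    """
    if not (policy.success if granted else policy.failure):
        return False         # policy does not cover this outcome; entries are ignored
    return any(e.principal in principals and bool(e.accesses & access)
               and (e.success if granted else e.failure) for e in entries)

def review(policy, entries):
    """List (principal, finding) for entries the policy ignores or that log too much."""
    findings = []
    for e in entries:
        if (e.success and not policy.success) or (e.failure and not policy.failure):
            findings.append((e.principal, "outcome not enabled in audit policy"))
        if (e.principal == "Everyone" and e.accesses == FULL_CONTROL
                and e.success and e.failure):
            findings.append((e.principal, "successes and failures of Full Control for Everyone"))
    return findings

# Constructed sample configuration.
ENTRIES = [AuditEntry("Sales", DELETE, success=True, failure=False),
           AuditEntry("Everyone", WRITE | DELETE, success=False, failure=True)]
BROAD = AuditEntry("Everyone", FULL_CONTROL, success=True, failure=True)
SUCCESS_ONLY = Policy(success=True, failure=False)
BOTH = Policy(success=True, failure=True)
```

With `SUCCESS_ONLY`, a denied write by any account is not logged even though the Everyone entry asks for failures, which is the empty-log case the note describes.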
Examining the Security Log
Once audit entries have been configured on files or folders, and auditing object access has been enabled through local or group policy, the system will begin to log access according to the audit entries. You can view and examine the results using Event Viewer and selecting the Security log, as shown in Figure 6-14.
As you can see, the Security log can be quite busy, depending on the types of auditing being performed on the machine. You can sort the events to help you identify object access events by clicking the Category column header and locating the Object Access events.
Figure 6-14 The Security log in Event Viewer
Sorting will, however, provide little assistance as you dig through the logged events. You will often be better served by filtering the event log, which can be done by choosing the Filter command from the View menu, or alternatively by selecting the Security log, then Properties from the Action or shortcut menus, and then clicking the Filter tab. The Filter tab enables you to specify criteria including the event type, category, source, date range, user, and computer. Figure 6-15 illustrates an example of a filter applied to identify object access audit events on a specific date.
Figure 6-15 The Filter tab
Finally, you have the option to export the Security log by selecting the Save Log File As command from the log’s context menu. The native event log file format takes a .evt extension. You can open that file with Event Viewer on another system. Alternatively, you can save the log to tab- or comma-delimited file formats, which can be read by a number of analysis tools including Microsoft Excel. In Excel, you can of course apply filters as well to search for more specific information, such as the contents of the event’s Description field.
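Filtering a comma-delimited export outside Event Viewer, as an added example that is not part of the original lesson: a Python script that applies Filter-tab style criteria to the saved log and searches the Description field. The column order, the US-style date format, and the sample rows (accounts, paths, descriptions) are assumptions constructed for the illustration.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Assumed column order of the comma-delimited export (no header row).
FIELDS = ["date", "time", "source", "type", "category",
          "event", "user", "computer", "description"]

# Constructed sample export; accounts, paths and descriptions are illustrative.
SAMPLE = r'''3/14/2005,9:02:11 AM,Security,Success Audit,Object Access ,560,CONTOSO\danh,SERVER01,"Object Open: Object Name: D:\Data\Budget.xls Accesses: ReadData"
3/14/2005,9:05:40 AM,Security,Failure Audit,Object Access ,560,CONTOSO\lornt,SERVER01,"Object Open: Object Name: D:\Data\Payroll.xls Accesses: ReadData"
3/14/2005,9:06:02 AM,Security,Success Audit,Logon/Logoff ,528,CONTOSO\danh,SERVER01,"Successful Logon"
3/15/2005,8:47:19 AM,Security,Failure Audit,Object Access ,560,CONTOSO\lornt,SERVER01,"Object Open: Object Name: D:\Data\Payroll.xls Accesses: WriteData, AppendData"
3/15/2005,4:30:55 PM,Security,Failure Audit,Object Access ,560,CONTOSO\danh,SERVER01,"Object Open: Object Name: D:\Data\Payroll.xls Accesses: DELETE"
'''

def load(text):
    """Parse the export into dicts, keeping commas inside the Description field."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) < len(FIELDS):
            continue                      # blank or truncated line
        cells = [c.strip() for c in row[:8]] + [",".join(row[8:]).strip()]
        events.append(dict(zip(FIELDS, cells)))
    return events

def object_access(events, on_date=None, event_type=None, user=None, text=None):
    """Apply Filter-tab style criteria, plus a search of the Description field."""
    hits = []
    for e in events:
        if e["category"] != "Object Access":
            continue
        if on_date and datetime.strptime(e["date"], "%m/%d/%Y").date() != on_date:
            continue                      # assumes US-style m/d/yyyy dates
        if event_type and e["type"] != event_type:
            continue
        if user and e["user"].lower() != user.lower():
            continue
        if text and text.lower() not in e["description"].lower():
            continue
        hits.append(e)
    return hits

def failures_by_user(events):
    """Count failed object access attempts per account."""
    return Counter(e["user"] for e in object_access(events, event_type="Failure Audit"))
```

Repeated failures by one account against the same object, as `failures_by_user` surfaces for the constructed rows, are the pattern the lesson associates with either malicious attempts or insufficient permissions.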

Heaven sees what people do; when reposting, please credit this article's address with a link.
Article address: http://www.zhaoniupai.com/blog/archives/221.html