| 203 |
| Monitor shared folder access for security |
| Like other Windows operating systems, Windows 2000 Professional enables users to share folders |
| with others on the network. The shared folders can be protected with share permissions and, if the |
| folder is hosted on an NTFS volume, with NTFS permissions. However, even with these security |
| mechanisms in place, in many situations it can still be important to keep track of who accesses a |
| particular folder or file. Disproportionate access to a folder by a particular account can indicate a |
| compromised user account. |
| Perhaps the most direct way to monitor share access is to enable object access auditing. This |
| enables Windows to place an event in the Security event log when someone accesses a folder or file, |
| fails at that action, or both. Monitoring successful attempts helps track who is using the folder; |
| monitoring unsuccessful attempts helps identify authorized users who are having problems |
| connecting or users who are attempting to access a share for which they aren't authorized. |
| Go to Security Settings\Local Policies\Audit Policy\Audit Object Access and enable object access |
| auditing in local or group policy. |
| To configure auditing for individual folders and files, right-click the folder or file and choose |
| Click the Security tab, and click Advanced. |
| Click the Auditing tab, click Add, add a group or user, and click OK. |
| In the resulting Auditing Entry dialog box, place checks in the Successful and/or Failed columns |
| for each event you want to monitor. |
| Click OK to close the dialog box, close the remaining dialog boxes, and close the Properties for the |
| Note: Enabling auditing on a heavily used folder or file can generate a large number of events in |
First Previous Next Last |