I am attempting to enable file and application auditing to meet HIPAA
compliance. The issue I am having is the security log fills up way too fast,
eventually locking out all but administrators from logging on. I know I can
disable this, but I would rather just audit when the file or app was accessed
and by whom. I have been experimenting with the auditing settings, but no
matter what I do, even opening one folder creates 10 security items in the
event log. Does anyone have any tips on how to narrow down what is entered
into the event log?

Re: File access auditing fills security log too fast by Roger

Roger
Fri Mar 18 09:14:15 CST 2005

There are two things you can do to assist you in this.
1. Increase the max size and the on-full behaviors of the security event log.
2. Tune the SACLs that control what actions are logged and on what objects.
   Use the Advanced dialog in the audit NTFS security settings dialog so that
   you do not trigger audit messages for actions of no interest.

--
Roger Abell
Microsoft MVP (Windows Security)
MCSE (W2k3,W2k,Nt4) MCDBA
"ParamusAdmin" <ParamusAdmin@discussions.microsoft.com> wrote in message
news:8839A676-F174-4B92-B388-7403204BD453@microsoft.com...
> I am attempting to enable file and application auditing to meet HIPAA
> compliance. The issue I am having is the security log fills up way too fast,
> eventually locking out all but administrators from logging on. I know I can
> disable this, but I would rather just audit when the file or app was accessed
> and by whom. I have been experimenting with the auditing settings, but no
> matter what I do, even opening one folder creates 10 security items in the
> event log. Does anyone have any tips on how to narrow down what is entered
> into the event log?
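Roger's second point, tuning the SACL so that only actions of interest are audited, done from PowerShell instead of the Advanced security dialog. This is an added example, not code from the thread or from Microsoft. It assumes an elevated Windows PowerShell session (writing a SACL needs SeSecurityPrivilege), that Object Access / File System auditing is already enabled in the audit policy, and that C:\PHI is a placeholder for the real folder. The point it demonstrates is the one behind "opening one folder creates 10 security items": an audit entry for ReadData that applies to the folder itself fires on every directory listing, whereas an entry scoped to files only (ObjectInherit + InheritOnly) still records who opened which document.

```powershell
# Added example (not from the thread). Narrow a folder's SACL so that browsing
# the folder tree is not audited, but opening, changing or deleting a file is.
# Assumes an elevated session (writing a SACL needs SeSecurityPrivilege), that
# Object Access / File System auditing is already enabled in the audit policy,
# and that $Path is a placeholder for the real folder.
param(
    [string]$Path = 'C:\PHI'   # placeholder; replace with the PHI folder
)

$who = [System.Security.Principal.NTAccount]'Everyone'
$acl = Get-Acl -Path $Path -Audit    # -Audit retrieves the SACL, not only the DACL

# Inheritance flag sets. "ObjectInherit + InheritOnly" applies an entry to the
# files below the folder but not to the folder or its sub-folders, so listing
# a directory (ReadData/ListDirectory on the folder) produces no audit event.
$filesOnly     = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$inheritOnly   = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$everything    = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noPropagation = [System.Security.AccessControl.PropagationFlags]::None

$readRights   = [System.Security.AccessControl.FileSystemRights]::ReadData
$changeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$allRights    = [System.Security.AccessControl.FileSystemRights]::FullControl
$success      = [System.Security.AccessControl.AuditFlags]::Success
$failure      = [System.Security.AccessControl.AuditFlags]::Failure

# 1. Successful reads of file contents, on files only (who opened which record)
$readFiles = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $who, $readRights, $filesOnly, $inheritOnly, $success)
# 2. Successful modifications, deletions and permission changes, everywhere
$changes = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $who, $changeRights, $everything, $noPropagation, $success)
# 3. Any failed access attempt, everywhere
$denied = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $who, $allRights, $everything, $noPropagation, $failure)

# Remove existing audit entries for this identity so the script is re-runnable
$acl.PurgeAuditRules($who)
foreach ($rule in $readFiles, $changes, $denied) { $acl.AddAuditRule($rule) }
Set-Acl -Path $Path -AclObject $acl

# Display the SACL that is now in place
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags,
                 InheritanceFlags, PropagationFlags -AutoSize
```

Run it once per folder that holds protected data; because it purges and re-adds the entries for the chosen identity, re-running after a policy change is safe. If the regulation does require successful reads to be recorded (as the original post wants), rule 1 keeps them while still dropping the events generated by merely navigating the tree.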



Re: File access auditing fills security log too fast by Steven

Steven
Fri Mar 18 11:56:10 CST 2005

To add to what Roger suggested, check the security policy on your computer
for the security option for audit the access of global objects to make sure
that it is disabled which it is by default. That will not interfere with
normal auditing if disabled. -- Steve


"ParamusAdmin" <ParamusAdmin@discussions.microsoft.com> wrote in message
news:8839A676-F174-4B92-B388-7403204BD453@microsoft.com...
> I am attempting to enable file and application auditing to meet HIPAA
> compliance. The issue I am having is the security log fills up way too fast,
> eventually locking out all but administrators from logging on. I know I can
> disable this, but I would rather just audit when the file or app was accessed
> and by whom. I have been experimenting with the auditing settings, but no
> matter what I do, even opening one folder creates 10 security items in the
> event log. Does anyone have any tips on how to narrow down what is entered
> into the event log?



Re: File access auditing fills security log too fast by Karl

Karl
Sat Mar 19 10:28:50 CST 2005

I agree with the other two posts. You should probably not be auditing
successful file accesses for all files, especially if you have no plans to
ever look at those logs. Some sane recommendations are given in the Win2K
security guides at www.nsa.gov/snac and in the Windows 2003 security guide
at www.microsoft.com/technet/security. Some guides like DISA and possibly
NIST tell you to enable way too much auditing.

I would also suggest you make your auditing log somewhat larger, and
consider changing the event log to overwrite events as necessary, and/or
don't forbid users from logging in when the logs fill up. Those are old
recommendations that are no longer advisable. System availability is a part
of computer security, and so good security settings should not interfere so
severely with availability. The latest MS Windows 2003 security guide above
gives the latest guidance, and NSA approves the MS guidance.

If you are really bound to preserve all of these events [I hope you are
not], then you could consider using something like NTSYSLOG or a Host-based
IDS like ISS or better yet Enterasys Dragon to spit all of those log entries
to a central syslog server using encrypted and authenticated channels like
via IPsec and PKI machine certificates. However, if these things fill up
your logs, then logging all of these events on the network would also impact
your network bandwidth. Most people do filtering of events so that not
every event gets transmitted, like HIDS typically do.


"ParamusAdmin" <ParamusAdmin@discussions.microsoft.com> wrote in message
news:8839A676-F174-4B92-B388-7403204BD453@microsoft.com...
> I am attempting to enable file and application auditing to meet HIPAA
> compliance. The issue I am having is the security log fills up way too fast,
> eventually locking out all but administrators from logging on. I know I can
> disable this, but I would rather just audit when the file or app was accessed
> and by whom. I have been experimenting with the auditing settings, but no
> matter what I do, even opening one folder creates 10 security items in the
> event log. Does anyone have any tips on how to narrow down what is entered
> into the event log?
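The log-sizing and on-full settings that Roger and Karl recommend, together with the "audit the access of global system objects" check Steven mentions, as one script. This is an added example, not from the thread or from Microsoft. It assumes an elevated Windows PowerShell session on a Windows version that ships wevtutil and Get-WinEvent (newer than the Windows 2000/2003 systems the thread discusses), and 256 MB is an illustrative size, not a recommendation. The registry value names under the Lsa key (CrashOnAuditFail, AuditBaseObjects) are the ones behind the "lock out all but administrators" behaviour and the global-objects security option.

```powershell
# Added example (not from the thread). Size the Security log, make it overwrite
# as needed, and check the two LSA values behind "lock out all but
# administrators" and "audit the access of global system objects".
# Assumes an elevated Windows PowerShell session on a version that ships
# wevtutil and Get-WinEvent; $MaxBytes is an illustrative figure.
param(
    [long]$MaxBytes = 256MB   # illustrative; size it from your event rate and review interval
)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Maximum size and on-full behaviour. /rt:false = overwrite events as needed
#    (circular). /rt:true = do not overwrite; once full, auditing stops, and with
#    CrashOnAuditFail set that is what locks ordinary users out.
wevtutil sl Security /ms:$MaxBytes /rt:false
if ($LASTEXITCODE -ne 0) { throw "wevtutil sl failed with exit code $LASTEXITCODE" }

$props = Get-ItemProperty -Path $lsa

# 2. CrashOnAuditFail: 0 = keep running, 1 = halt/refuse logons when an audit
#    cannot be written, 2 = already tripped (only administrators can log on).
#    A change here takes effect after a reboot.
$cof = [int]($props.CrashOnAuditFail)     # a missing value reads as 0
if ($cof -ne 0) {
    Write-Warning "CrashOnAuditFail is $cof; setting it to 0 (reboot required)"
    Set-ItemProperty -Path $lsa -Name CrashOnAuditFail -Value 0 -Type DWord
}

# 3. AuditBaseObjects backs the "Audit: Audit the access of global system
#    objects" option. When it is 1, kernel objects (mutexes, events, ...) get a
#    default SACL and the log fills with object-access events that have nothing
#    to do with files. The default, and the value Steven recommends, is 0.
$abo = [int]($props.AuditBaseObjects)
if ($abo -ne 0) {
    Write-Warning "AuditBaseObjects is $abo; setting it to 0"
    Set-ItemProperty -Path $lsa -Name AuditBaseObjects -Value 0 -Type DWord
}

# 4. Report the resulting configuration and the active file-system audit policy
$log = Get-WinEvent -ListLog Security
[pscustomobject]@{
    MaximumSizeMB    = [math]::Round($log.MaximumSizeInBytes / 1MB)
    LogMode          = $log.LogMode     # Circular = overwrite as needed
    RecordCount      = $log.RecordCount
    CrashOnAuditFail = $cof
    AuditBaseObjects = $abo
} | Format-List

auditpol /get /subcategory:"File System"
```

The final auditpol line shows whether success, failure or both are being collected for file-system objects; if the policy collects more than the SACLs need, trimming it there removes events at the source rather than after they are written.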



Re: File access auditing fills security log too fast by ParamusAdmin

ParamusAdmin
Sat Mar 19 18:15:02 CST 2005

Unfortunately, by HIPAA regulation, we do have to log all successful and
unsuccessful access of folders and apps that contain patient health
information, and review all logs on a regular basis. In addition, we have to
audit all logons and logoffs, successful or not, which also go into the
security log. It's unclear whether we have to store the logs, or for how
long; I'm still researching that at this time. Anyone else with any
information who happens to be working on HIPAA compliance, please feel free
to weigh in. I have increased the log size to 32 MB, which should give me
around 40k to 50k entries, which should be fine for workstations. What I'm
worried about is our file server, which is accessed daily by around 100
employees. I'm not looking forward to reviewing those logs.



Re: File access auditing fills security log too fast by Frank

Frank
Sat Mar 19 18:45:31 CST 2005

"ParamusAdmin" <ParamusAdmin@discussions.microsoft.com> wrote in message
news:09069C9A-D615-4CFC-A5FB-D48BFA45C9AA@microsoft.com
> Unfortunately, by HIPAA regulation, we do have to log all successful and
> unsuccessful access of folders and apps that contain patient health
> information, and review all logs on a regular basis. In addition, we have to
> audit all logons and logoffs, successful or not, which also go into the
> security log. It's unclear whether we have to store the logs, or for how
> long; I'm still researching that at this time. Anyone else with any
> information who happens to be working on HIPAA compliance, please feel free
> to weigh in. I have increased the log size to 32 MB, which should give me
> around 40k to 50k entries, which should be fine for workstations. What I'm
> worried about is our file server, which is accessed daily by around 100
> employees. I'm not looking forward to reviewing those logs.

How about printing it out once a day and emptying the log?

--
Frank Saunders, MS-MVP, IE/OE
Please respond in Newsgroup only. Do not send email
http://www.fjsmjs.com
Protect your PC
http://www.microsoft.com./athome/security/protect/default.aspx
http://defendingyourmachine.blogspot.com/
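A scripted version of Frank's "print it out once a day and empty the log": archive the Security log to a dated .evtx file and clear it in a single operation, so the retention question ParamusAdmin raises can be answered by keeping the archives rather than by sizing the live log. This is an added example, not from the thread or from Microsoft. It assumes an elevated session on a Windows version with wevtutil and Get-WinEvent, and D:\AuditArchive is a placeholder; the archive location should be one that ordinary users cannot write to.

```powershell
# Added example (not from the thread). Archive the Security log to a dated
# .evtx file and clear it in one step, as a scripted stand-in for Frank's
# "print it out and empty the log". Assumes an elevated session on a version
# with wevtutil and Get-WinEvent; $ArchiveDir is a placeholder and should be a
# location ordinary users cannot modify.
param(
    [string]$ArchiveDir = 'D:\AuditArchive'   # placeholder archive location
)

if (-not (Test-Path -Path $ArchiveDir)) {
    New-Item -ItemType Directory -Path $ArchiveDir | Out-Null
}

$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$archive = Join-Path -Path $ArchiveDir -ChildPath ("Security-{0}-{1}.evtx" -f $env:COMPUTERNAME, $stamp)

# Record count before the operation, to check nothing was lost
$before = (Get-WinEvent -ListLog Security).RecordCount

# "cl" with /bu: backs up and clears atomically, so no event can land between a
# separate export and clear. The clear itself is written as event 1102 ("The
# audit log was cleared") at the start of the emptied log.
wevtutil cl Security /bu:"$archive"
if ($LASTEXITCODE -ne 0) { throw "wevtutil cl failed with exit code $LASTEXITCODE" }

# Verify the archive is readable and holds at least what the live log held
$info  = wevtutil gli "$archive" /lf:true
$count = [int](($info | Select-String 'numberOfLogRecords:\s*(\d+)').Matches[0].Groups[1].Value)
if ($count -lt $before) {
    Write-Warning "Archive holds $count records but the log reported $before before clearing"
}

# A hash stored beside the file lets a later reviewer check the archive was
# not altered during its retention period.
$hash = Get-FileHash -Path $archive -Algorithm SHA256
"$($hash.Hash)  $(Split-Path -Leaf $archive)" | Set-Content -Path "$archive.sha256"

# Confirm the clear was itself audited (1102) at the top of the fresh log
$cleared   = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -MaxEvents 1 -ErrorAction SilentlyContinue
$clearedAt = if ($cleared) { $cleared.TimeCreated } else { 'not found' }

[pscustomobject]@{
    Archive         = $archive
    RecordsBefore   = $before
    RecordsArchived = $count
    Sha256          = $hash.Hash
    ClearAuditedAt  = $clearedAt
} | Format-List
```

Scheduled daily, this keeps the live log small while the archives hold the full history; the archived .evtx files can be opened later with Get-WinEvent -Path for the periodic review the regulation requires, and the sidecar hash shows whether a file changed since it was written.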



Re: File access auditing fills security log too fast by gorgeadmin

gorgeadmin
Thu Mar 24 13:07:38 CST 2005


I'm also in the same boat as you. Have about 100 users that I'm
monitoring and the auditing log is filling up way too fast. The mere
thought of going through all these logs puts me to sleep. Let me know
if you find out anything regarding log retention (i.e. how long to keep
logs on record). Feel free to email me directly if you want to chat
about HIPAA compliance issues. gorgewindjunkie@yahoo.com.
kevin -
ParamusAdmin wrote:
> I am attempting to enable file and application auditing to meet HIPAA
> compliance. The issue I am having is the security log fills up way too fast,
> eventually locking out all but administrators from logging on. I know I can
> disable this, but I would rather just audit when the file or app was accessed
> and by whom. I have been experimenting with the auditing settings, but no
> matter what I do, even opening one folder creates 10 security items in the
> event log. Does anyone have any tips on how to narrow down what is entered
> into the event log?



--
gorgeadmin
Posted via http://www.webservertalk.com
View this thread: http://www.webservertalk.com/message961322.html