Educause Security Discussion mailing list archives
NTFS file access auditing
From: Brad Judy <win-hied () BRADJUDY COM>
Date: Wed, 28 Apr 2010 13:56:15 -0400
One of our current projects is a higher security file services offering that can meet some of the stricter regulatory compliance requirements. To that end, one of the planned features is detailed file access auditing to enable a review of who has accessed what data at what time. This is easy enough to enable with native capabilities, and we're looking at third-party tools to make audit log reviews/reports much more practical.

My question is about a quirk of Windows Explorer and its impact on audit logs. If I enable audit logging of file reads for items in a particular directory, but not auditing of "read" on the directory itself (aka list), and then do a command-line directory listing of the directory, there are no resulting audit logs. This is expected because I just accessed a directory listing and did not read the files themselves.

If I instead open the directory in Windows Explorer (at least under Windows 7), it will trigger a read audit log for all of the files in the directory. Following both of these actions in Process Monitor (great tool - learn it) shows that they are indeed very different and the GUI browsing does request a handle for each of the files in the directory and opens them. Presumably this is done to request detailed file information for GUI display.

Unfortunately, this means the audit logs are deceiving, showing no difference between browsing into a folder and actually opening the files.

Has anyone else tackled this issue? Did you do so natively, or using a third-party audit solution?

Thanks,
Brad Judy
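To reproduce the setup described in the message above, the following is an added example, not code from the original post. It assumes an elevated PowerShell session, a hypothetical test folder `D:\AuditTest`, and the `Everyone` principal; the helper name `Get-FileReadAudit` is also hypothetical.

```powershell
# Assumptions (not from the original post): elevated session, test folder path,
# and auditing the "Everyone" principal.
$dir = 'D:\AuditTest'   # hypothetical path

# Enable success auditing for the File System subcategory.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# Audit ACE inherited by files only: ObjectInherit + InheritOnly means the
# folder itself (the listing) is not audited, but reads of its files are.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', 'ReadData', 'ObjectInherit', 'InheritOnly', 'Success')
$acl = Get-Acl -Path $dir -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $dir -AclObject $acl

# Return 4663 (object access) events for files under $Folder since $Since,
# with the fields needed to compare a console listing to Explorer browsing.
function Get-FileReadAudit {
    param([string]$Folder, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
                $d[$n.Name] = $n.'#text'
            }
            if ($d.ObjectName -like "$Folder\*") {
                New-Object psobject -Property @{
                    Time       = $_.TimeCreated
                    User       = $d.SubjectUserName
                    Process    = $d.ProcessName
                    File       = $d.ObjectName
                    AccessMask = $d.AccessMask
                }
            }
        }
}

$start = Get-Date
Read-Host 'List the folder with "dir" or open it in Explorer, then press Enter'
Get-FileReadAudit -Folder $dir -Since $start |
    Group-Object Process | Select-Object Count, Name
```

Running it once after a command-line `dir` and once after opening the folder in Explorer shows the per-process event counts for each case side by side.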