Security Incidents mailing list archives
Re: Win2k Audit Logs - What happened here?
From: H C <keydet89 () yahoo com>
Date: Mon, 16 Dec 2002 13:41:32 -0800 (PST)
> We turned on Windows 2000 auditing for a particular user on our file server (SERVER1) and found very interesting audit events, but we don't know what action actually triggered all the events. We noticed that a folder (Group1) and all of its subfolders have been accessed within 3 seconds. Yes, just within a few seconds. We thought the user (user2) might have been browsing through the folders and subfolders, but it just sounds impossible to browse all the folders in less than 3 seconds! We also thought the user (user2) might have copied the whole folders and pasted them somewhere... This will sound more logical to do in 3 seconds...
Have you thought of asking the user? Also, since the events you posted are all success events, it would seem that the user is performing authorized activities...so, what's the point?
> So, what do you guys think?
Honestly? You really need to put more thought into what auditing you enable.