Re: Win2k Audit Logs - What happened here?

[H C <keydet89 () yahoo com>]

> We turned on windows 2000 auditing for a particular
> user on our file server(SERVER1) and found a very
> interesting audit events, but we don't know what
> action actually trigered all the events. We noticed
> that a folder (Group1) and all of its subfolders has
> been accessed within a 3 econds. Yes just within a
> few
> seconds. We though the user(user2) might has been
> browsing through the folders and subfolders, but it
> just sound impossible to browser all the folders in
> less than 3 seconds !!. We also though of the user
> (user2) might have copy the whole folders and paste
> it
> some where... This will sound more logic to do in 3
> seconds...

Have you thought of asking the user?  Also, since the
events you posted are all success events, it would
seem that the user is performing authorized
activities...so, what's the point?  

> So, what you guyz think? .

Honestly?  You really need to put more thought into
what auditing you enable.


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com