I can't get my head round a sensible way to deal with security breaches of NTFS folders; here is the scenario:
Auditing is turned on and checking for security failures on files or folders, and the event log captures these security failures. Let's assume for the moment that they are genuine attempts to access something the user shouldn't.
How do you act on that information? Do you ask the user why they tried to access folder x? Surely the response will be that it was an accident, or they will just lie about the situation?
Now if it goes a step further and somehow they manage to access data they shouldn't, how will you ever know about it, because you cannot spend all day looking at success audits?
To add to the problem, I find that the auditing is pretty bad at being accurate: especially when the user has read-only access to an Office file, a security failure is often generated. I guess this is Windows working out what it can and cannot do?
I'm sure other people on here must have to audit this sort of stuff. I need to come up with a way of auditing and identifying security breaches so they can be acted on, but I keep going round in circles.
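One way to turn the raw failure audits into something that can be acted on is to triage them rather than read them one by one: drop the denials that are known noise, then score each user by how many distinct folders they were denied in and how often. The script below is an added example written for this thread, not code from the original post. It assumes object-access auditing is already producing Event ID 4656 "Audit Failure" records in the Security log; the noise patterns (the `~$` owner files that Office tries to create when it opens a document it can only read, temp files, `desktop.ini`, `Thumbs.db`) and the thresholds of 5 folders or 20 denials are illustrative assumptions, not vendor defaults, and the sample records at the bottom are constructed so the scoring can be run without a live log.

```powershell
# Added example (not from the original post): triage of NTFS "Audit Failure"
# events (Security log, Event ID 4656) so that noise is suppressed and only
# patterns worth a conversation with the user are surfaced. Thresholds and
# noise patterns are assumptions for illustration.

# Map a live Security-log record to a flat object. Field names follow the
# EventData of 4656 (SubjectUserName, ObjectName, ProcessName, AccessMask).
function ConvertFrom-FailureAuditEvent {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time       = $Event.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object     = $d.ObjectName
            Process    = $d.ProcessName
            AccessMask = $d.AccessMask
        }
    }
}

# Pull the last N hours of access-denied events. Keyword 0x8010000000000000
# selects "Audit Failure" records; success audits are deliberately excluded.
function Get-RecentAccessDenials {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4656
        Keywords  = 0x8010000000000000
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | ConvertFrom-FailureAuditEvent
}

# Noise (assumed patterns): Office tries to create its "~$" owner file next to
# a document, which is denied in a read-only folder even though the read is
# allowed. These are dropped before scoring.
$NoisePatterns = @('\\~\$[^\\]*$', '\.tmp$', '\\desktop\.ini$', '\\Thumbs\.db$')

function Test-IsNoise {
    param([string]$ObjectName)
    foreach ($p in $NoisePatterns) { if ($ObjectName -match $p) { return $true } }
    return $false
}

# Score per user: distinct folders probed and total denials. One denial in one
# folder reads as an accident; many folders in a short window is worth a look.
function Get-AccessDenialSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Denials,
        [int] $FolderThreshold = 5,   # assumption
        [int] $CountThreshold  = 20   # assumption
    )
    $Denials |
        Where-Object { -not (Test-IsNoise $_.Object) } |
        Group-Object User |
        ForEach-Object {
            $folders = @($_.Group | ForEach-Object { Split-Path $_.Object -Parent } | Sort-Object -Unique)
            [pscustomobject]@{
                User            = $_.Name
                Denials         = $_.Count
                DistinctFolders = $folders.Count
                Processes       = (@($_.Group.Process) | Sort-Object -Unique) -join ';'
                First           = ($_.Group.Time | Measure-Object -Minimum).Minimum
                Last            = ($_.Group.Time | Measure-Object -Maximum).Maximum
                Flag            = ($folders.Count -ge $FolderThreshold) -or ($_.Count -ge $CountThreshold)
            }
        } | Sort-Object Flag, DistinctFolders -Descending
}

# Constructed sample records (not real log data) so the scoring runs offline.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Time=$now; User='CORP\alice'; Object='D:\Shares\Finance\~$budget.xlsx'; Process='C:\Program Files\Microsoft Office\EXCEL.EXE'; AccessMask='0x2' }
    [pscustomobject]@{ Time=$now; User='CORP\alice'; Object='D:\Shares\Finance\budget.xlsx';   Process='C:\Program Files\Microsoft Office\EXCEL.EXE'; AccessMask='0x2' }
)
foreach ($i in 1..6) {
    $sample += [pscustomobject]@{ Time=$now.AddMinutes(-$i); User='CORP\bob'; Object="D:\Shares\HR\Folder$i\file.txt"; Process='C:\Windows\explorer.exe'; AccessMask='0x1' }
}

Get-AccessDenialSummary -Denials $sample | Format-Table -AutoSize
# Against a live server: Get-AccessDenialSummary -Denials (Get-RecentAccessDenials -Hours 24)
```

With the sample data, alice's owner-file denial is discarded as noise and her single remaining denial is not flagged, while bob is flagged for being denied in six distinct HR folders within a few minutes. That flag, together with the process names and time window, is the piece of evidence to take into the conversation with the user instead of a lone event; the same summary run over success audits (Event ID 4663, with the Audit Success keyword) for sensitive folders only is how the "they got in" case is kept to a manageable size.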