Auditing Specific Events - Page 2
As you can see, you can audit quite a few actions. Because some of the actions may be a bit unclear, and because other actions aren't listed in the figure, I'll describe each action:
- Traverse Folder/Execute File--In the case of a folder, this event is triggered when a member of the group tries to pass through the folder in an attempt to reach a subfolder or parent folder. If this window were for a file, the event would be triggered if a member of the group tried to run the program.
- List Folder/Read Data--In the case of a folder, the event is triggered when a member of the group tries to view the contents of the folder. In the case of a file, the event is triggered when a member of the group tries to read data from within the file.
- Read Attributes and Read Extended Attributes--This event is triggered when a member of the group tries to display the attributes (or extended attributes) of the file or folder.
- Create Files/Write Data--This event is triggered when a member of the group tries to create files in the folder or add data to the file.
- Create Folders/Append Data--This event refers to the condition in which a member of the group either creates a subfolder within the existing folder or appends data to the end of the file without overwriting any of the file's existing data.
- Write Attributes and Write Extended Attributes--These events refer to a member of the group trying to change the file or directory's attributes or extended attributes.
- Delete Subfolders and Files--This event is triggered when a member of the group deletes a file or subdirectory within an audited directory.
- Delete--The Delete action is logged when a group member tries to delete a file or folder.
- Read Permissions--This event is logged when a group member tries to see who has permissions to a file or folder, or if the group member tries to determine the owner of the file or folder.
- Change Permissions--This event is logged when a group member tries to change who has access to a file or folder.
- Take Ownership--The Take Ownership event is triggered when a group member attempts to take ownership of a file or folder.
Remember that you can audit either successes (for example, the file was deleted) or failures (Bob tried to delete a file) or both for any event. In Part 4 of this series, I'll continue the discussion by talking about auditing Active Directory objects.
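The same auditing entries can be set from a script instead of the dialog box. The following PowerShell is an added example, not part of the original article; the folder path and group name are hypothetical placeholders, and it assumes an elevated session on a machine where the "Audit object access" policy is already enabled.

```powershell
# Added example: script the audit entries described above with the .NET
# FileSystemAuditRule class. Path and group are hypothetical placeholders.
$path  = 'C:\AuditDemo'
$group = 'CONTOSO\Finance'

# Dialog label                     -> FileSystemRights name
# Traverse Folder/Execute File     -> Traverse / ExecuteFile
# List Folder/Read Data            -> ListDirectory / ReadData
# Create Files/Write Data          -> CreateFiles / WriteData
# Create Folders/Append Data       -> CreateDirectories / AppendData
# Delete Subfolders and Files      -> DeleteSubdirectoriesAndFiles
# Read/Change Permissions          -> ReadPermissions / ChangePermissions
# Take Ownership                   -> TakeOwnership
$ns = 'System.Security.AccessControl'

# Apply to this folder, its subfolders and its files.
$inherit = [Enum]::Parse("$ns.InheritanceFlags" -as [type], 'ContainerInherit, ObjectInherit')
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Rule 1: log successes AND failures for destructive or permission-changing actions.
$changeRights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$both = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$changeRule = New-Object "$ns.FileSystemAuditRule" ($group, $changeRights, $inherit, $propagate, $both)

# Rule 2: log only FAILED attempts to list the folder or read file data,
# which keeps routine successful reads out of the Security log.
$readRights = [System.Security.AccessControl.FileSystemRights]'ReadData'
$failOnly = [System.Security.AccessControl.AuditFlags]::Failure
$readRule = New-Object "$ns.FileSystemAuditRule" ($group, $readRights, $inherit, $propagate, $failOnly)

# -Audit is required; without it Get-Acl returns no SACL entries.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($changeRule)
$acl.AddAuditRule($readRule)
Set-Acl -Path $path -AclObject $acl

# Verify what is now being audited on the folder.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Auditing successful reads on a busy folder fills the Security log quickly, which is why the second rule records failures only.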
Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the director of information systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.