Auditing File Access in Windows 2008

 
Auditing File Access in Windows 2008 - 14.Sep.2009 10:54:59 AM   
alfa21

 

Posts: 5
Score: 0
Joined: 19.Aug.2009
Status: offline
Hi,

I've installed the trial version of the latest GFI EventsManager to see if it fits our needs. I have a few things which I can't figure out.

1. What needs to be allowed in the firewall in Windows 2008 in order for GFI to work?
2. Is there any way to know which file was deleted, apart from tracking through the Handle ID?
3. When a user changes their password, is there a way to know which computer was used, assuming that we have GFI configured to collect logs from the computers as well?

Thank you for your support.
Post #: 1
RE: Auditing File Access in Windows 2008 - 14.Sep.2009 11:05:21 AM   
DrewE

 

Posts: 1058
Score: 0
Joined: 28.Apr.2008
From: Cary, NC
Status: offline
These articles should assist you:

What are the ports used by GFI EventsManager? http://kbase.gfi.com/showarticle.asp?id=KBID002770
Auditing file, folder or Registry activity: http://kbase.gfi.com/showarticle.asp?id=KBID002902

In regards to knowing what computer the password change request came from, you won't be able to see this in the Security:627 (Change Password Attempt) event, but you should get this information from the Security:642 event:

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=627
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=642

_____________________________

Drew Easley - Technical Support Representative
GFI Software - www.gfi.com

(in reply to alfa21)
Post #: 2
RE: Auditing File Access in Windows 2008 - 15.Sep.2009 8:34:20 AM   
alfa21

 

Thank you very much for your reply, and links. I found them very useful.

However, I still can't find a way to know which file was deleted from Object Deleted under Object Access. The only way for me to know is by using the Handle ID.
Is there another way, or is this the standard way to find it?

Thank you

(in reply to DrewE)
Post #: 3
RE: Auditing File Access in Windows 2008 - 15.Sep.2009 11:29:44 AM   
DrewE

 

Do you see the Object Deleted events showing up in GFI EventsManager, but without the filename?


(in reply to alfa21)
Post #: 4
RE: Auditing File Access in Windows 2008 - 15.Sep.2009 2:38:40 PM   
alfa21

 

Yes, I do.

(in reply to DrewE)
Post #: 5
RE: Auditing File Access in Windows 2008 - 18.Sep.2009 8:26:58 AM   
DrewE

 

Can you open a support request with us online at http://support.gfi.com/Support/support.aspx?lcode=en so we can best assist you with this trouble?


(in reply to alfa21)
Post #: 6
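The Handle ID tracking asked about in this thread, as an added example that is not part of the original posts and is not GFI's code: it matches each "object deleted" event, which carries no file name, to the earlier access event on the same handle. It assumes the Windows Server 2008 Security log event IDs 4663 (access attempt), 4660 (object deleted) and 4658 (handle closed), which the thread does not name; the dictionary keys and the sample events are constructed.

```python
# Added example: resolve "object deleted" events to file names via Handle ID.
# Assumed event IDs (Windows Server 2008 Security log, not named in the thread):
#   4663 = access attempt (has Object Name), 4660 = object deleted (no name),
#   4658 = handle closed. The dict keys are hypothetical export field names.
DELETE = 0x10000  # DELETE bit in the 4663 access mask
UNKNOWN = "<unknown: no matching 4663>"

def resolve_deletions(events):
    """Return (time, user, path) for each 4660, matched on host + PID + handle."""
    open_handles = {}  # (host, pid, handle) -> path requested with DELETE access
    deletions = []
    # sorted() is stable, so events sharing a timestamp keep their log order.
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["host"], ev["pid"], ev["handle"])
        if ev["id"] == 4663 and int(ev["mask"], 16) & DELETE:
            open_handles[key] = ev["object"]
        elif ev["id"] == 4660:
            deletions.append((ev["time"], ev["user"], open_handles.get(key, UNKNOWN)))
        elif ev["id"] == 4658:
            # Handle IDs are reused after close; drop the mapping so a later
            # 4660 on the same ID is not blamed on the wrong file.
            open_handles.pop(key, None)
    return deletions

def _ev(time, eid, handle, **extra):
    # Helper for the constructed sample: one file server, one process.
    return dict(time=time, id=eid, host="FS01", pid="0x4", handle=handle, **extra)

# Constructed sample events (not taken from a real log).
SAMPLE = [
    _ev("2009-09-15T10:00:01", 4663, "0x1a4", user="alice",
        mask="0x10000", object=r"D:\Share\budget.xls"),
    _ev("2009-09-15T10:00:01", 4660, "0x1a4", user="alice"),
    _ev("2009-09-15T10:00:02", 4658, "0x1a4"),
    # Same handle ID reused for a plain read (mask 0x1, no DELETE bit).
    _ev("2009-09-15T10:05:00", 4663, "0x1a4", user="bob",
        mask="0x1", object=r"D:\Share\notes.txt"),
    _ev("2009-09-15T10:05:01", 4658, "0x1a4"),
    # A deletion whose 4663 was not collected: must stay unresolved.
    _ev("2009-09-15T10:09:30", 4660, "0x1a4", user="bob"),
]

if __name__ == "__main__":
    for when, user, path in resolve_deletions(SAMPLE):
        print(when, user, path)
```

An unresolved deletion in the output usually means the access event for that handle was not audited or not collected, so the audit settings on the folder are the first thing to check.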