File and Folder auditing generates to much information

[Guest Steve]

Hi,

 

I have configured object access auditing on a SBS 2003 Server. I have

followed MS articles, making sure everything is properly configured.

 

1- Activate the policy and link it to the domain controller

2- Go to the folder in question and selecting a security group (containing

only employee, no system accounts) and setting audit on read, write, etc.

The folder is on the D:\ drive.

 

The auditing seems to work, actually it's doing to much, user access to that

directory are being logged but also Administrator and SYSTEM account access

also to files (mmc.exe and store.exe for instance) that are located on the

C:\ drive? The customer wants to easily checked who did what. Sorting

through all that info doesn't interest them.

 

Also, strangely, if I look at a particular user's access, I find that the

user is making between 5-10 access per seconds to, what seems to me, random

directory, no human can click that fast! I'm pretty sure that it is not a

virus because all users are having the same kind of multiple access. We are

using TrendMicro Ent.Ed. and are up to date in virus defs and engine

versions. Handles for each access are differents? Could it be an

application, like Trend itself that is causing all of those access?

 

This is an important issue for my customer, the are asking to look for 3rd

party solutions if we cannot find a way to make this work!

 

Regards

 

Steve