Friday, July 17, 2009

Auditing Servers

You'll need to enable auditing for successful object access events on the servers on which the folders reside, and you'll need to enable auditing on the folders you want to monitor. To enable auditing on the servers, you can either use an existing Group Policy Object (GPO) that's applied to your file servers or, if you don't already control auditing through Group Policy, you can enable it in each server's Local Computer Policy. Either way, set the Audit object access policy under Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy (in Group Policy Editor, GPE) to a Security Setting of Success.

How To Audit a Folder

To enable auditing on a folder, open the folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. Be careful which permissions you enable for auditing because you can easily fill up your log with access events. In your case, you want to monitor only for successful uses of the permission that lets a user change an object's ACL: the Change permissions permission. Figure 1 shows that I've enabled auditing of Change permissions on the DeptFiles folder. I've also specified Everyone as the name of the audit entry because I want to audit everyone.

Wednesday, July 15, 2009

Important Event IDs under Windows Server 2003

If your server is running Windows Server 2003, you'll also see event ID 567 (Object Access Attempt) in between event IDs 560 and 562. Event ID 567 is part of Windows 2003's new operation-based auditing. Operation-based auditing lets you identify permissions that a user actually exercises as opposed to permissions that a user has but doesn't use. For instance, a program might open a file for read and write access (triggering an event ID 560 that shows both read and write access) but never actually write any data to the file. Windows 2003 logs event ID 567 the first time an application actually uses each permission while the file is open. A permission change operation is atomic (i.e., the object isn't opened for delete and then deleted; it's just deleted), so there's no need to look for event ID 567; it should always be there.
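The following sketch is an added example, not part of the original post. It correlates event IDs 560, 567 and 562 by handle to separate requested permissions from exercised ones and to list ACL changes. The record layout and field names are simplified assumptions, the sample events are constructed, and WRITE_DAC is the access name that corresponds to the Change permissions permission.

```python
# Constructed sample records (not real log data). The dict keys are simplified
# stand-ins for values found in the Security log event descriptions.
EVENTS = [
    {"id": 560, "handle": "0x1a4", "user": "alice",
     "object": r"D:\DeptFiles\plan.doc", "accesses": {"ReadData", "WriteData"}},
    {"id": 567, "handle": "0x1a4", "accesses": {"ReadData"}},
    {"id": 562, "handle": "0x1a4"},
    {"id": 560, "handle": "0x2b8", "user": "bob",
     "object": r"D:\DeptFiles", "accesses": {"WRITE_DAC"}},
    {"id": 567, "handle": "0x2b8", "accesses": {"WRITE_DAC"}},
    {"id": 562, "handle": "0x2b8"},
    {"id": 560, "handle": "0x3c0", "user": "carol",
     "object": r"D:\DeptFiles\a.xls", "accesses": {"ReadData"}},  # no 562 yet
]

def correlate(events):
    """Group 560 (open), 567 (permission used) and 562 (close) by handle ID.

    Handle IDs are reused after a close, so a handle is tracked only between
    its 560 and its 562. A production version would also key on process ID.
    """
    open_handles, sessions = {}, []
    for ev in events:
        h = ev["handle"]
        if ev["id"] == 560:
            open_handles[h] = {"user": ev["user"], "object": ev["object"],
                               "requested": set(ev["accesses"]),
                               "used": set(), "closed": False}
        elif ev["id"] == 567 and h in open_handles:
            open_handles[h]["used"] |= ev["accesses"]
        elif ev["id"] == 562 and h in open_handles:
            session = open_handles.pop(h)
            session["closed"] = True
            sessions.append(session)
    sessions.extend(open_handles.values())  # handles still open at end of log
    return sessions

def unused_permissions(session):
    """Permissions shown in 560 that never appeared in a 567."""
    return session["requested"] - session["used"]

def acl_changes(sessions):
    """(user, object) pairs where Change permissions was actually exercised."""
    return [(s["user"], s["object"]) for s in sessions if "WRITE_DAC" in s["used"]]

if __name__ == "__main__":
    for user, obj in acl_changes(correlate(EVENTS)):
        print(f"ACL changed by {user} on {obj}")
```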

Tuesday, July 14, 2009

Mobile Users Security

I'm going to assume that you've already chosen your hardware, so I'll focus on the most crucial factors in establishing reasonable network safety: securing mobile users, staying aware of potential security flaws, and managing usernames and passwords. First, mobile users are a major source of potential security problems. Be certain that all mobile systems are running personal firewalls to protect against viruses and worms. Also, define security policies that apply to all mobile users and make sure that the users are aware of these policies. I suggest you read the Web-exclusive article open source network inventory, and apply this information to mobile users and their systems.