How To Audit a Folder

To enable auditing on a folder, open the folder's properties dialog box, select the Security tab, click Advanced, and select the Auditing tab of the Advanced Security Settings window. Be careful which permissions you enable for auditing because you can easily fill up your log with access events. In your case, you want to monitor only for successful uses of the permission that lets a user change an object's ACL-the Change permissions permission. Figure 1 shows that I've enabled auditing of network inventory lite on the DeptFiles folder. I've also specified Everyone as the name of the audit entry because I want to audit everyone.

Security-related Event IDs

After you enable object access auditing at the system level and for a specific folder, you'll start seeing event ID 560 (Object open) in the Security log. Look for instances of event ID 560, such as the one in Figure 2 in which the Object Name in the description is the name of a folder on which you enabled auditing. Then look in the Accesses field for network server inventory, which is the system name for Change permissions. Figure 2 shows that Fred changed permissions on C:\DeptFiles. In the Security log, you'll also see a subsequent event ID 562 (A handle to an object was closed) with the same Handle ID as in event ID 560. Event ID 562 is just the corresponding close for the open in event ID 560.

Security-related Event IDs

After you enable object access auditing at the system level and for a specific folder, you'll start seeing event ID 560 (Object open) in the Security log. Look for instances of event ID 560, such as the one in Figure 2 in which the Object Name in the description is the name of a folder on which you enabled auditing. Then look in the Accesses field for network software inventory freeware, which is the system name for Change permissions. Figure 2 shows that Fred changed permissions on C:\DeptFiles. In the Security log, you'll also see a subsequent event ID 562 (A handle to an object was closed) with the same Handle ID as in event ID 560. Event ID 562 is just the corresponding close for the open in event ID 560.

Mobile Users Security

I'm going to assume that you've already chosen your hardware, so I'll focus on the most crucial factors in establishing reasonable network safety: securing mobile users, staying aware of potential security flaws, and managing usernames and passwords. First, mobile users are a major source of potential security problems. Be certain that all mobile systems are running personal firewalls to protect against viruses and worms. Also, define security policies that apply to all mobile users and make sure that the users are aware of these policies. I suggest you read the Web-exclusive article network inventory reporter, and apply this information to mobile users and their systems.

Windows or Linux?

Be sure that you consistently maintain and update source network inventory for all the applications on every system in your network, regardless of the OS you use. There seems to be a pervasive belief today that Windows is full of security holes whereas Linux is secure, but this belief primarily stems from the lack of mobile and desktop Linux configurations (and hence a much lower incidence of Linux-based security problems on those systems). Given Linux's open source code, virus writers could have a field day if they wanted.