Hello,

> I was wondering if there are any other file access/modification audit trails
> generated apart from the ones which can be set through the security/auditing
> tab for a folder's properties.

On an NTFS filesystem, every file has a MAC time (Modified/Accessed/Created). You should be careful not to modify the "last accessed" time while investigating an incident (hint: mount the partition as r/o inside a Linux system). You can also enable file audit on a file-by-file basis, but be careful that the system-wide "object access" audit must be enabled also.

> I want to know if there is any kind of logging done by default when a 2003
> box is uhh, fresh out of the box.

Audit policy is disabled by default, sorry. If your server has already been compromised, it is too late.

> Also, how can logs be sent to another machine for storage?

As others pointed out: NTSysLog.

Regards,
- Nicolas RUFF
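An added example, not part of the original message: a small collector that builds a timestamp timeline from a partition mounted read-only on a Linux workstation, as the reply's hint suggests. The mount point `/mnt/evidence` and all function names are assumptions; the script refuses to run on a writable mount and uses `lstat` only, so file contents are never opened. On Linux, `st_ctime` is the inode change time, not the NTFS creation time.

```python
import os
from datetime import datetime, timezone


def is_mounted_readonly(path):
    """True if the filesystem holding `path` is mounted read-only."""
    return bool(os.statvfs(path).f_flag & os.ST_RDONLY)


def collect_mac_times(root, require_readonly=True):
    """Walk `root` and record timestamps from metadata only (no file is opened)."""
    if require_readonly and not is_mounted_readonly(root):
        raise RuntimeError(root + " is writable; remount read-only before collecting")
    rows = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat does not follow symlinks or read contents
            rows.append({
                "path": full,
                "modified": st.st_mtime,
                "accessed": st.st_atime,
                "changed": st.st_ctime,  # inode change time as reported by Linux
            })
    return rows


def build_timeline(rows):
    """Flatten per-file rows into (timestamp, kind, path) events, oldest first."""
    events = []
    for row in rows:
        for kind in ("modified", "accessed", "changed"):
            events.append((row[kind], kind, row["path"]))
    events.sort()
    return events


def format_event(event):
    """Render one event with a UTC timestamp for the incident notes."""
    ts, kind, path = event
    stamp = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    return stamp + " UTC  " + kind.ljust(8) + "  " + path


if __name__ == "__main__":
    # Hypothetical mount point for the evidence partition.
    for ev in build_timeline(collect_mac_times("/mnt/evidence")):
        print(format_event(ev))
```
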
