Windows audit feature

swamp2k

Hi,
I have a Windows server on which the owner would like to activate Windows file auditing; however, when he does, it also triggers a new full backup. So apparently some file and folder attributes change.
Anyone know if there is a way around this? I'm afraid I don't quite know which attributes change in the file.

I'd like to let him use the audit feature, but triggering a full backup is a rather nasty side effect.
 
The Spectrum Protect client looks at several things to see if a file has changed or not.

Changes include any of the following:
  • File size
  • Date or time of last modification
  • Extended Attributes
  • Access Control List
  • Sparse, reparse point or encrypted file attributes.
  • NTFS file security descriptors. These are the Owner Security Identifier (SID), Group SID, Discretionary Access Control List (ACL), and System ACL.
source: https://www.ibm.com/support/knowled...0/com.ibm.itsm.client.doc/c_bac_fullpart.html

The Auditing falls under the System ACL.



So if this changes, the file is backed up because those attributes are part of the file, not separate from the file. Because it changed, the whole file is backed up so that if you ever have to restore those files, they will be restored with their current SACL.
 
That's very interesting! Thanks.
I'll have a look right away and see where that leaves me :)
 
Very nice. So I guess the big question is, what - if anything - can I do about it?
Since the ACL is an integral part of the file, maybe there isn't much to do. Or is there an option I haven't found that ignores that part of file checking?
 
There is, but in 99.9% of cases, not recommended. You could use the client option "Skipntpermissions yes"

However, if you use that option, file permissions are NOT backed up. Therefore if you restore the filesystem, all files and directories will be restored WITHOUT permissions and you or someone will have to manually go and set file permissions on the entire directory structure.

If you already enabled auditing, it's best to just bite the bullet and let it back up all files that have auditing enabled.

If you have not enabled auditing yet, maybe consider doing it for more critical directories instead of the entire filesystem.
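
Added example, not part of the original thread: a PowerShell sketch for sizing the effect of the last suggestion before committing to it. It reports how many objects under one directory would inherit a new audit entry (and so, per the explanation above, be selected by the next incremental backup), then adds the entry to that directory only. The path `D:\Finance`, the `Everyone` identity, the audited rights and both function names are assumptions chosen for illustration.

```powershell
# Added example. 'D:\Finance' and 'Everyone' are assumed sample values.
# Run elevated: reading or writing a SACL requires SeSecurityPrivilege.

function Get-SaclBackupImpact {
    param([Parameter(Mandatory)][string]$Path)

    # The directory itself plus everything that would inherit its SACL
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    $files = @($items | Where-Object { -not $_.PSIsContainer })

    # Objects that already carry audit entries (explicit or inherited)
    $audited = @($items | Where-Object {
        $acl = Get-Acl -LiteralPath $_.FullName -Audit
        $acl.GetAuditRules($true, $true,
            [System.Security.Principal.NTAccount]).Count -gt 0
    })

    [pscustomobject]@{
        Path           = $Path
        Objects        = $items.Count
        AlreadyAudited = $audited.Count
        # Upper bound on data resent when the security descriptor changes
        FileBytes      = [long](($files | Measure-Object -Property Length -Sum).Sum)
    }
}

function Add-DirectoryAuditRule {
    param([Parameter(Mandatory)][string]$Path,
          [string]$Identity = 'Everyone')

    $acl  = Get-Acl -LiteralPath $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions',
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AuditFlags]'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl   # children inherit the entry
}

$target = 'D:\Finance'                           # assumed critical directory
Get-SaclBackupImpact -Path $target | Format-List
# Add-DirectoryAuditRule -Path $target           # apply after reviewing the numbers
```

Comparing `FileBytes` for a single directory against the same figure for the whole volume shows how much of the one-time re-backup is avoided by auditing only the critical paths.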
 