Tech Tip: Monitor shared folder access/Remove ISAPI filters

Windows 2000 Professional: Monitor shared folder access

Like other Windows operating systems, Windows 2000 Professional enables users to share folders with others on the network. The shared folders can be protected with share permissions and, if the folder is hosted on an NTFS volume, with NTFS permissions. However, even with these security mechanisms in place, in many situations it can still be important to keep track of who accesses a particular folder or file. Disproportionate access to a folder by a particular account can indicate a compromised user account.

Perhaps the most direct way to monitor share access is to enable object access auditing. This enables Windows to place an event in the Security event log when someone accesses a folder or file, fails at that action, or both. Monitoring successful attempts helps track who is using the folder; monitoring unsuccessful attempts helps identify authorized users who are having problems connecting or users who are attempting to access a share for which they aren't authorized.

  1. In local or group policy, go to Security Settings\Local Policies\Audit Policy\Audit Object Access and enable object access auditing.
  2. To configure auditing for individual folders and files, right-click the folder or file and choose Properties.
  3. Click the Security tab, and click Advanced.
  4. Click the Auditing tab, click Add, add a group or user, and click OK.
  5. In the resulting Auditing Entry dialog box, place checks in the Successful and/or Failed columns for each event you want to monitor.
  6. Click OK to close the dialog box, close the remaining dialog boxes, and close the Properties for the folder.

Note: Enabling auditing on a heavily used folder or file can generate a large number of events in the Security log.
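
Once auditing is producing events, the per-account comparison described above can be automated. The following is an added example, not part of the original tip: it assumes the Security log has been exported to CSV with the hypothetical columns type, event_id, account and object, uses constructed sample records, and flags accounts whose successful opens exceed three times the median (an arbitrary threshold chosen for illustration).

```python
import csv
import io
from collections import Counter
from statistics import median

OBJECT_OPEN = "560"  # Security log event ID for an audited object open on Windows 2000


def build_sample():
    """Constructed records in the assumed CSV layout: type,event_id,account,object."""
    fin, pub = r"D:\Shares\Finance", r"D:\Shares\Public"
    rows = [("Success", OBJECT_OPEN, r"CORP\alice", fin + r"\q1.xls")] * 4
    rows += [("Success", OBJECT_OPEN, r"CORP\bob", fin + r"\q1.xls")] * 5
    rows += [("Success", OBJECT_OPEN, r"CORP\carol", fin + r"\plan.doc")] * 3
    rows += [("Success", OBJECT_OPEN, r"CORP\temp01", fin.upper() + r"\q1.xls")] * 40
    rows += [("Failure", OBJECT_OPEN, r"CORP\dave", fin + r"\payroll.xls")] * 6
    rows += [("Success", OBJECT_OPEN, r"CORP\alice", pub + r"\readme.txt")] * 9
    rows += [("Success", OBJECT_OPEN, r"CORP\erin", fin + r"Old\x.doc")] * 50  # sibling folder
    rows += [("Success", "999", r"CORP\bob", "")] * 2  # some other event ID, ignored
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["type", "event_id", "account", "object"])
    writer.writerows(rows)
    return buf.getvalue()


def review_folder(export_text, folder, ratio=3.0):
    """Count audited opens under `folder` per account; flag heavy users and failures."""
    # Trailing backslash keeps D:\Shares\FinanceOld from matching D:\Shares\Finance.
    prefix = folder.rstrip("\\").lower() + "\\"
    ok, failed = Counter(), Counter()
    for rec in csv.DictReader(io.StringIO(export_text)):
        if rec["event_id"] != OBJECT_OPEN:
            continue
        if not rec["object"].lower().startswith(prefix):  # Windows paths ignore case
            continue
        (ok if rec["type"] == "Success" else failed)[rec["account"].lower()] += 1
    baseline = median(ok.values()) if ok else 0
    heavy = sorted(a for a, n in ok.items() if baseline and n > ratio * baseline)
    return {"success": dict(ok), "failure": dict(failed),
            "baseline": baseline, "heavy": heavy}


if __name__ == "__main__":
    report = review_folder(build_sample(), r"D:\Shares\Finance")
    print("Disproportionate access:", report["heavy"])
    print("Failed attempts:", report["failure"])
```

Accounts listed under failure correspond to the unsuccessful attempts the tip describes: authorized users having trouble connecting, or users trying a share they aren't authorized for.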

Windows 2000 Server: Remove ISAPI filters

Internet Information Server (IIS) uses Internet Server API (ISAPI) filters to implement features that aren't part of the IIS core. For example, IIS uses ISAPI filters to support SSL (sspifilt.dll), compression (compfilt.dll), digest authentication (md5filt.dll), and FrontPage Server Extensions (fpexedll.dll).

A given ISAPI filter is needed only if you use the feature it supports. For example, if you don't host FrontPage Webs on your server, you can remove its filter. Likewise, if you don't use SSL, you can remove that filter. Removing ISAPI filters reduces IIS overhead and can avoid potential bugs or security risks introduced by a particular filter.

IIS loads some global filters, and others can be loaded by each Web site. Therefore, you need to look for ISAPI filters in two places:

  • In the properties for the server.
  • In the properties for each Web site.

To remove global filters, follow these instructions:

  1. Open the IIS console, right-click the server, and choose Properties.
  2. On the Internet Information Services tab, click Edit in the Master Properties group, and click the ISAPI Filters tab.
  3. The ISAPI Filters tab lists all global filters loaded for the server. Select a filter and click Remove, or click Disable to leave the filter in the list but prevent it from being loaded.

To configure ISAPI filters for a particular site, right-click the site in the IIS console, choose Properties, and click the ISAPI Filters tab. Remove or disable filters as needed.
