To audit a single file:
- Right-click the file and select Properties.
- On the Security tab, click the Advanced button.
- Switch to the Auditing tab and click the Edit button.
- Click Add to choose users and groups for monitoring. The common practice is to add the Authenticated Users group.
- Select the checkboxes for the required events for both Success and Failure in Auditing Entry. For an explicit audit, select all checkboxes.

Performing Windows file auditing helps detect leaks and unauthorized modifications of sensitive data. Netwrix Auditor for Windows File Servers automates file server auditing and reporting, thereby mitigating the risk of compliance failures and problems with the integrity, availability and confidentiality of data.

We can configure file access auditing in Windows Server 2016 so that events are logged every time a specified user or group successfully accesses, or attempts and fails to access, a specified file or folder. This post will show you how to configure file access auditing in Windows Server 2016. Before Windows will log file system events, you need to enable auditing in policy and configure system access control lists (SACLs) on the files and folders that you want to audit.
Since Windows doesn’t keep network logon sessions active if no files are held open, you will tend to see this event frequently if you enable the “File Share” audit subcategory. There is no way to configure Windows to produce just the share change events and not this access event as well.

For Windows File Server Auditing
Before you start creating a monitoring plan to audit your Windows file servers, plan for the account that will be used for data collection – it should meet the requirements listed below.
Windows Server 2008 and 2008 R2 have been among the most widely deployed servers in project setups, where they are used to support collaborative work environments. However, because multiple resources have access to the same objects in this kind of setup, assigning responsibility for user actions becomes of the utmost importance.
This can be ensured by auditing all user actions related to file and folder access. In this guide, we are going to see how we can enable auditing on Windows Server 2008 and 2008 R2.
On Windows Server 2008 and 2008 R2, auditing file and folder accesses consists of two parts.
Step 1: Enable File and Folder auditing
Enabling File and Folder auditing
It can be done in two ways:
a) Through Group Policy (for Domains, Sites and Organizational Units)
b) Local Security policy (for single Servers)
Step 2: Enable auditing for object access
To enable auditing for object access on Microsoft Windows Server 2008, follow these steps:
A) Open Group Policy Management Console.
B) Go to the concerned domain and expand the node against it
C) Go to the Group Policy Objects and right-click on it
D) Select New from the popup menu
E) In the New GPO dialog box, enter the name of the new GPO and click ‘Ok’
F) Right-click on the newly created GPO and select ‘Edit’ from the pop-up menu
G) The Group Policy Management Editor window opens up
H) Go to Computer Configuration ► Policies ► Windows Settings ► Security Settings ► Local Policies ► Audit Policies
I) In the right-pane, the list of all policies is displayed
(i) Audit Account Logon Events
(ii) Audit Account Management
(iii) Audit Directory Service Access
(iv) Audit Logon Events
(v) Audit Object Access
(vi) Audit Policy Change
(vii) Audit Privilege Use
(viii) Audit Process Tracking
(ix) Audit System Events
J) Go to the policy for which you want to define settings. If you define settings for all policies, a lot of logs will be generated
K) Double-click on the policy for which you want to define the settings
L) In the Properties dialog box that opens up, select Success/Failure or both
M) Click on ‘Ok’ to close the window
N) Next, you need to apply this policy on the DC. Go to RUN command and type: gpupdate /force /boot /logoff and click ‘Ok’
O) Gpupdate command prompt opens up and a message is displayed: “Updating Policy ...”
Step 3: Select specific Folder and define Users
After the policy has been applied, the next step is to select the files and folders to audit and the users whose actions are to be audited.
To select a specific folder and define users, follow these steps:
a) Go to Windows Explorer and locate the folder to be audited
b) Right-click on the folder and select Properties
c) In the Properties dialog box, select the Security tab and click on ‘Advanced’
d) In the Advanced Security Settings dialog box, select the Auditing tab
e) Click on the ‘Add...’ button.
f) In the Select User or Group dialog, enter names of Users whose accesses are to be audited
g) Select ‘Everyone’ to audit access attempts by all Users. Click on ‘OK’
h) Auditing Entry for Accounts dialog box opens up
i) Select the type of accesses to be audited. Successful access/Failed access or both can be selected
j) Click ‘Ok’ and ‘Apply’ to save the settings
From this point onwards, all the access attempts to this particular folder by all Users would be recorded on the DC. To view these event logs use Windows event viewer.
4 Comments
- SerranoJMO64 Sep 30, 2015 at 11:40pm: One thing to mention here: If you enable the older, standard Audit Policy items (older 9 item list), it enables some logging items that are high-volume and may fill up the security logs, such as Audit Filtering Platform Connection and Audit Filtering Platform Packet Drop. For those that just want to enable File Auditing, and not a bunch of peripheral, high volume logs, the best way is to leverage Server 2008's Advanced Audit Policy Configuration settings which give you more granular control over what you want the system to log. https://technet.microsoft.com/en-us/library/dd772712(v=ws.10).aspx
- Jalapenofunkihunter Jul 25, 2016 at 04:56pm: Which of the 9 covers files/folders? Or would I have to do that through the granular level that JMO64 mentioned? EDIT: Granular level on 'File Share'
- CayenneChris (IS Decisions) Oct 5, 2016 at 08:51am: If you want to go further than manual auditing take a look at the solution FileAudit. FileAudit offers real-time monitoring and alerts on all access and access attempts to files and folders across a Windows Server. Filtering capabilities exclude irrelevant data and scan options allow certain access events to be excluded from the audit. It also has functions such as ‘mass access and alteration alerts’ which help highlight possible breaches. It can track IP address information from all remote data access and takes just a few minutes to set up. Agentless and non-intrusive, it’s super easy to manage and can even be delegated to non IT execs. http://www.isdecisions.com/products/fileaudit/
- AnaheimScott Pon Jan 25, 2018 at 08:25pm: Where in the event logs is this? I have followed your steps and I can't find where these audit log entries are found. I've looked (and haven't found any entries):
Windows Logs -> Security
Applications and services logs -> Microsoft -> Windows -> Security Audit Configuration Client
so I'm lost where to look. EDIT: Never mind. There was another GPO setting for 'Advanced Audit Policy Configuration' and there was another setting under Windows Settings -> Security Settings -> Local Policies -> Security Options, called 'Audit force audit policy subcategory settings' so I had two audit policies fighting each other and the Advanced Audit policy was winning. Once I decided which way to go (advanced...) everything started working, and appears in the security log.
In any enterprise using file servers to store and share data, auditing is important to ensure data security. You can monitor multiple file servers in your domain. In this article, you will see how to track who accesses files on Windows File Servers in your organization, using Windows Server’s built-in auditing. At the end of the article, you will also see how to do it effortlessly through LepideAuditor.
Here are the steps to track who read a file on Windows File Server.
Step 1: Set “Audit Object Access” audit policy
Follow these steps one by one to enable “Audit object access” audit policy:
- Launch “Group Policy Management” console. For that, on the primary “Domain Controller”, or on the system where “Administration Tools” is installed, type “gpmc.msc” in the “Run” dialog box, and click “OK”.
- After you have opened the “Group Policy Management” window, you will have to create a new GPO, or edit an existing one.
- To edit an existing GPO, in the left-pane, right-click on the default or a user-created GPO, and click “Edit” on the context menu. This action opens the Editor window of Group Policy Management Editor. Note: If you want to track multiple folders, you will have to configure audit for every folder individually.
- Navigate to “Security” tab. Note: It is suggested to create a new GPO, link it to the domain, and edit it.
- In the “Group Policy Management Editor” window, you have to set the appropriate audit policy.
- To audit file accesses, you have to set “Audit object access” policy. For that, navigate to “Computer Configuration” → “Windows Settings” → “Security Settings” → “Local Policies” → “Audit Policy”. All the available policies under “Audit Policy” are displayed in the right panel.
- Double-click “Audit object access” policy to open its “Properties”.
- On this window, click “Define these policy settings” checkbox. Then, you get two options to audit – “Success” and “Failure”. The former lets you audit successful attempts made to access the objects, whereas the latter lets you audit failed attempts.
- Select any one or both the options as per requirement. It is recommended to select both options. In our case, we have selected both the options because we want to audit both the successful and the failed attempts.
- Click “Apply” and “OK” to close the window.
- To immediately update the Group Policy instead of waiting for it to auto update, run the following command in the “Command Prompt”: gpupdate /force
Step 2: Set auditing on the files that you want to track
After configuring GPO, you have to set auditing on each file individually, or on folders that contain the files. Here are the steps:
- Open “Windows Explorer” and navigate to the file or folder that you want to audit.
- Right-click the file and select “Properties” from the context menu. The file’s properties window appears on the screen. Note: If you want to track multiple files, put them into one, two or more folders to enable their auditing easily. Doing this saves you from repeating these steps for each file.
- By default, “General” tab of “Properties” window appears on the screen. Go to “Security” tab.
- On “Security” tab, click “Advanced”. The “Advanced Security Settings for ” window appears on the screen.
- In “Advanced Security Settings for ” window, go to “Auditing” tab.
- On this tab, you have to create a new audit entry. For that, click “Add”. The “Auditing Entry for ” window appears on the screen.
- In “Auditing Entry for ” window, at first, select users whose actions you want to audit. Click “Select a Principal”, to open “Select User, Computer, Service Account, or Group” dialog box.
- Here, choose users to audit. If you want to audit all users’ activities, enter “Everyone” in the “Enter the object name to select” field, and click “Check Names”. In our case, we enter “Everyone”.
- Click “OK” to close the dialog box.
- Three options are available in the “Type” picklist: “Success”, “Fail”, and “All”. We select “All” option because we want to audit both successful and failed attempts.
- In “Permissions” section, you can select all activities that you want to audit. To audit file reads, select “Traverse Folder/Execute File”, “List Folder/Read data”, “Read attributes”, and “Read extended attributes” permissions. Note: If you want to audit all the activities, select the “Full Control” checkbox.
- Click “OK” to close “Auditing Entry for File Access auditing” window.
- Back in the “Advanced security settings” window, now you see the new audit entry.
- Click “Apply” and “OK” to close the window.
- Click “Apply” and “OK” to close file properties.
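A scripted equivalent of Steps 1 and 2 for a single server, added here as an example (it is not part of the original article). It uses the built-in auditpol tool and the .NET FileSystemAuditRule class; the folder path is a hypothetical placeholder, and the commands assume an elevated PowerShell session.

```powershell
# Added example, not from the original article.
# $Path is a hypothetical folder; replace it with the folder you want to audit.
$Path = 'D:\Shares\Finance'

# Step 1 equivalent: enable only the "File System" subcategory of Object Access
# for success and failure. This is narrower than the category-level
# "Audit object access" policy, so fewer unrelated events are logged.
# A domain GPO that defines this setting takes precedence over this local change.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2 equivalent: build a SACL entry for the read permissions the article
# lists (Traverse/Execute, List/Read data, Read attributes, Read extended attributes).
$rights  = [System.Security.AccessControl.FileSystemRights]'ExecuteFile, ReadData, ReadAttributes, ReadExtendedAttributes'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# 'Everyone' matches the principal used in the article (the "All" type:
# both successful and failed attempts).
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $prop, $flags)

# -Audit is required to read the SACL; without it only the DACL is returned.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: show the audit entries now on the folder and the effective policy.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
auditpol /get /subcategory:"File System"
```

Because the rule is inherited by child objects, setting it once on a folder covers the files inside it, which avoids repeating the dialog steps per file.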
Step 3: Track who reads the file in Windows Event Viewer
To see who reads the file, open “Windows Event Viewer”, and navigate to “Windows Logs” → “Security”. There is a “Filter Current Log” option in the right pane to find the relevant events.
If anyone opens the file, event ID 4656 and 4663 will be logged. For example, in our case, someone opened the file (File access auditing.txt), and as shown in the following image, a file access event (ID 4663) was logged. You can see who accessed the file in “Account Name” field and access time in “Logged” field.
In the image below, you can see the file’s name (C:\Users\Administrator\Documents\New Text Document.txt), which is visible after you scroll down the side bar, under the “Object Name” field.
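The same lookup can be done from PowerShell instead of the Event Viewer filter. This is an added example, not part of the original article; it uses Get-WinEvent to pull event ID 4663 for one file and prints the “Account Name” and “Object Name” fields described above. The target path is the file name shown in the article, and the session is assumed to be elevated.

```powershell
# Added example, not from the original article.
# File whose read events we want to list (path taken from the article's example).
$Target = 'C:\Users\Administrator\Documents\New Text Document.txt'

# Filter on the server side: event ID 4663 whose ObjectName equals the target.
# Assumption: the path contains no single quote, which would break the XPath string.
$xpath = "*[System[(EventID=4663)] and EventData[Data[@Name='ObjectName']='$Target']]"

Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Turn the named <Data> elements of the event into a lookup table.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        # AccessMask is a hex string such as 0x1; bit 0x1 is ReadData.
        $mask = [Convert]::ToInt32($data.AccessMask, 16)

        [pscustomobject]@{
            Logged     = $_.TimeCreated
            Account    = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
            ObjectName = $data.ObjectName
            Process    = $data.ProcessName
            AccessMask = $data.AccessMask
            ReadData   = ($mask -band 0x1) -ne 0
        }
    } |
    Sort-Object Logged -Descending |
    Format-Table -AutoSize
```

An empty result means either no matching access occurred or the audit policy and SACL are not both in effect on that server.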
In the next section, you will see how LepideAuditor for File Server can make the file auditing even more quick and straightforward.
Using LepideAuditor for File Server to track file read events
You can use LepideAuditor for File Server to track the file-read events on your Windows File Servers much more easily. The following image shows the “Read successful” report. The complete audit information about a file access is shown in a single line record.
In the above image, you can see the same file read report (C:\Users\Administrator\Documents\New Text Document.txt) in LepideAuditor for File Server. The event is highlighted, and all the audit information like who accessed the file, when and from which system is available in a single line record.
Conclusion
This article covers the way to track file read events in Windows File Servers. You also saw how to do it far more easily with LepideAuditor for File Server, which makes the entire process quicker and more straightforward. Thus, with our solution, you can easily track who reads files on your Windows File Servers.