Auditing on file server

  • Question

  • Hi

    I want to do auditing on file server Win 2008 R2. I want to find logs for file/folder creation, deletion, create share, delete share, etc.

    Please suggest how to achieve this.

    thanks

    Thursday, January 27, 2011 5:09 AM

Answers

  • Hi,

    You may simply enable and apply a GPO security setting to audit the object access, and then make the GPO link to the container which contains the file server that you want to audit.

    The configuration node of GPO:

    Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access

    You may enable auditing both success and failure attempts on the setting for the security consideration.

    For enabling the audit settings on a stand-alone server, please refer to:

    How to audit user access of files, folders, and printers in Windows XP
    http://support.microsoft.com/kb/310399
    (This should be also applied to Windows server system)

    Configuring Audit Policies
    http://technet.microsoft.com/en-us/library/dd277403.aspx

    How To Set, View, Change, or Remove Auditing for a File or Folder in Windows 2000
    http://support.microsoft.com/kb/301640

    Apply or modify auditing policy settings for a local file or folder
    http://technet.microsoft.com/en-us/library/cc784387.aspx

    Hope this can be helpful.

    Scorprio


    • Proposed as answer by David Shen Thursday, January 27, 2011 7:32 AM
    • Marked as answer by Brent Hu Tuesday, February 1, 2011 4:08 AM
    Thursday, January 27, 2011 6:29 AM
  • Hi,

    If you want to see who's trying to access a folder of sensitive files on your file server, you can enable the Audit Object Access audit policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy in the appropriate GPO. Then use the ACL editor on the Security tab of the folder's properties sheet and specify which groups of users you want to audit accessing the folder.

    If you want to detect unauthorized attempts at accessing the files, enable Failure auditing in the policy and audit Read permissions in the ACL.

    If you want to see who is accessing the files and modifying them, enable Success auditing in the policy and audit Write and Append permissions in the ACL.

    Auditing Windows Server 2008 File and Folder Access
    http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

    Brent
    • Marked as answer by Brent Hu Tuesday, February 1, 2011 4:08 AM
    Thursday, January 27, 2011 6:30 AM
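
The folder-level half of the two answers above (Failure auditing on Read, Success auditing on Write and Append) can also be scripted instead of set through the Security tab. This is an added example, not part of the original thread; the folder path and group name are assumed placeholders, and the Delete rights are included only because the question also asks about deletions.

```powershell
# Run elevated on the file server: reading or writing a SACL needs SeSecurityPrivilege.
# Assumed placeholders, not values from the thread:
$Path  = 'D:\Shares\Finance'       # folder to audit
$Group = 'CONTOSO\Domain Users'    # principals whose access is audited

$ruleType  = 'System.Security.AccessControl.FileSystemAuditRule'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$onFailure = [System.Security.AccessControl.AuditFlags]::Failure
$onSuccess = [System.Security.AccessControl.AuditFlags]::Success

# Failure auditing on Read: only denied attempts are logged, so routine reads
# by authorized users do not fill the Security log.
$readRights = [System.Security.AccessControl.FileSystemRights]'Read'
$failedRead = New-Object -TypeName $ruleType -ArgumentList $Group, $readRights, $inherit, $propagate, $onFailure

# Success auditing on Write and Append: completed creations and modifications.
# Delete rights are added because the question also asks about deletions.
$changeRights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles'
$changed = New-Object -TypeName $ruleType -ArgumentList $Group, $changeRights, $inherit, $propagate, $onSuccess

# -Audit makes Get-Acl return the SACL as well as the DACL.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($failedRead)
$acl.AddAuditRule($changed)
Set-Acl -Path $Path -AclObject $acl

# Check the audit entries now on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Check that the policy side is on; without it the SACL produces no events.
auditpol /get /category:"Object Access"
```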

All replies

  • You might want to give a look to FileAudit.

    FileAudit monitors, archives and reports on accesses (or access attempts) to sensitive data stored on Microsoft Windows systems.

    With a right click in Windows explorer or from the console, FileAudit instantly gives a comprehensive list of:

    - read/write accesses

    - appropriation attempts (accepted or denied)

    - permission modification attempts (accepted or denied)

    each record detailing:

    - the user

    - the domain

    - the date and time of connection and disconnection

    for:

    - a file

    - a selection of files

    - a folder and subfolders

    - a selection of folders and subfolders


    François Amigorena | President & CEO | IS Decisions | www.ISDecisions.com
    Wednesday, December 21, 2011 7:24 AM
  • We use System Center to track Security ID 4663 (object access action), but be mindful of getting FLOODED on ID 4633 READS. If one of your users decides to Advance search the entire audited directories for a word within a document, this will trigger READ attribute event. OMG

    Thx, Joe

    Wednesday, March 13, 2013 4:12 PM
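
One way to keep the read noise described above out of a review is to decode the AccessMask field of each event 4663 and keep only records whose mask contains a write, append, delete or permission-change bit. This is an added example, not part of the original thread; the function name and the sample events are constructed for illustration.

```powershell
# File access-right bits that mean a change was made (values from winnt.h):
# 0x2 WriteData/AddFile, 0x4 AppendData/AddSubdirectory, 0x40 DeleteChild,
# 0x10000 DELETE, 0x40000 WRITE_DAC, 0x80000 WRITE_OWNER
$ChangeBits = 0x2 -bor 0x4 -bor 0x40 -bor 0x10000 -bor 0x40000 -bor 0x80000

# Hypothetical helper: turns one event's XML into a record with an IsChange flag.
function ConvertTo-FileAccessRecord {
    param([Parameter(ValueFromPipeline = $true)][string]$EventXml)
    process {
        # Flatten <EventData><Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($node in ([xml]$EventXml).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        # AccessMask is logged as hex text, e.g. 0x10000.
        $mask = [Convert]::ToInt32($data['AccessMask'], 16)
        New-Object PSObject -Property @{
            User     = $data['SubjectUserName']
            Object   = $data['ObjectName']
            Mask     = '0x{0:X}' -f $mask
            IsChange = ($mask -band $ChangeBits) -ne 0
        }
    }
}

# Constructed sample events, trimmed to the fields used here (not real log data):
# two reads of the kind a content search generates, one write and one delete.
$template = '<Event><EventData><Data Name="SubjectUserName">{0}</Data>' +
            '<Data Name="ObjectName">{1}</Data><Data Name="AccessMask">{2}</Data></EventData></Event>'
$samples = @(
    ($template -f 'alice', 'D:\Shares\Finance\q1.docx',  '0x1'),
    ($template -f 'alice', 'D:\Shares\Finance\q2.docx',  '0x80'),
    ($template -f 'bob',   'D:\Shares\Finance\q1.docx',  '0x2'),
    ($template -f 'carol', 'D:\Shares\Finance\old.xlsx', '0x10000')
)

# Only the bob (write) and carol (delete) records pass the filter.
$samples | ConvertTo-FileAccessRecord | Where-Object { $_.IsChange } |
    Format-Table User, Object, Mask -AutoSize

# Live usage on the file server (elevated session):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } |
#     ForEach-Object { $_.ToXml() } | ConvertTo-FileAccessRecord | Where-Object { $_.IsChange }
```

Filtering at query time does not reduce log volume; the read events are still written unless Success auditing of Read rights is left out of the folder's audit entries.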