Enable File Access Auditing in Windows
In this article I explain File System Access Auditing and how to enable it in a Windows environment. In places the terms File Server Access Auditing, File System Change Auditing and File Share Change Auditing are used as well; they all refer to the same feature.
Summary:
File System/File Server Access Auditing Introduction
File System Access Audit Event IDs
Steps to Enable File Access Auditing Event IDs via a new Group Policy
Enable File Access Auditing to Specific File Servers
Steps to Enable File Access Security Audit
Steps to Enable File Access Auditing using Auditpol command line tool
File Access/File Share Access Auditing Introduction:
In every organisation, sharing files and documents with users over the network is inevitable. For security reasons, access to certain files and folders should be granted only to a specific set of users. Permissions are never perfect, however, so auditing who actually accesses a file or folder is just as necessary. The accesses of interest are file create/add, delete, open, copy, rename, move, read, permission change, and failed access attempts. These are tracked through the file access audit event IDs listed below, which are generated only when two things are in place: the Object Access audit policy (the File System and Detailed File Share subcategories) must be enabled, and the folder itself must carry an auditing entry (a SACL) that says which principals and which access types to record. Either one alone produces no events.
File Access Audit Event IDs:
File access auditing is recorded by the following event IDs:
4656 (A handle to an object was requested): the first event logged when a user attempts to access a file. It records the access the user asked for (the Accesses / Access Mask fields), not the access actually exercised; that is reported by 4663. 4656 is generated by the File System audit subcategory when the object has a matching SACL entry.
4663 (An attempt was made to access an object): records the operation actually performed on the file, for example ReadData, WriteData or DELETE, along with the object name and the handle ID.
4658 (The handle to an object was closed): logged when the user closes the file. Correlating it with the earlier 4656 that has the same Handle ID tells you how long the file was open. It is produced only when the Handle Manipulation subcategory is enabled in addition to File System.
4660 (An object was deleted): logged when a user deletes a file or folder. The event carries only the Handle ID, not the path, so join it to the 4663 (DELETE access) with the same Handle ID to recover the object name.
4690 (An attempt was made to duplicate a handle to an object): like 4658, this comes from the Handle Manipulation subcategory and is of little use for file-server review on its own. There is no Security event 4990; a file open is recorded by 4656 (access requested) and 4663 (access used).
4670 (Permissions on an object were changed): logged when a user changes the permissions (the DACL) of a file or folder. The event contains who changed the permissions and the old and new security descriptors in SDDL form.
5145 (A network share object was checked to see whether client can be granted desired access): the Detailed File Share event, available from Windows 7 / Windows Server 2008 R2 onwards. It is the share-level counterpart of 4656 and adds information 4656 lacks: the client's source address and port, the share name and the relative target path of the accessed file. It is logged for every access check over SMB, so on a busy file server it is by far the highest-volume event in this list.
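The events above are only useful once you can pull them out of the Security log and join them on Handle ID. The following PowerShell is an added example written for this article, not code from the original post: it reads the last 24 hours of file-access events on a file server, flattens the EventData fields, recovers the deleted path for each 4660 from its matching 4663, lists permission changes, and summarises 5145 network access by client address. It assumes the audit policy and SACLs described in this article are already in place and is run elevated (or as a member of Event Log Readers) on the file server itself.

```powershell
# Added example (not part of the original article): collect and correlate
# file-access audit events from the local Security log.
$since = (Get-Date).AddHours(-24)
$ids   = 4656, 4658, 4660, 4663, 4670, 5145

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction Stop

# Flatten the EventData XML of one record into the fields a reviewer needs.
function ConvertTo-AuditRecord {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # 4656/4663/4670 carry ObjectName; 5145 carries ShareName + RelativeTargetName instead.
    $object = $data['ObjectName']
    if (-not $object) { $object = "$($data['ShareName'])\$($data['RelativeTargetName'])" }

    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Id         = $Event.Id
        User       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        Object     = $object
        HandleId   = $data['HandleId']
        AccessMask = $data['AccessMask']
        Source     = $data['IpAddress']     # populated only on 5145
    }
}
$records = $events | ForEach-Object { ConvertTo-AuditRecord $_ }

# 1. Deletes: 4660 has no path, so join it to the 4663 that opened the same handle.
$byHandle = $records | Where-Object Id -eq 4663 | Group-Object HandleId -AsHashTable -AsString
$records | Where-Object Id -eq 4660 | ForEach-Object {
    $open = $byHandle[$_.HandleId] | Select-Object -First 1
    [pscustomobject]@{ Time = $_.Time; User = $_.User; Deleted = $open.Object }
} | Format-Table -AutoSize

# 2. Permission changes (4670): who changed what, and when.
$records | Where-Object Id -eq 4670 | Select-Object Time, User, Object | Format-Table -AutoSize

# 3. Access over the network (5145): busiest client address / user pairs.
$records | Where-Object Id -eq 5145 |
    Group-Object Source, User | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize
```

On a production file server narrow the time window or the ID list before running this; with Detailed File Share enabled, 5145 alone can reach thousands of events per minute, and Get-WinEvent will happily read them all.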
Steps to Enable File System Change Audit Event IDs via a new Group Policy:
Follow the below steps to configure File Share Access Auditing Events:
Note: The audit policy alone produces no events. You must also configure the auditing entries (SACL) on each folder whose accesses you want to record; see "Steps to Enable File Access Security Audit" below.
1. Open Group Policy Management Console by running the command gpmc.msc.
2. Expand the domain node, right-click the OU that contains the file servers (here I have selected the OU File Servers), then click Create a GPO in this domain, and Link it here...
3. Type the new GPO name and click OK (Ex: File System Audit Policy).
4. Right-click on the newly created GPO, then click Edit.
5. Expand Computer Configuration and go to the node Audit Policy (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy).
6. In the right-hand pane, double-click the setting Audit object access.
7. In the window that opens, check Define these policy settings, tick Success and Failure, then click Apply.
8. On Windows Server 2008 R2 / Windows 7 and later you should instead configure this through Advanced Audit Policy Configuration, which lets you enable only the subcategories you need. Go to the node Advanced Audit Policy Configuration (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration).
9. Expand this node, go to Object Access (Audit Policies -> Object Access), then configure the settings Audit Detailed File Share, Audit File System and, optionally, Audit Handle Manipulation (Success and Failure as required).
Note: Do not mix the two methods. On these versions the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is enabled by default, so any advanced subcategory settings silently replace the legacy Audit object access setting from step 6-7.
Note: Audit Handle Manipulation does not control 4656; that event comes from Audit File System. Handle Manipulation adds 4658 (handle closed) and 4690 (handle duplicated), which are high-volume. If you do not need to correlate open and close times, leave Audit Handle Manipulation as Not Configured.
10. Refresh the policy by running gpupdate /force on the file servers inside the OU File Servers (or wait for the normal background refresh) to apply the setting.
Apply File Access Audit Policy to Specific File Servers:
By the above steps we have configured file access audit events for all file servers under the OU File Servers, but in some cases we may want to apply the policy only to a subset of them. You can achieve this with Security Filtering on the GPO.
1. Open the Scope tab of the GPO. In the Security Filtering section, select the entry Authenticated Users and click Remove.
2. Click Add, click Object Types..., tick Computers, select the computers (the file servers) to which you want to apply the file system audit policy, and click OK.
3. Since the June 2016 update MS16-072 (KB3163622), Group Policy is retrieved using the computer account, so the filtered computers still need Read access to the GPO: on the Delegation tab, add Authenticated Users (or Domain Computers) with Read permission only, not Apply group policy. Without this, the GPO is not applied at all.
4. Refresh the policy by running gpupdate /force on the selected file servers.
Steps to Enable File Access Security Audit:
1. Right-click the folder whose accesses you want to audit and click Properties.
2. Select the Security tab and click Advanced.
3. Go to the Auditing tab and click Add. (Editing the SACL requires the "Manage auditing and security log" user right, which Administrators hold by default.)
4. Click Select a principal, enter Everyone, set Type to All (or Success / Fail), tick the accesses you want to audit, then click OK and Apply. Auditing read access for Everyone on a busy share floods the Security log; audit Write, Delete, Change permissions and Take ownership by default, and add read auditing only on folders whose contents are sensitive enough to justify the volume.
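The same auditing entry can be applied from PowerShell, which is the practical route when many folders need the same SACL. The script below is an added example written for this article, not from the original post. The folder path is an assumption; it must be run from an elevated session, because writing a SACL needs the "Manage auditing and security log" privilege.

```powershell
# Added example (not part of the original article): add a folder auditing
# entry (SACL) equivalent to steps 1-4 above and verify it.
$folder = 'D:\Shares\Finance'   # assumed path

# Audit Everyone for changes and deletes, inherited by all subfolders and files.
# ReadData is deliberately left out: on a busy share it floods the log.
$rights  = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

# Get-Acl returns the SACL only when -Audit is specified.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Verify: list the auditing entries now present on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

If the verification shows the new entry but no events appear, the missing piece is almost always the audit policy: the File System subcategory must be enabled on that server (see the auditpol section below), otherwise the SACL is evaluated but nothing is written.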
Steps to Enable File Access Auditing using Auditpol command line tool:
Auditpol.exe is the command-line tool for reading and changing the audit policy at category and subcategory level. It is available by default on Windows Vista / Windows Server 2008 and later. With Auditpol you can get and set the audit policy for the computer and, using the /user option, per-user audit policy.
Note: Run Auditpol from an elevated prompt (Run as administrator).
You can enable the success events for file access (Event IDs 5145, 4663, 4660 and 4656) with the following commands:
auditpol /set /subcategory:"Detailed File Share" /success:enable
auditpol /set /subcategory:"File System" /success:enable
You can enable the failure events (failed access attempts, logged as 4656 and 5145 with failure status) with the following commands:
auditpol /set /subcategory:"Detailed File Share" /failure:enable
auditpol /set /subcategory:"File System" /failure:enable
Note: Event 4658 (handle closed) is only generated when Handle Manipulation is also enabled; it is high-volume, so enable it only if you need it:
auditpol /set /subcategory:"Handle Manipulation" /success:enable
Verify the result with:
auditpol /get /category:"Object Access"
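The commands above are the manual version. The PowerShell below is an added example for this article, not part of the original post: it enables the same subcategories by GUID, which is locale-independent (the English names above fail on a non-English Windows), verifies the result by parsing auditpol's CSV output, and checks the setting that decides whether these subcategory settings or the legacy Audit object access category are the ones in effect. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not part of the original article): set and verify the
# Object Access subcategories with auditpol. GUIDs are the documented,
# locale-independent identifiers of the three subcategories.
$subcategories = @(
    @{ Name = 'File System';         Guid = '{0CCE921D-69AE-11D9-BED3-505054503030}'; Failure = $true  }
    @{ Name = 'Detailed File Share'; Guid = '{0CCE9244-69AE-11D9-BED3-505054503030}'; Failure = $true  }
    # Handle Manipulation only adds 4658/4690 (handle close/duplicate) and is
    # high volume; Success only, and only if you need open-duration correlation.
    @{ Name = 'Handle Manipulation'; Guid = '{0CCE9223-69AE-11D9-BED3-505054503030}'; Failure = $false }
)

foreach ($s in $subcategories) {
    $failure = if ($s.Failure) { 'enable' } else { 'disable' }
    auditpol /set "/subcategory:$($s.Guid)" /success:enable "/failure:$failure" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for $($s.Name)" }
}

# /r emits CSV with the header:
# Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
$state = auditpol /get /category:"Object Access" /r | ConvertFrom-Csv
$state | Where-Object { $subcategories.Guid -contains $_.'Subcategory GUID' } |
    Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize

# SCENoApplyLegacyAuditPolicy = 1 (the default on Windows 7 / 2008 R2 and later)
# means the subcategory settings above override the legacy "Audit object access"
# category. If it is 0, a GPO setting the legacy category will overwrite them.
Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue |
    Select-Object SCENoApplyLegacyAuditPolicy
```

Settings made with auditpol are local to the machine and will be replaced at the next Group Policy refresh if a GPO also defines the Object Access subcategories, so use auditpol for testing on one server and the GPO steps above for fleet-wide configuration.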
Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8. On Windows Server 2003 only the legacy Audit object access policy and folder SACLs are available; Advanced Audit Policy Configuration and auditpol.exe require Windows Vista / Server 2008 or later, and event 5145 requires Windows 7 / Server 2008 R2 or later.