Logging file events in windows

Hi, I have a Windows 2003 file server and I need to log when users move / delete / create files. General files like Word and Excel files, not specifically system files.

Thanks in advance
1 Solution
You'll need to enable auditing of object access on the folders you're concerned about.  You can't specify auditing by file type, so you'll have to decide which folders you want to audit.  To do so you'll need to:

I.  Enable auditing on the specific folder(s)
 1) In Explorer.exe browse to the file or folder you want to audit
 2) Click the 'Security' menu
 3) Click the 'Advanced' button
 4) Select the 'Auditing' tab and click the 'Add' button
 5) Add the 'Everyone' group and click 'OK'
 6) The resulting "Auditing Entry for " dialog box appears
 7) In the "Apply onto" drop menu, select "This folder, subfolders and files"
 8) Choose the actions you want to audit for...
  For example, if attributes are being changed or files are being deleted
  Place check marks under the following:
  'Write Attributes' Successful
  'Write Extended Attributes' Successful
  'Delete Subfolders and Files' Successful
  'Delete' Successful
  'Change Permissions' Successful
 9) Click OK
 10) Clear the checkbox on "Allow inheritable auditing entries from parent to propagate to this object"
 11) Click OK then OK again to exit

II.  Enable audit policy (either locally or via Group Policy Object)
 To set up the local policy to Audit Object access:
 1) Click Start then Run then type
  "gpedit.msc" (without the quotes)
 2) This will execute the Group Policy Object
 3) Expand the following:
  +Computer Configuration
  +Windows Settings
  +Security Settings
  +Local Policies
  +Audit Policy
 4) Under 'Audit Policy' double-click 'Audit Object Access'
 5) Under 'Audit these attempts' place a check on
  - Success

Reference:  http://msexchangetips.blogspot.com/2006/08/windows-audit-changes-made-to-file.html
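
A scripted equivalent of part I above, as an added example that is not part of the original answer: it builds the same audit entry with .NET's `FileSystemAuditRule` and writes it to each folder's SACL. It assumes PowerShell is installed on the server and the session runs as an administrator; the folder paths are hypothetical, and keeping a copy of the inherited audit entries in step 10 is an assumption, since the answer does not say whether to copy or remove them. The 'Audit Object Access' policy from part II still has to be enabled before any events are written.

```powershell
# Added example: apply the audit entry from part I to one or more folders.
# The paths below are hypothetical placeholders; replace them with the folders to audit.
$folders = @('D:\Shares\Documents', 'D:\Shares\Finance')

# Step 8: the actions ticked under 'Successful' in the answer, as FileSystemRights flags.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions'

# Step 7: "This folder, subfolders and files" means the entry is inherited by
# both containers and files, with no propagation restriction.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Steps 5 and 8: audit successful attempts by the 'Everyone' group.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit, $propagate,
    [System.Security.AccessControl.AuditFlags]::Success)

foreach ($folder in $folders) {
    if (-not (Test-Path -LiteralPath $folder -PathType Container)) {
        Write-Warning "Skipping '$folder': not an existing folder."
        continue
    }

    # -Audit is required; without it Get-Acl does not load the SACL at all.
    $acl = Get-Acl -Path $folder -Audit
    $acl.AddAuditRule($rule)

    # Step 10: stop inheriting audit entries from the parent.
    # Second argument $true keeps a copy of the entries inherited so far (assumption).
    $acl.SetAuditRuleProtection($true, $true)

    Set-Acl -Path $folder -AclObject $acl

    # Read the SACL back so the result can be checked against the dialog in part I.
    (Get-Acl -Path $folder -Audit).Audit |
        Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize
}
```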
Ned Ramsay Commented:
You have to create a policy on the server. See http://technet.microsoft.com/en-us/library/cc787413.aspx
Be warned that in folders with high read/writes you will start to notice a slowdown on your system. Also, it writes it into the event viewer, so it can be a pain to find the correct entries.
Hope this helps.
mathew1010 (Author) Commented:
Fantastic, thanks
