• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 509
  • Last Modified:

Set up Auditing of file level access on a server

Hi

We are running Windows 2003 SP2 DC's. We also have a Windows 2003 SP2 server....

People are randomly complaining that files are going missing from here, so I would like to silently turn on auditing of who is reading and deleting these files.

Do I have to change the Default Domain Policy to carry this out (or any other GPO), or can this be carried out on the server itself?

Thanks in advance!
0
kam_uk
Asked:
kam_uk
  • 3
  • 3
1 Solution
 
Mike KlineCommented:
You can set it on a GPO at the OU level where that server is and use security filtering to only apply to that box or even a local GPO (I would not do it on the default domain policy)
You need to configure auditing in two places

1.  Configure "audit object access"  domain or OU  linked Group Policy that applies to that server or on the server's local GPO:
Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policies. Enable success/failure auditing for "Audit object access."

2.  Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder--Properties | Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what you want to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file.
...and another question I helped with  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Q_24637392.html


Thanks

Mike
0
 
kam_ukAuthor Commented:
Hi Mike

Thanks for the great advise!

Couple of questions:

1. This is on a partner site so I don't have access to their DC's/GPO's (although I can request work to be carried out). So I went to Admin Tools > Local Security Settings on the server and "Audit Object Access" already had a tick for Success/Failure. Assume there's nothing else I need to do then?

2. I want to Audit everything for everyone on that folder :) So I guess I need to add FULL CONTROL for EVERYONE? Would this about cover it?

3. Assuming I do this, where are these logs actually located?
0
 
Mike KlineCommented:
Yeah that should be enough,  they will be in the security event logs;  monitor the logs because you are going to have a lot of events (not sure if you all are archiving or overwriting logs)

Another good link on this is here:   http://technet.microsoft.com/en-us/library/cc784387(WS.10).aspx

thanks

Mike
0
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

 
kam_ukAuthor Commented:
Thanks.

One question though - it's possible for someone to delete an entry/entries in the Event Log isn't it? Is there anyway to prevent this?

I heard that SCOM may have a feature that "grabs" Audit Logs as they are written, so that they are held apart from the server where other admins don't have access?
0
 
Mike KlineCommented:
If they deleted/cleared entries in the log you will see that event logged....at that point you and your supervisor need to ask the person why they are deleting security event log entries.

Check with the admins on that end to see if the logs are being grabbed.  

Thanks

Mike
0
 
kam_ukAuthor Commented:
Ah ok - so you can set up auditing to for someone deleting security logs? DO I need to do anything to enable this or is it default?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now