Solved

Set up Auditing of file level access on a server

Posted on 2010-08-24
6
504 Views
Last Modified: 2012-05-10
Hi

We are running Windows 2003 SP2 DC's. We also have a Windows 2003 SP2 server....

People are randomly complaining that files are going missing from here, so I would like to silently turn on auditing of who is reading and deleting these files.

Do I have to change the Default Domain Policy to carry this out (or any other GPO), or can this be carried out on the server itself?

Thanks in advance!
0
Comment
Question by:kam_uk
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
6 Comments
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 33513635
You can set it on a GPO at the OU level where that server is and use security filtering to only apply to that box or even a local GPO (I would not do it on the default domain policy)
You need to configure auditing in two places

1.  Configure "audit object access"  domain or OU  linked Group Policy that applies to that server or on the server's local GPO:
Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policies. Enable success/failure auditing for "Audit object access."

2.  Configure an audit entry on the specific folder(s) that you wish to audit. Right-click on the folder--Properties | Advanced. From the Auditing tab, click Add, then enter the users/groups whom you wish to audit and what you want to audit - auditing Full Control will create an audit entry every time anyone opens/changes/closes/deletes a file.
...and another question I helped with  http://www.experts-exchange.com/Software/Server_Software/File_Servers/Q_24637392.html


Thanks

Mike
0
 
LVL 3

Author Comment

by:kam_uk
ID: 33514631
Hi Mike

Thanks for the great advise!

Couple of questions:

1. This is on a partner site so I don't have access to their DC's/GPO's (although I can request work to be carried out). So I went to Admin Tools > Local Security Settings on the server and "Audit Object Access" already had a tick for Success/Failure. Assume there's nothing else I need to do then?

2. I want to Audit everything for everyone on that folder :) So I guess I need to add FULL CONTROL for EVERYONE? Would this about cover it?

3. Assuming I do this, where are these logs actually located?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33514710
Yeah that should be enough,  they will be in the security event logs;  monitor the logs because you are going to have a lot of events (not sure if you all are archiving or overwriting logs)

Another good link on this is here:   http://technet.microsoft.com/en-us/library/cc784387(WS.10).aspx

thanks

Mike
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 3

Author Comment

by:kam_uk
ID: 33514804
Thanks.

One question though - it's possible for someone to delete an entry/entries in the Event Log isn't it? Is there anyway to prevent this?

I heard that SCOM may have a feature that "grabs" Audit Logs as they are written, so that they are held apart from the server where other admins don't have access?
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 33514866
If they deleted/cleared entries in the log you will see that event logged....at that point you and your supervisor need to ask the person why they are deleting security event log entries.

Check with the admins on that end to see if the logs are being grabbed.  

Thanks

Mike
0
 
LVL 3

Author Comment

by:kam_uk
ID: 33515175
Ah ok - so you can set up auditing to for someone deleting security logs? DO I need to do anything to enable this or is it default?
0

Featured Post

Want Experts Exchange at your fingertips?

With Experts Exchange’s latest app release, you can now experience our most recent features, updates, and the same community interface while on-the-go. Download our latest app release at the Android or Apple stores today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question