  • Status: Solved

Auditing Folder Ownership Changes on Windows Server 2008

How can I find the cause of a folder's ownership changing from a particular user, say "Joe", to the Administrators group? The folder, called Test, is on a Windows Server 2008 R2 server and the path looks like the following:

C:\inetpub\wwwroot\Test

Note: Inheritable permissions is unchecked on Test, so only explicit permissions apply on this folder.

When auditing, will default logging be able to find the cause or do I have to turn on special logging to enable this kind of auditing?
 
Michael Pfister Commented:
Turn on auditing http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

Select the Administrator group and audit "Take ownership" "Success"

HTH
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
What's New in Windows Security Auditing

There are a number of auditing enhancements in Windows Server® 2008 R2 and Windows® 7 that increase the level of detail in security auditing logs and simplify the deployment and management of auditing policies. These enhancements include:
Global Object Access Auditing
"Reason for access" reporting
Advanced audit policy settings

In order to track file and folder access on Windows Server 2008 R2

- Rancy
 
btan (Exec Consultant) Commented:
To audit files and directories on a particular server, the File and Object Access audit event option must be enabled in the Audit Policy for that server. I believe the events that you should be looking for are below. It should be configured in the Global Object Access Auditing Group Policy setting. Please see this at http://support.microsoft.com/kb/2520212

http://eventlogs.blogspot.sg/2007/06/auditing-changes-to-permissions-event.html
http://eventlogs.blogspot.sg/2007/05/auditing-changes-to-your-auditing-event.html

Excerpt

>>  EventID 4670 - Permissions on an object were changed.
- Logged when anyone changes the DACL (Discretionary Access Control List) on a file, folder, or securable object.
>>  EventID 4907 - Auditing settings on object were changed.
-  Logged every time an administrator or program changes the SACL (System Access Control List) on an object, typically a file or folder.

For info, every securable object (e.g. file, folder, registry key, etc) in Windows has a Security Descriptor assigned to it. The security descriptor, among other things, specifies:

1.) the user owner of the object
2.) the group of the object (used by Unix apps that run under POSIX)
3.) the DACL (Discretionary Access Control List), and
4.) the SACL (System Access Control List)
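Added example, not part of any answer above: one way to script the steps the answers describe for C:\inetpub\wwwroot\Test, then read back who changed ownership or permissions. It assumes an elevated Windows PowerShell session on the server and the English group name BUILTIN\Administrators. The check for event 4663 with the WRITE_OWNER access bit is an addition here; the thread itself lists only 4670 and 4907.

```powershell
# Added example. Assumes an elevated Windows PowerShell session on the server.
$path = 'C:\inetpub\wwwroot\Test'      # folder from the question

# 1. Turn on success auditing for file system object access.
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. Add a SACL entry: log successful "Take ownership" / "Change permissions"
#    by members of Administrators, on this folder and everything below it.
#    Only the audit section of the security descriptor is read and written back.
$sd   = [System.IO.Directory]::GetAccessControl($path, 'Audit')
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
            'BUILTIN\Administrators',
            'TakeOwnership, ChangePermissions',
            'ContainerInherit, ObjectInherit',
            'None',
            'Success')
$sd.AddAuditRule($rule)
[System.IO.Directory]::SetAccessControl($path, $sd)

# 3. Later: list who wrote the owner or the DACL on the folder.
#    4663 with WRITE_OWNER (0x80000) set in AccessMask = owner was written;
#    4670 = permissions (DACL) were changed.
$WRITE_OWNER = 0x80000
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4670 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the event's named <Data> fields into a hashtable.
        $d = @{}
        foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        # Keep only events whose object path starts with the audited folder path.
        if (-not "$($d.ObjectName)".StartsWith($path, [StringComparison]::OrdinalIgnoreCase)) { return }
        # For 4663, keep only accesses that include WRITE_OWNER.
        if ($_.Id -eq 4663 -and -not ([Convert]::ToInt32($d.AccessMask, 16) -band $WRITE_OWNER)) { return }

        New-Object PSObject -Property @{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Process = $d.ProcessName
            Object  = $d.ObjectName
        }
    } | Sort-Object Time | Format-Table Time, EventId, User, Process, Object -AutoSize
```

Only changes made after steps 1 and 2 are in place are recorded, so the query in step 3 returns nothing for an ownership change that happened earlier.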
 
Created (Author) Commented:
Sorry, I messed up and didn't distribute the points. I wanted to give points to assisted solutions even though the right person was the accepted solution. Will have to be a little more aware next time.