Link to home
Start Free TrialLog in
Avatar of iNetSystem
iNetSystemFlag for United States of America

asked on

Auditing Access on Windows 2008 File Servers

Is there any graceful way to enable auditing on WIndows 2008 servers to show when someone accesses or tries to access a folder or file and then report it?
Avatar of David Johnson, CD
David Johnson, CD
Flag of Canada image

It is easy to enable auditing.. but reporting is another issue
http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access
With windows 2008 you can configure publishing/subscription to aggregate the event logs in a central location and the use splunk to generate reports.
http://technet.microsoft.com/en-us/library/cc748890.aspx
http://www.splunk.com/view/operational-intelligence/SP-CAAAFVM

You could alternatively use power shell or other scripting tool to crunch through event log data and insert entries of interest into a database and then run/generate reports based on the information.

Other ways is you could SNMP to send traps based on preconfigured events evntwin.
Your snmptrapd server would then perform what you need it to.
Avatar of btan
btan

Windows itself already provide that capability, just that it is best to drill in to specific interested folder so as not to have overwhelming log generated. You may want to check out this, specifically on the second part to target access attempts on the selected file or folder by the specified users and groups of the types specified. Eventually those activities will be recorded in the server's security logs which may be accessed using the Events Viewer.

http://www.techotopia.com/index.php/Auditing_Windows_Server_2008_File_and_Folder_Access

Also there is an Auditpol.exe command (not policy) could let you manage audit policies at a more detailed level by using audit policy subcategories for Local Policies or Security options--Audit. E.g

a) KB921469 @ http://support.microsoft.com/kb/921469
b) Some baseline security for Windows 2K8 e.g. on file share
http://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008
ASKER CERTIFIED SOLUTION
Avatar of JustMy2Cents
JustMy2Cents
Flag of France image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial