

Configure windows auditing on windows shares

Posted on 2016-08-30
Medium Priority
Last Modified: 2016-09-28

I've got a customer that wants to keep a log of their files: what user accesses them, whether they made any changes, even denied attempts at access. They are a high-security business and need to keep things very, very secure. What would you recommend?

I know Windows has the functionality of keeping audits on this, but I don't know how well presented, accurate and consistent they are.

Do you know of any freeware/cheap alternatives?
Question by:unrealone1
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 400 total points (awarded by participants)
ID: 41776271
This is the cheapest solution:

1. Right-click the file or folder you wish to track and click Properties.
2. Select the Security tab and click the Advanced button.
3. Select the Auditing tab and click Edit.
4. Click Add and choose the members of the domain you want to monitor, or enter "Everyone" to track all users, and then click OK.
5. Select what you want to audit and click OK.
6. Click OK on the dialogs.

The logs are in Event Viewer.

But if there are a lot of users, the log could get big or fill up quickly.
LVL 65

Assisted Solution

btan earned 1600 total points (awarded by participants)
ID: 41776555
Windows auditing should suffice for the events you want to log. You need to:
1) Enable "Audit object access" under "Audit Policy"
>> Check both "Success" and "Failure"
2) Enable auditing for a specific folder (and all its sub-folders and files).
>> Only for selected places and users, to minimise "noisy" or overwhelming log events.
>> Browse to the folder, Properties > Security > Advanced > Auditing > Add user (can be Everyone, as suggested by the other expert)
>> Check both Successful and Failed

On Win2012, the event ID codes to look out for are 4656 (open object) and 4658 (close object). Here is an example of Event Code 4656; see also the access done by the selected user based on the policy set earlier:

A handle to an object was requested.
   Security ID:  SHELL\ahall
   Account Name:  ahall
   Account Domain:  SHELL
   Logon ID:  0x1ff76
   Object Server:  Security
   Object Type:  File
   Object Name:  C:\Finance\Accounts.xlsx
   Handle ID:  0x994678
Process Information:
   Process ID:  0xff1
   Process Name:  C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
Access Request Information:
   Transaction ID:  {00000000-0000-0000-0000-000000000000}
   Accesses:  READ_CONTROL
   Access Mask:  0x120089
   Privileges Used for Access Check: -
   Restricted SID Count: 0
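The folder-level audit entry (SACL) that both answers above set through the Properties > Security > Advanced > Auditing dialog can be set from PowerShell instead, which is easier to repeat across many shares and to review later. The following is an added example, not code from the thread: it assumes an elevated session on the file server and a hypothetical folder C:\Finance, and audits Everyone for the rights the question cares about (read, write, delete, permission changes) for both outcomes. Reading or writing a SACL requires the "Manage auditing and security log" privilege (SeSecurityPrivilege), which members of Administrators only hold in an elevated token under UAC, so the block checks elevation first.

```powershell
# Added example (not from the original thread). Assumptions: run elevated on the
# file server; C:\Finance is a hypothetical folder.
$Path = 'C:\Finance'

# SACL changes need SeSecurityPrivilege; under UAC that is only in the elevated token.
$id        = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($id)
if (-not $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session; writing a SACL needs SeSecurityPrivilege.'
}

# -Audit is required so the returned object includes the SACL, not just the DACL.
$acl = Get-Acl -Path $Path -Audit

# Who to audit (Everyone, as both answers suggest), which accesses, and which outcomes.
$identity = New-Object System.Security.Principal.NTAccount('Everyone')
$rights   = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'   # this folder, subfolders and files
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($identity, $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)

# Write the SACL back. Set-Acl writes the audit rules because the object was read with -Audit.
Set-Acl -Path $Path -AclObject $acl

# Verify: list the audit entries now on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize
```

A SACL on its own produces nothing: the "Audit object access" policy (or the File System subcategory under Advanced Audit Policy Configuration) must also be enabled on the server, otherwise Windows never evaluates the audit entries. Keep the rights list narrow; auditing ReadData on a folder that every user opens all day is what fills the Security log that the first answer warns about.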

Author Comment

ID: 41778271
Hi Guys,

I tried that and got an error when selecting the principal: "Error Applying Security - An error occurred while applying security information to C:\documents and settings - Failed to enumerate objects in the container. Access is denied"

I am doing this on the DC just as a test to make sure it works. Am I heading the right path or have I gone awry


LVL 65

Expert Comment

ID: 41779019
See if the below helps:

It was because of UAC on Server 2008. The domain admins did have access granted to them and they were logged in as members of the Domain Admins group, but could not use the privileges because of UAC.

The permissions were set up so domain admins ONLY had rights to the drive via privileges granted to the Domain Admins group (Full Control permissions to Administrators, System and Domain Admins and nothing else).

When you have UAC turned on and you access the drive locally, the user does not access Windows Explorer with the token that has their Domain Admins credentials in it, so you can't even read the ACL and get access denied errors. It looks like only the Domain Admins group has this problem, because the built-in local administrator account is not stopped by this issue.
After either disabling UAC or adding List rights to the drive for the Everyone or Users group, members of Domain Admins could access the drive volume locally.

Author Comment

ID: 41784631
Hi btan,

I'm afraid it doesn't really. I am also unsure why it looks like I'm supposed to be assigning more permissions to the folder/folders I'm trying to set up auditing on.

Any clarification would be greatly appreciated.
LVL 65

Assisted Solution

btan earned 1600 total points (awarded by participants)
ID: 41784759
Indeed, the privileges for enabling auditing to track file/folder changes should not be more than is required. But most of the time domain or local admin rights are needed, as this is specific to global policy changes which only an admin has the privileges to make. But specific to here, the critical part is setting up the right amount of auditing for the right security principal and for the right resources. Most of the time the files and folders of interest are delegated to and owned by the users themselves, who have exclusive rights, e.g. to their home folders. Otherwise only members of the local (or domain) Administrators group would have the ability to read or modify the contents of the folders.

For this error, it is more likely due to the fact that the admin is not the owner of the content whose permissions we are changing. See the suggested fixes.

Alternatively, to not go for full rights for the admin, it is a balanced risk assessment whether you still want to go ahead with such in-depth tracking of changes. To consider:
- never use generic groups like Authenticated Users or Domain Admins.
- never over-audit, as the security log can get cluttered and negate the effect of surfacing anomalous activities. Go specific and not all permissions per se if the folder/file is read-only etc.
- define a group, say 'AuditedUsers', and put only the necessary users in it with the privileges to access, and it is for the purpose of audit.

Or you may want to consider this http://www.fileaccessauditing.com/

Author Comment

ID: 41787716

Thanks, but I still do not understand the way this works. I have to set up an AD group that I drop all the users into whose access I want audited. Then I apply this object (AD group) to the Auditing tab?

I still do not understand why permissions are coming into play here. These users will have full access (read, write, delete, etc.) to these files and folders.

Thanks for the continuous comments. I haven't set up Windows auditing before.
LVL 65

Assisted Solution

btan earned 1600 total points (awarded by participants)
ID: 41788165
You should step through the post and test it out. I suspect the denial is due to an inherited permission which overrides / conflicts with the underlying group permission. The most restrictive permission will take precedence.
First click the Change link for Owner in the Advanced Security Settings window. Then click the Advanced option in the Select User or Group window, and then click Find Now in the window that opens. Here you need to select your user account under the Search Results listed. Then click OK -> OK -> Apply -> OK.
Now in Advanced Security Settings, you must check "Replace owner on subcontainers and objects" and "Replace all child object permission entries with inheritable permission entries from this object".

Author Comment

ID: 41791482
Hi guys,

I think I have done it and set it the way it needs to be, however I cannot see any logs under 4656 or 4658 at all. I have also made a custom view to only look for these specific codes and still nothing.

I'm afraid I don't understand the background and the backend of how this works. If you could explain it stupidly layman's, i might be able to get my head around it better.

LVL 65

Accepted Solution

btan earned 1600 total points (awarded by participants)
ID: 41791555
4656 and 4658 are controlled by the audit policy subcategory settings Handle Manipulation and File System.
1. In Windows Server R2 and later versions, you can also configure these settings through Advanced Audit Policy Configuration. Go to the node Advanced Audit Policy Configuration (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration).

2. Expand this node, go to Object Access (Audit Policies -> Object Access), then change the settings
Audit Detailed File Share, Audit File System and Audit Handle Manipulation.
Refresh or update the GPO by running the command GPUpdate /Force to apply this setting on all the file servers that are inside the OU File Servers.
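The subcategories named in the accepted answer can be inspected and set locally with auditpol, and the events they produce can be pulled and flattened with Get-WinEvent, which is a quicker way to confirm the pipeline works than a custom view in Event Viewer. The block below is an added example, not from the thread; C:\Finance is a hypothetical watched folder that already carries an audit entry. Besides 4656 and 4658 it also reads 4663, which the File System subcategory writes when an opened handle is actually used for an access and which carries the exercised access (read, write, delete) rather than the requested one.

```powershell
# Added example (not from the original thread). Assumptions: run elevated on the
# file server; C:\Finance is a hypothetical folder that already has a SACL.
$Watched = 'C:\Finance'

# 1. Enable the Object Access subcategories locally. On a domain member a GPO under
#    Advanced Audit Policy Configuration re-applies its own values at the next refresh,
#    so set them there as well when the setting has to persist.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable

# Show the effective policy so a GPO override is visible.
auditpol /get /category:"Object Access"

# 2. Pull the file-access events of the last 24 hours and flatten the EventData into columns.
$filter = @{ LogName = 'Security'; Id = 4656, 4658, 4663; StartTime = (Get-Date).AddHours(-24) }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        Outcome  = if ($_.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        User     = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        HandleId = $data.HandleId            # the only key 4658 carries; join it back to the 4656
        Object   = $data.ObjectName          # empty on 4658
        Accesses = ($data.AccessList -replace '\s+', ' ').Trim()   # %%-codes such as %%4416 = ReadData
        Process  = $data.ProcessName
    }
}

# Keep 4656/4663 for the watched folder, plus any 4658 whose handle matches one of them.
$opens   = $events | Where-Object { $_.Id -ne 4658 -and $_.Object -like "$Watched*" }
$handles = $opens | Select-Object -ExpandProperty HandleId -Unique
$closes  = $events | Where-Object { $_.Id -eq 4658 -and $handles -contains $_.HandleId }

$opens + $closes | Sort-Object Time | Format-Table Time, Id, Outcome, User, Object, Accesses, Process -AutoSize
```

If the table stays empty after touching a file in the folder, one of three things is missing: the subcategory (auditpol /get shows "No Auditing"), the audit entry on the folder itself (Get-Acl -Audit shows no rules), or an actual access by a principal covered by that entry. Failed attempts show up as 4656 with Outcome = Failure; denied access never reaches 4663, because no handle was granted.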
LVL 65

Expert Comment

ID: 41819419
As per advice given on tackling the error.
