Configure Windows auditing on Windows shares

Posted on 2016-08-30
Last Modified: 2016-09-28

I've got a customer that wants to keep a log of their files: what user accesses them, if they made any changes, even denied attempts at access. They are a high security business and need to keep things very, very secure. What would you recommend?

I know Windows has the functionality of keeping audits on this, but I don't know how well presented, accurate and consistent they are.

Do you know of any freeware/cheap alternatives?
Question by: unrealone1
LVL 12

Assisted Solution

by: Benjamin Voglar
Benjamin Voglar earned 100 total points (awarded by participants)
ID: 41776271
This is the cheapest solution:

1. Right-click the file or folder you wish to track and click Properties.
2. Select the Security tab and click the Advanced button.
3. Select the Auditing tab and click Edit.
4. Click Add and choose the members of the domain you want to monitor, or enter "Everyone" to track all users, and then click OK.
5. Select what you want to audit and click OK.
6. Click OK on the dialogs.

The logs are in Event Viewer.

But if there are a lot of users, the log could get big or fill up quickly.
LVL 64

Assisted Solution

btan earned 400 total points (awarded by participants)
ID: 41776555
Windows auditing should suffice for the events you want to log. You need to:
1) Enable "Object Access" auditing under the "Audit Policy".
>> Check both "Success" and "Failure".
2) Enable auditing for a specific folder (and all its sub-folders and files).
>> Only for selected places and users, to avoid too "noisy" or overwhelming log events.
>> Browse to the folder, Properties > Security > Advanced/Auditing > Add user (can be Everyone, as suggested by the expert).
>> Check both Successful and Failed.

On Win2012, the event ID codes to look out for are 4656 (open object) and 4658 (close object). Here is an example of Event ID 4656; see also the access done by the selected user, based on the policy set earlier:

A handle to an object was requested.
   Security ID:  SHELL\ahall
   Account Name:  ahall
   Account Domain:  SHELL
   Logon ID:  0x1ff76
   Object Server:  Security
   Object Type:  File
   Object Name:  C:\Finance\Accounts.xlsx
   Handle ID:  0x994678
Process Information:
   Process ID:  0xff1
   Process Name:  C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
Access Request Information:
   Transaction ID:  {00000000-0000-0000-0000-000000000000}
   Accesses:  READ_CONTROL
   Access Mask:  0x120089
   Privileges Used for Access Check: -
   Restricted SID Count: 0
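
The same two steps done from PowerShell instead of the GUI, as an added example that is not part of btan's answer. The folder path D:\Shares\Finance and the group CONTOSO\AuditedUsers are assumptions; run it from an elevated session, and keep in mind that a domain GPO can override the local auditpol setting.

```powershell
# Added example (not from the thread): enable the Object Access audit policy
# and put a SACL entry on a folder so 4656/4658 events are generated.
# Assumed values: folder path and the audited principal.
$Folder    = 'D:\Shares\Finance'      # assumed share folder
$Principal = 'CONTOSO\AuditedUsers'   # assumed group; 'Everyone' also works

# 1) Audit policy: without this, SACL entries on the folder produce nothing.
#    These are the subcategory names shown under Advanced Audit Policy Configuration.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# Confirm what is in effect on this host right now
auditpol /get /category:"Object Access"

# 2) Folder SACL: audit the rights that matter (read, write, delete, ACL changes)
#    for Success and Failure, inherited by sub-folders and files.
$rights = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
          [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Principal, $rights, $inherit, $propagate, $flags)

# Reading or writing the SACL needs SeSecurityPrivilege, hence the elevated session
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Show the audit entries now on the folder
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```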

Author Comment

ID: 41778271
Hi Guys,

I tried that and got an error when selecting the principal: "Error Applying Security - An error occurred while applying security information to C:\documents and settings - Failed to enumerate objects in the container. Access is denied"

I am doing this on the DC just as a test to make sure it works. Am I heading down the right path, or have I gone awry?


LVL 64

Expert Comment

ID: 41779019
See if the below helps:

It was because of UAC on Server 2008. The domain admins did have access granted to them and they were logged in as members of the Domain Admins group, but could not use the privileges because of UAC.

The permissions were set up so domain admins ONLY had rights to the drive via privileges granted to the domain admins group (Full Control permissions to Administrators, System and Domain Admins and nothing else).

When you have UAC turned on, and you access the drive locally, the user does not access Windows Explorer with the token that has their domain admins credentials in it, so you can't even read the ACL and get access denied errors. It looks like only the domain admins group has this problem, because the built-in local administrator account is not stopped by this issue.
After either disabling UAC or adding List rights to the drive to the Everyone or Users group, members of domain admins could access the drive volume locally.

Author Comment

ID: 41784631
Hi btan,

I'm afraid it doesn't, really. I am also unsure why it looks like I'm supposed to be assigning more permissions to the folder/folders I'm trying to set up auditing on.

Any clarification would be greatly appreciated.
LVL 64

Assisted Solution

btan earned 400 total points (awarded by participants)
ID: 41784759
Indeed, the privileges for enabling auditing to track file/folder changes should not be more than is required. But most of the time domain or local admin rights are needed, as this is specific to global policy changes which only an admin has the privileges to make. But specific to here, the critical part is setting up the right amount of auditing for the right security principal and for the right resources. Most of the time the files and folders of interest are delegated to and owned by the users themselves, who have exclusive rights, e.g. to their home folders. Otherwise only members of the local (or domain) Administrators group would have the ability to read or modify the contents of the folders.

For this error, it is more likely due to the fact that the admin is not the owner of the content whose permissions we are changing. See the suggested fixes.

Alternatively, to not go for full rights for the admin, it is a balanced risk assessment whether you still want to go ahead with such in-depth tracking of changes. To consider:
- never use generic groups like Authenticated Users or Domain Administrators.
- never over-audit, as the security log can get cluttered and negate the effect of surfacing anomalous activities. Go specific and not all permissions per se, e.g. if the folder/file is read-only.
- define a group, say 'AuditedUsers', and put only the necessary users in it with the privileges to access; it is for the purpose of audit.

Or you may want to consider this.

Author Comment

ID: 41787716

Thanks, but I still do not understand the way this works. I have to set up an AD group that I drop all the users into whose access I want audited. Then I apply this object (AD group) on the Auditing tab?

I still do not understand why permissions are coming into play here. These users will have full access (read, write, delete, etc.) to these files and folders.

Thanks for the continuous comments. I haven't set up Windows auditing before.
LVL 64

Assisted Solution

btan earned 400 total points (awarded by participants)
ID: 41788165
You should step through the post and test it out. I suspected the denial is due to the inherited permission which overrides / conflicts with the underlying group permission. The most restrictive permission will take precedence.
First click the Change link for Owner in the Advanced Security Settings window. Then click the Advanced option in the Select User or Group window, and then click Find Now in the window that opens. Here you need to select your user account under the Search Results listed. Then click OK -> OK -> Apply -> OK.
Now in the Advanced Security Settings, you must check "Replace owner on subcontainers and objects" and "Replace all child object permission entries with inheritable permission entries from this object".

Author Comment

ID: 41791482
Hi guys,

I think I have done it and set it the way it needs to be, however I cannot see any logs under 4656 or 4658 at all. I have also made a custom view to only look for these specific codes and still nothing.

I'm afraid I don't understand the background and the backend of how this works. If you could explain it in stupidly layman's terms, I might be able to get my head around it better.

LVL 64

Accepted Solution

btan earned 400 total points (awarded by participants)
ID: 41791555
4656 and 4658 are controlled by the audit policy subcategory settings Handle Manipulation and File System.
8. In Windows Server R2 and later versions, you can also configure these settings through Advanced Audit Policy Configuration. Go to the node Advanced Audit Policy Configuration (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration).

9. Expand this node, go to Object Access (Audit Policies -> Object Access), then change the settings
Audit Detailed File Share, Audit File System and Audit Handle Manipulation.
Refresh or update the GPO by running the command GPUpdate /Force to apply this setting on all the file servers that are inside the OU File Servers.
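
Once those subcategories are on and events are flowing, one way to read the 4656/4658 pairs back out of the Security log, as an added example that is not from the thread. It assumes the object path C:\Finance\Accounts.xlsx from the sample event earlier in the thread and a 24-hour window; 4658 carries no object name, so opens and closes are paired by Handle ID and process.

```powershell
# Added example (not from the thread): list who opened one file, with what
# access mask, whether the request was denied, and when the handle was closed.
# Assumed values: the object path and the look-back window. Run elevated.
$ObjectName = 'C:\Finance\Accounts.xlsx'   # assumed; path from the sample 4656 event
$Since      = (Get-Date).AddDays(-1)

# Pull the named EventData fields (SubjectUserName, ObjectName, HandleId ...) out of the event XML
function Get-AuditFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $outcome = 'Success'
    if ($Event.KeywordsDisplayNames -contains 'Audit Failure') { $outcome = 'Failure' }
    [pscustomobject]@{
        Time     = $Event.TimeCreated
        Id       = $Event.Id
        User     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object   = $d.ObjectName       # present on 4656 only
        HandleId = $d.HandleId
        Process  = $d.ProcessName
        Mask     = $d.AccessMask       # e.g. 0x120089 in the sample event above
        Outcome  = $outcome
    }
}

$all = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4658; StartTime = $Since } -ErrorAction SilentlyContinue |
       ForEach-Object { Get-AuditFields $_ }

$opens  = $all | Where-Object { $_.Id -eq 4656 -and $_.Object -eq $ObjectName }
$closes = $all | Where-Object { $_.Id -eq 4658 }

# Pair each open with the first later close that carries the same handle id and process
$sessions = foreach ($o in $opens) {
    $c = $closes | Where-Object { $_.HandleId -eq $o.HandleId -and $_.Process -eq $o.Process -and $_.Time -ge $o.Time } |
         Sort-Object Time | Select-Object -First 1
    $closed = $null
    if ($c) { $closed = $c.Time }      # denied opens (Handle ID 0x0) never get a 4658
    [pscustomobject]@{ Opened = $o.Time; Closed = $closed; User = $o.User; Outcome = $o.Outcome; Process = $o.Process; Mask = $o.Mask }
}
$sessions | Sort-Object Opened | Format-Table -AutoSize

# Denied attempts per account: the part of the original question that plain permissions do not answer
$opens | Where-Object Outcome -eq 'Failure' | Group-Object User | Select-Object Name, Count
```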
LVL 64

Expert Comment

ID: 41819419
As per advice given on tackling the error.
