Configure Windows auditing on Windows shares


I've got a customer that wants to keep a log of their files: what user accesses them, if they made any changes, even denied attempts at access. They are a high-security business and need to keep things very, very secure. What would you recommend?

I know windows has the functionality of keeping audits on this but I don't know how well presented, accurate and consistent they are.

Do you know of any freeware/cheap alternatives?

btan (Exec Consultant) commented:
4656 and 4658 are controlled by the audit policy subcategory settings Handle Manipulation and File System.
8. In Windows Server R2 and later versions, you can also configure these settings through Advanced Audit Policy Configuration. Go to the node Advanced Audit Policy Configuration (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration).

9. Expand this node, go to Object Access (Audit Policies -> Object Access), then change the settings
Audit Detailed File Share, Audit File System and Audit Handle Manipulation.
Refresh or update the GPO by running the command GPUpdate /Force to apply this setting on all the file servers inside the File Servers OU.
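The same three subcategories can be switched on and verified from an elevated PowerShell prompt with the built-in auditpol.exe. This is an added example, not code from the answer above; it sets the local effective policy on the machine it runs on, and in a domain the GPO setting configured as described wins after the next policy refresh. The subcategory names are the ones the answer lists.

```powershell
# Added example: enable Success and Failure auditing for the Object Access
# subcategories named above, then read back the effective setting.
# Must run elevated; auditpol.exe ships with Windows.
$subcategories = @('File System', 'Handle Manipulation', 'Detailed File Share')

foreach ($sub in $subcategories) {
    & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
}

# /r emits CSV (Machine Name, Policy Target, Subcategory, Subcategory GUID,
# Inclusion Setting, Exclusion Setting), which is easier to check than the table view.
$state = & auditpol.exe /get /category:'Object Access' /r | ConvertFrom-Csv

$state |
    Where-Object { $_.Subcategory -in $subcategories } |
    Select-Object Subcategory, 'Inclusion Setting' |
    Format-Table -AutoSize

# After editing the GPO instead, force a refresh and re-run the /get above:
#   gpupdate /force
```

Two points worth knowing before enabling all three: Handle Manipulation is what produces the 4656/4658 pair for every handle opened and closed, so it is by far the noisiest of the three, while File System on its own records the actual access (event 4663) once a folder carries an audit entry. Nothing is logged for a file until both the subcategory is enabled and the folder's auditing tab (its SACL) names a user or group, so check both when the log stays empty.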
Benjamin Voglar (IT Pro) commented:
This is the cheapest solution:

1. Right-click the file or folder you wish to track and click Properties.
2. Select the Security tab and click the Advanced button.
3. Select the Auditing tab and click Edit.
4. Click Add and choose the members of the domain you want to monitor, or enter "Everyone" to track all users, and then click OK.
5. Select what you want to audit and click OK.
6. Click OK on the dialogs.

The logs are in Event Viewer.

But if there are a lot of users, the log could get big or fill up quickly.
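The six dialog steps above map onto a single audit rule on the folder's SACL, which can be applied with Get-Acl/Set-Acl. This is an added example, not the answer's own code; the path D:\Shares\Finance, the identity Everyone and the chosen rights are assumptions to adjust for the share in question. The last line addresses the log-size caveat by raising the Security log's cap.

```powershell
# Added example: audit Success and Failure for Everyone on a folder and
# everything beneath it, equivalent to the Properties > Security > Advanced >
# Auditing steps above. Run elevated (reading/writing a SACL needs SeSecurityPrivilege).
$Path = 'D:\Shares\Finance'   # assumed share path

# Rights to audit, covering read, change and delete as the question asks for.
$rights = [System.Security.AccessControl.FileSystemRights]::ReadData -bor
          [System.Security.AccessControl.FileSystemRights]::WriteData -bor
          [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::ChangePermissions

$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')

# -Audit makes Get-Acl fetch the SACL as well as the DACL.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify the entry landed on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize

# Log-size caveat: 4656/4658 for Everyone fills the default Security log fast.
# Raise the maximum size (bytes; 1 GB here) so events are overwritten, not lost early.
wevtutil sl Security /ms:1073741824
```

Auditing only ReadData, WriteData, Delete and ChangePermissions rather than Full Control keeps the volume down without losing the three things the question asks for; the log size is still worth revisiting once you have seen a day of real traffic.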
btan (Exec Consultant) commented:
Windows auditing should suffice for the events you want to log. You need to
1) Enable "Audit Object Access" under the Audit Policy
>> Check both "Success" and "Failure"
2) Enable auditing for a specific folder (and all its sub-folders and files).
>> Only for selected places and users, to minimise "noisy" or overwhelming log events.
>> Browse to the folder, Properties > Security > Advanced/Auditing > Add user (can be Everyone as suggested by the expert)
>> Check Successful and Failed

On Win2012, the event ID codes to look out for are 4656 (open object) and 4658 (close object). Here is an example of Event Code 4656; see also the access done by the selected user based on the policy set earlier:

A handle to an object was requested.
   Security ID:  SHELL\ahall
   Account Name:  ahall
   Account Domain:  SHELL
   Logon ID:  0x1ff76
   Object Server:  Security
   Object Type:  File
   Object Name:  C:\Finance\Accounts.xlsx
   Handle ID:  0x994678
Process Information:
   Process ID:  0xff1
   Process Name:  C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
Access Request Information:
   Transaction ID:  {00000000-0000-0000-0000-000000000000}
   Accesses:  READ_CONTROL
   Access Mask:  0x120089
   Privileges Used for Access Check: -
   Restricted SID Count: 0
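The sample 4656 event above shows the fields worth extracting: subject, object name, access mask, process and handle ID. The following is an added example, not part of the answer, that pulls those events out of the Security log, flattens the named fields into one row per event, and ties each 4658 (close) back to its 4656 (open) through the handle ID. The folder C:\Finance, the 24-hour window and the inclusion of event 4663 are assumptions; reading the Security log needs an elevated session.

```powershell
# Added example: summarise file-system audit events for one folder.
$Folder = 'C:\Finance'                 # assumed; the path from the sample event
$Since  = (Get-Date).AddHours(-24)     # assumed reporting window

$events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4656, 4658, 4663; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
    # The XML view exposes each named field as EventData/Data[@Name=...]
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        Time     = $_.TimeCreated
        Id       = $_.Id
        # "Audit Success" or "Audit Failure"; the failures are the denied attempts
        Outcome  = ($_.KeywordsDisplayNames -join ',')
        User     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object   = $d['ObjectName']      # absent on 4658, which only carries the handle
        Access   = $d['AccessMask']
        Process  = $d['ProcessName']
        HandleId = $d['HandleId']
    }
}

# Opens/accesses under the folder of interest, then the closes matching their handles.
# Handle IDs are reused over time, so this pairing is approximate.
$opens   = $events | Where-Object { $_.Id -ne 4658 -and $_.Object -like "$Folder\*" }
$handles = @($opens | Select-Object -ExpandProperty HandleId -Unique)
$closes  = $events | Where-Object { $_.Id -eq 4658 -and $handles -contains $_.HandleId }

# Who touched what, and how often
$opens | Group-Object User, Object | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Denied attempts only
$opens | Where-Object { $_.Outcome -match 'Failure' } |
    Format-Table Time, User, Object, Access, Process -AutoSize

"{0} open/access events, {1} matching close events" -f $opens.Count, $closes.Count
```

If the script returns nothing for a folder you know is being used, the usual cause is that either the Object Access subcategory is not enabled on that server or the folder has no audit entry on its Auditing tab; both are required before a single 4656 appears.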

unrealone1 (Author) commented:
Hi Guys,

I tried that and got an error when selecting the principal: "Error Applying Security - An error occurred while applying security information to C:\documents and settings - Failed to enumerate objects in the container. Access is denied"

I am doing this on the DC just as a test to make sure it works. Am I heading down the right path, or have I gone awry?

btan (Exec Consultant) commented:
See if the below helps

It was because of UAC on Server 2008. The domain admins did have access granted to them and they were logged in as members of the Domain Admins group, but could not use the privileges because of UAC.

The permissions were set up so domain admins ONLY had rights to the drive via privileges granted to the Domain Admins group (Full Control permissions to Administrators, System and Domain Admins and nothing else).

When you have UAC turned on, and you access the drive locally, the user does not access Windows Explorer with the token that has their domain admins credentials in it, so you can't even read the ACL and get access denied errors. It looks like only the Domain Admins group has this problem, because the built-in local administrator account is not stopped by this issue.
After either disabling UAC or adding List rights to the drive to the Everyone or Users group, members of domain admins could access the drive volume locally.
unrealone1 (Author) commented:
Hi btan,

I'm afraid it doesn't really. I am also unsure why it looks like I'm supposed to be assigning more permissions to the folder/folders I'm trying to set up auditing on.

Any clarification would be greatly appreciated.
btan (Exec Consultant) commented:
Indeed, the privileges for enabling auditing to track file/folder changes should not be more than is required. But most of the time domain or local admin rights are needed, as this is specific to global policy changes which only an admin has the privileges to make. But specific to here, the critical part is setting up the right amount of auditing for the right security principal and for the right resources. Most of the time the files and folders of interest are delegated to and owned by the users themselves, who have exclusive rights, e.g. to their home folders. Otherwise only members of the local (or domain) Administrators group would have the ability to read or modify the contents of the folders.

For this error, it is more likely due to the fact that the admin is not the owner of the content whose permissions we are changing. See the suggested fixes.

Alternatively, to not grant full rights to the admin, it is a balanced risk assessment whether you still want to go ahead with such in-depth tracking of changes. To consider:
- never use generic groups like Authenticated Users or Domain Administrators.
- never over-audit, as the security log can get cluttered and negate the effect of surfacing anomalous activities. Go specific and not all permissions per se if the folder/file is read-only, etc.
- define a group, say 'AuditedUsers', and put only the necessary users in it with the privileges to access, for the purpose of audit.

Or you may want to consider this
unrealone1 (Author) commented:

Thanks, but I still do not understand the way this works. I have to set up an AD group that I drop all the users into whose access I want audited. Then I apply this object (AD group) on the Auditing tab?

I still do not understand why permissions are coming into play here. These users will have full access (read, write, delete, etc.) to these files and folders.

Thanks for the continuous comments. I haven't set up Windows auditing before.
btan (Exec Consultant) commented:
You should step through the post and test it out. I suspect the denial is due to the inherited permission, which overrides / conflicts with the underlying group permission. The most restrictive permission will take precedence.
First, click the Change link for Owner in the Advanced Security Settings window. Then click the Advanced option in the Select User or Group window, and then click Find Now in the window that opens. Here you need to select your user account under the Search Results listed. Then click OK -> OK -> Apply -> OK.
Now in Advanced Security Settings, you must check "Replace owner on subcontainers and objects" and "Replace all child object permission entries with inheritable permission entries from this object".
unrealone1 (Author) commented:
Hi guys,

I think I have done it and set it the way it needs to be; however, I cannot see any logs under 4656 or 4658 at all. I have also made a custom view to only look for these specific codes and still nothing.

I'm afraid I don't understand the background and the back end of how this works. If you could explain it in layman's terms, I might be able to get my head around it better.

btan (Exec Consultant) commented:
As per advice given on tackling the error.