Solved

Configure windows auditing on windows shares

Posted on 2016-08-30
33 Views
Last Modified: 2016-09-28
Experts,

I've got a customer that wants to keep a log of their files: what user accesses them, whether they made any changes, even denied attempts at access. They are a high security business and need to keep things very very secure. What would you recommend?

I know windows has the functionality of keeping audits on this but I don't know how well presented, accurate and consistent they are.

Do you know of any freeware/cheap alternatives?
Question by:unrealone1
LVL 12

Assisted Solution

by:Benjamin Voglar
Benjamin Voglar earned 100 total points (awarded by participants)
This is the cheapest solution:

1. Right-click the file or folder you wish to track and click Properties.
2. Select the Security tab and click the Advanced button.
3. Select the Auditing tab and click Edit.
4. Click Add and choose the members of the domain you want to monitor, or enter “Everyone” to track all users, and then click OK.
5. Select what you want to audit and click OK.
6. Click OK on the dialogs.

The logs are in Event Viewer.

But if there are a lot of users, the log could get big or fill up quickly.
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
Windows auditing should suffice to log those events you want. You need to:
1) In the "Audit Policy", enable auditing under “Object Access Audit”
>> Check both “Success” and “Failure”
2) Enable auditing for a specific folder (and all its sub-folders and files).
>> Only for selected places and users, to minimise "noisy" or overwhelming log events.
>> Browse to the folder, Properties > Security > Advanced/Auditing > Add user (can be Everyone, as suggested by the expert)
>> Check both Successful and Failed

On Win2012, the event ID codes to look out for are 4656 (open object) and 4658 (close object). Here is an example of Event Code 4656; see also the access done by the selected user based on the policy set earlier:

A handle to an object was requested.
Subject:
   Security ID:  SHELL\ahall
   Account Name:  ahall
   Account Domain:  SHELL
   Logon ID:  0x1ff76
Object:
   Object Server:  Security
   Object Type:  File
   Object Name:  C:\Finance\Accounts.xlsx
   Handle ID:  0x994678
Process Information:
   Process ID:  0xff1
   Process Name:  C:\Program Files\Microsoft Office\Office15\EXCEL.EXE
Access Request Information:
   Transaction ID:  {00000000-0000-0000-0000-000000000000}
   Accesses:  READ_CONTROL
     SYNCHRONIZE
     ReadData
     ReadEA
     ReadAttributes  
   Access Mask:  0x120089
   Privileges Used for Access Check: -
   Restricted SID Count: 0
http://blogs.splunk.com/2013/07/08/audit-file-access-and-change-in-windows/
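The two answers above describe the GUI route. As an added example (not code from either expert), the same configuration from an elevated PowerShell prompt on the file server: enable the Object Access subcategories with auditpol, add a SACL entry to the folder, and verify both. The folder path and group name are assumed placeholders.

```powershell
# Added example, not from the thread. Run from an elevated PowerShell prompt on the
# file server: Get-Acl -Audit / Set-Acl need SeSecurityPrivilege, and a non-elevated
# domain-admin token (UAC) is what produces "Access is denied" errors like the one above.
$Folder    = 'D:\Shares\Finance'        # assumed folder to audit (placeholder)
$Principal = 'CONTOSO\AuditedUsers'     # assumed group; 'Everyone' also works

# 1) Audit policy: success + failure for the subcategories that produce 4656/4658.
#    GUI equivalent: Advanced Audit Policy Configuration > Object Access.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# 2) SACL entry on the folder. GUI equivalent: Properties > Security > Advanced > Auditing.
#    Audit reads, writes, deletes and permission changes, inherited by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule($Principal, $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Folder -Audit      # -Audit pulls the SACL, not just the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3) Verify what actually got applied on the folder and in the effective policy.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
auditpol /get /category:"Object Access"
```

Both halves are needed: a SACL with no effective "File System" subcategory (or the reverse) produces no events at all.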
 
LVL 1

Author Comment

by:unrealone1
Hi Guys,

I tried that and got an error when selecting the principal: "Error Applying Security - An error occurred while applying security information to C:\documents and settings - Failed to enumerate objects in the container. Access is denied"

I am doing this on the DC just as a test to make sure it works. Am I heading down the right path, or have I gone awry?

Thanks
 
LVL 61

Expert Comment

by:btan
See if the below helps:

It was because of UAC on Server 2008. The domain admins did have access granted to them and they were logged in as members of the Domain Admins group, but could not use the privileges because of UAC.

The permissions were set up so domain admins ONLY had rights to the drive via privileges granted to the domain admins group (Full Control permissions to Administrators, System and Domain Admins and nothing else).

When you have UAC turned on, and you access the drive locally, the user does not access Windows Explorer with the token that has their domain admins credentials in it, so you can't even read the ACL and get access denied errors. It looks like only the domain admins group has this problem, because the built-in local administrator account is not stopped by this issue.
After either disabling UAC or adding List rights to the drive to the Everyone or Users group, members of domain admins could access the drive volume locally.
https://social.technet.microsoft.com/Forums/windowsserver/en-US/4ab37bcf-60f6-4d2d-82c3-496f9d32b09b/domain-admins-denied-access-to-view-volume-even-when-granted-full-control-ntfs?forum=winserverDS
 
LVL 1

Author Comment

by:unrealone1
Hi btan,

I'm afraid it doesn't really. I am also unsure why it looks like I'm supposed to be assigning more permissions to the folder/folders I'm trying to set up auditing on.

Any clarification would be greatly appreciated.
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
Indeed, the privileges for enabling auditing to track file/folder changes should not be more than is required. But most of the time domain or local admin rights are needed, as this is specific to global policy changes, which only an admin has the privileges to make. But specific to here, the critical part is setting up the right amount of auditing for the right security principal and for the right resources. Most of the time the files and folders of interest are delegated to and owned by the users themselves, who have exclusive rights, e.g. to their home folders. Otherwise only members of the local (or domain) administrators group would have the ability to read or modify the contents of the folders.

For this error, it is more likely due to the fact that the admin is not the owner of the content whose permissions we are changing. See the suggested fixes:
http://www.thewindowsclub.com/fix-failed-to-enumerate-objects-in-the-container

Alternatively, to not grant full rights to the admin, it is a balanced risk assessment whether you still want to go ahead with such in-depth tracking of changes. To consider:
- never use generic groups like Authenticated Users or Domain Administrators.
- never over-audit, as the security log can get cluttered and negate the effect of surfacing anomalous activities. Go specific, and not all permissions per se, if the folder/file is read-only, etc.
- define a group – say ‘AuditedUsers’ – and put only the necessary users in it, with the privileges to access, for the purpose of auditing.

Or you may want to consider this: http://www.fileaccessauditing.com/
 
LVL 1

Author Comment

by:unrealone1
Hi,

Thanks, but I still do not understand the way this works. I have to set up an AD group that I drop all the users into whose access I want audited. Then I apply this object (AD group) to the Auditing tab?

I still do not understand why permissions are coming into play here. These users will have full access (read, write, delete, etc.) to these files and folders.

Thanks for the continuous comments. I haven't set up Windows auditing before.
 
LVL 61

Assisted Solution

by:btan
btan earned 400 total points (awarded by participants)
You should step through the post and test it out. I suspect the denial is due to the inherited permission, which overrides / conflicts with the underlying group permission. The most restrictive permission will take precedence.
First, click the Change link for Owner in the Advanced Security Settings window. Then click the Advanced option in the Select User or Group window, and then click Find Now in the other window that opens. Here you need to select your user account under the Search Results listed. Then click OK -> OK -> Apply -> OK.
Now in the Advanced Security Settings, you must check "Replace owner on subcontainers and objects" and "Replace all child object permission entries with inheritable permission entries from this object".
http://www.thewindowsclub.com/fix-failed-to-enumerate-objects-in-the-container
 
LVL 1

Author Comment

by:unrealone1
Hi guys,

I think I have done it and set it the way it needs to be; however, I cannot see any logs under 4656 or 4658 at all. I have also made a custom view to only look for these specific codes and still nothing.

I'm afraid I don't understand the background and the backend of how this works. If you could explain it in stupidly layman's terms, I might be able to get my head around it better.

Thanks
 
LVL 61

Accepted Solution

by:
btan earned 400 total points (awarded by participants)
4656 and 4658 are controlled by the audit policy subcategory settings Handle Manipulation and File System.
8. In Windows Server R2 and later versions, you can also configure these settings through Advanced Audit Policy Configuration. Go to the node Advanced Audit Policy Configuration (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration).

9. Expand this node, go to Object Access (Audit Policies -> Object Access), then change the settings
Audit Detailed File Share, Audit File System and Audit Handle Manipulation.
Refresh or update the GPO by running the command GPUpdate /Force to apply this setting on all the file servers that are inside the OU File Servers.
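The author above sees no 4656/4658 events even after configuring the folder. As an added example, not code from the accepted answer, here is a PowerShell check that the subcategories are effective on the host, followed by a query that lists who opened what under the audited folder, failed attempts included. It goes slightly beyond the thread by also pulling 4663 (the event that records the access actually performed, which, unlike 4658, carries the object name). The folder path is an assumed placeholder.

```powershell
# Added example, not from the thread. Run elevated on the file server (reading
# the Security log needs local admin or Event Log Readers membership).
$Folder = 'D:\Shares\Finance'   # assumed folder path used in the SACL (placeholder)

# 1) Confirm the subcategories are effective on THIS host. If the GPO did not apply
#    (e.g. the server is not in the targeted OU), these rows still read "No Auditing".
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Handle Manipulation"

# 2) Pull handle requests (4656) and performed accesses (4663) from the last 24 h.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $since } -ErrorAction SilentlyContinue

# 3) Flatten the EventData XML so each row shows who touched which file, how, and whether it was denied.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -notlike "$Folder*") { continue }    # keep only the audited share
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Outcome = if ($e.KeywordsDisplayNames -contains 'Audit Failure') { 'Failure' } else { 'Success' }
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object  = $d.ObjectName
        Access  = ($d.AccessList -replace '\s+', ' ').Trim()   # raw %%-coded rights, e.g. %%4416 = ReadData
        Process = $d.ProcessName
    }
}
$rows | Sort-Object Time | Format-Table -AutoSize

# 4) Denied attempts only, grouped by user: the "who tried and failed" view the question asks for.
$rows | Where-Object Outcome -eq 'Failure' | Group-Object User | Select-Object Name, Count
```

If step 1 shows "No Auditing" the SACL alone produces nothing, which is the usual reason a custom view on 4656/4658 stays empty.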
 
LVL 61

Expert Comment

by:btan
As per advice given on tackling the error.