Enable File Access Auditing in Windows


    8/11/2019

    In this article I am going to explain File System Access Auditing and how to enable it in a Windows environment. In some places we refer to File Access Auditing as File Server Access Auditing, File System Change Auditing or File Share Change Auditing; all of these terms are used interchangeably.

    Summary:

    1. File System/File Server Access Auditing Introduction
    2. File System Access Audit Event IDs
    3. Steps to Enable File Access Auditing Event IDs via new Group Policy
    4. Enable File Access Auditing to Specific File Servers
    5. Steps to Enable File Access Security Audit
    6. Steps to Enable File Access Auditing using Auditpol command line tool

    File Access/File Share Access Auditing Introduction:

    In every organisation, sharing files and documents with users over the network is inevitable. For security, access to certain files and folders should be granted only to a specific set of users. However, permissions are never perfect, so auditing file and folder access is necessary for any organisation. The possible accesses are File Create/Add, File Delete, File Open, File Copy, File Rename, File Move, File Access, File Permission Change and File Access Failures. These accesses can be tracked through the File Share Audit Event IDs, which are controlled by the Audit Policy and the File Security Audit. So to get these event logs you need to enable the Object Access Audit Policy and the File Access Security Audit.

    File Access Audit Event IDs:

    File Access Auditing is controlled by the following event IDs:

    4656: This is the first event logged when a user attempts to access a file. It records what type of access the user requested, not what access was actually performed (that is given by Event ID 4663). 4656 is controlled by the audit policy subcategories Handle Manipulation and File System.

    4663: This event records the operation actually performed by the user on the file.

    4658: This event is logged when the user closes the file. Correlating it with the earlier Event ID 4656 that carries the same Handle ID tells you how long the file was open.

    4660: This event is logged when a user deletes a file or folder.

    4990: This event is logged when a user opens a file.

    4670: This event is logged when a user changes the permissions of a file (security control list). The event records who changed the permissions and the old and new permissions.

    5145: This is an Advanced Detailed File Share event, available only from Windows 7 / Windows Server 2008 R2 and later versions. 5145 is the equivalent of Event ID 4656 and contains extra information such as the user's client machine (source machine) address and the share path (network path) of the accessed file.
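The correlation described above, as an added example that is not part of the original article: it reads the local Security log with PowerShell and stitches 4656 (open requested), 4663 (access performed) and 4658 (handle closed) into one "who opened what, did what, for how long" record per handle. It assumes the audit policy and folder SACL are already configured, an elevated session (the Security log needs it), and that the Handle Manipulation subcategory is enabled so that 4656 exists; the 24-hour window is an arbitrary choice.

```powershell
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663, 4658; StartTime = $since } `
                       -ErrorAction SilentlyContinue | Sort-Object TimeCreated

function Get-EventField {
    # EventData fields are read by name from the event XML; positional Properties[] indices
    # differ between event IDs, so name-based lookup is the safe way to pull HandleId etc.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$open     = @{}   # handles currently open, keyed ProcessId:HandleId (handle values are reused after close)
$sessions = [System.Collections.Generic.List[object]]::new()

foreach ($e in $events) {
    $key = '{0}:{1}' -f (Get-EventField $e 'ProcessId'), (Get-EventField $e 'HandleId')
    switch ($e.Id) {
        4656 {   # open requested: start a new session for this handle
            $open[$key] = [pscustomobject]@{
                User      = Get-EventField $e 'SubjectUserName'
                Object    = Get-EventField $e 'ObjectName'
                Requested = ((Get-EventField $e 'AccessList') -replace '\s+', ' ').Trim()   # raw %%-coded access names
                Performed = [System.Collections.Generic.List[string]]::new()
                Opened    = $e.TimeCreated
                Closed    = $null
            }
        }
        4663 {   # access actually performed on the open handle
            if ($open.ContainsKey($key)) {
                $open[$key].Performed.Add(((Get-EventField $e 'AccessList') -replace '\s+', ' ').Trim())
            }
        }
        4658 {   # handle closed: session complete, duration is now known
            if ($open.ContainsKey($key)) {
                $open[$key].Closed = $e.TimeCreated
                $sessions.Add($open[$key])
                $open.Remove($key)
            }
        }
    }
}

$sessions |
    Select-Object User, Object, Requested,
        @{ n = 'Performed';   e = { ($_.Performed | Select-Object -Unique) -join '; ' } },
        @{ n = 'OpenSeconds'; e = { [int]($_.Closed - $_.Opened).TotalSeconds } } |
    Sort-Object OpenSeconds -Descending | Format-Table -AutoSize
```

The AccessList values stay in their raw %%-coded form as found in the event XML; the resolved names are only available in the event's Message text.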

    Steps to Enable File System Change Audit Event IDs via new Group Policy:

    Follow the below steps to configure File Share Access Auditing Events:

    Note: You should also configure the File Access Audit Security settings on the folder whose accesses you are going to audit.

    1. Open Group Policy Management Console by running the command gpmc.msc.

    2. Expand the domain node, select and right-click the OU which contains all the file servers (here I have selected the OU File Servers), then click Create a GPO in this domain, and Link it here...

    3. Type the new GPO name and click OK (Ex: File System Audit Policy).

    4. Right-click on the newly created GPO, then click Edit.

    5. Expand Computer Configuration and go to the node Audit Policy (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy).

    6. In the left side pane, select Object Access, then double-click on this setting.


    7. In the opened window, check both Success and Failure, then click Apply.

    8. In Windows Server 2008 R2 and later versions, you can also configure this setting through Advanced Audit Policy Configuration: go to the node Advanced Audit Policy Configuration (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration).

    9. Expand this node, go to Object Access (Audit Policies -> Object Access), then change the settings Audit Detailed File Share, Audit File System and Audit Handle Manipulation.

    Note: The Audit Handle Manipulation setting controls event ID 4656, which may be a noisy event for you. If you don't want event 4656, leave the setting Audit Handle Manipulation as Not Configured.


    10. Refresh the GPO by running the command gpupdate /force to apply this setting to all the file servers inside the OU File Servers.

    Apply File Access Audit Policy to Specific File Servers:

    By the above steps we have configured file access audit events for all the file servers under the OU File Servers, but in some cases we may want to apply the policy only to a subset of file servers. You can achieve this with Security Filtering of the Group Policy.

    1. Go to the Scope tab; in the Security Filtering section, select the entry Authenticated Users and click Remove.

    2. Click the Add button, click Object Types..., check Computers, select the computers (the file server computers) to which you want to apply the file system audit policy settings, and click OK to apply.

    4. Refresh the GPO by running the command gpupdate /force to apply this setting to all the selected file servers.

    Steps to Enable File Access Security Audit:

    1. Right-click on the folder for which you want to configure audit events, and click Properties.

    2. Select the Security tab, and click the Advanced button.

    3. Navigate to the Auditing tab, and click the Add button.


    4. Select the account Everyone, check the Successful and Failed audit options you want to audit, click OK, and click Apply.
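The same folder-level audit entry (the folder's SACL) applied from PowerShell instead of the Properties dialog, as an added example that is not from the original article. It assumes the placeholder path below and an elevated session, since reading or writing a SACL requires SeSecurityPrivilege.

```powershell
$FolderPath = 'D:\Shares\Finance'   # assumption: placeholder; replace with the shared folder you audit

# Audit rule equivalent to step 4: Everyone (well-known SID S-1-1-0), all rights,
# Success and Failure, inherited by subfolders and files
$everyone    = [System.Security.Principal.SecurityIdentifier]::new(
                   [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$rights      = [System.Security.AccessControl.FileSystemRights]::FullControl
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagation = [System.Security.AccessControl.PropagationFlags]::None
$auditFlags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            $everyone, $rights, $inherit, $propagation, $auditFlags)

# -Audit makes Get-Acl read the SACL as well as the DACL; without it the object carries no audit entries
$acl = Get-Acl -Path $FolderPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# Verify the folder's audit entries, then the policy subcategory that must also be on for 4663 to fire
(Get-Acl -Path $FolderPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
auditpol /get /subcategory:"File System"
```

A folder SACL alone produces no events; the File System (or Object Access) audit policy from the earlier steps must be enabled as well.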

    Steps to Enable File Access Auditing using Auditpol command line tool:

    Auditpol.exe is the command line utility for changing Audit Security settings at category and subcategory level. It is available by default on Windows Server 2008 R2 and later versions / Windows 7 and later versions. Using Auditpol, we can get/set Audit Security settings per user and per computer.

    Note: You should run the Auditpol command with elevated privileges (Run as Administrator).

    You can enable file access audit success events (Event IDs 5145, 4663, 4660, 4656, 4658) using the following commands:

    Auditpol /set /subcategory:"Detailed File Share" /success:enable
    Auditpol /set /subcategory:"File System" /success:enable


    You can enable file access audit failure events (Event IDs 5145, 4663, 4660, 4656, 4658) using the following commands:

    Auditpol /set /subcategory:"Detailed File Share" /failure:enable
    Auditpol /set /subcategory:"File System" /failure:enable

    Note: To get event ID 4656 you can also enable the Handle Manipulation setting:

    Auditpol /set /subcategory:"Handle Manipulation" /success:enable

    Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.

    Thanks,
    Morgan
    Software Developer