Best practice for auditing and monitoring file/folder level activity

Russell Smith by   04.06.2016   Auditing

file-delete

Discovering that sensitive data has been compromised or deleted often happens by chance. But the longer an incident goes undetected, the more potential there is for damaging fallout.

In a perfect world, the best way to prevent unwanted change, whether by authorized users or hackers, is to follow security best practices, such as managing privileged access, user permissions, restricting the use of domain admin accounts, and implementing a change control process. But as legacy servers continue to run line-of-business applications and new technology is added at a rapid pace, IT systems are becoming more difficult to manage because of their complex and distributed nature.

But despite the effectiveness of the best practices mentioned above, they don’t mitigate the need for a proper monitoring solution. Windows Server can be configured to monitor files and folders for changes, and then log that information. And while Windows Server offers some useful features for managing event logs, such as the ability to ship logs to a central location, set up alerts and create views to filter out unwanted information, there are also plenty of shortcomings that are likely to hinder your ability to discover unwanted changes in a timely manner.

Windows Server auditing limitations

Windows doesn’t offer real-time monitoring and has some other caveats that can generate a significant amount of log data, making it harder to identify significant changes. For example, it’s not possible to control which file shares are monitored when System Access Control Lists (SACLs) are enabled for the entire computer using Global Object Access Auditing. And there are no user-level exclusions for members of the local Administrators group, which can be a problem when backup, or other software, runs in the context of a local administrator account because of the extra noise generated in the event logs. It’s also worth remembering that while Windows Server auditing can log that a change to a file has occurred, it doesn’t detail the before and after state.

Identify, log, alert, and act

Identifying what should be monitored and then ensuring that you’re quickly alerted is key to being able to identify unwanted changes and potential malicious activity in your environment. But as you’ve probably guessed, it’s a challenge to configure Windows Server to monitor what’s most important. And once an auditing baseline has been established, ensuring that the right information can be extracted from the logs and acted on quickly is no easy task. This is where a third-party monitoring and auditing solution can help.

While gathering information from file servers isn’t necessarily a difficult undertaking, even with the native tools, collecting valuable data and configuring alerts and reports that IT staff can act on quickly is best suited to a third-party solution in large complex environments.

About author: Russell Smith – Windows Server Expert and IT Consultant (Guest Blogger for Lepide)


Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.