How to keep track of file/folder access, modification and location

Amritesh Singh by   05.13.2016   Auditing


All organizations should be able to immediately see what’s happening to their files/folders and when it is happening. With security breaches becoming more common, and compliance mandates becoming more prevalent, the requirement to ensure you have adequate auditing on your file/folders is more important than ever before.
In this article we will show you how to audit your file/folder level access using native tools in three steps:

A). Enabling the auditing

Go to Active Directory Users and Computers, right-click the container holding the DC and click properties. In the Group Policy tab, edit the Default Domain Policy. Open the Group Policy window, go to Computer Configuration, and go to Windows Setting -> Security Settings -> Local Policies and select audit policy. Double-click on the Object Access to enable auditing for files and folders access. The Group Policy Management Editor windows is shown in the image below.

Windows, by default, stores the event logs for Windows XP and earlier versions in %SystemRoot%\System32\Config directory

For later versions logs are stored in %SystemRoot%\System32\winevt\logs directory.

The files have .evt and .evtx extension and are inter-convertible.

Enabling Native Auditing

B). Selecting files and folders for auditing

To select what you want to be audited, open Windows Explorer and find the relevant files or folders. Right-click on the file or folder, click Properties and click on the Security tab. Go to Advanced -> Auditing tab to select which user or group to audit. Click on Add button and in the name field enter the user or group you want to audit. In the auditing entry dialog box, select the access types that you want to audit and also specify whether you want to audit successful or failed attempts or both. The below image shows the auditing dialog box.

Auditing Dialog Box

C). Log analysis and reporting

After auditing has been enabled and the audit settings have been chosen, you’re ready to start log analysis. Open the start menu on the file server in question, type eventvwr.msc and press enter. This will open the event viewer window. In the left pane select the category of the events, and in the middle pane all the events in that category will get listed. You can filter these event logs or find a specific event ID using the options available in the ‘Actions’ pane on the right. To know more about an event, you can click on it and a new window will open up in which further information will be shown.

Event Viewer window

Comparing Native Auditing to LepideAuditor for File Servers :

As demonstrated above, you can audit file/folder level access using native tools alone but the process can be time consuming and requires multiple steps. IT teams that are looking for a faster and more automated approach may benefit from utilizing third-party solutions like LepideAuditor for File Server.


Conclusion :

Natively auditing file/folder level access can be broken down into three steps. But, as shown above, these steps are lengthy, time consuming and don’t give the level of detail that many IT teams require. In order to see more comprehensively who is accessing your files and folders at any specific moment you may find the benefit of looking at a third-party solution like LepideAuditor for File Servers.

LepideAuditor has over 270 pre-defined reports to help with systems management, security and compliance. Organizations that require a more pro-active approach to auditing will benefit from being able to set automatic custom alerts and reports. Ultimately, whichever method you choose, make sure that your file/folder level access auditing is continuous and proactive so that you reduce the risk of an incident.

Lepide® is a Registered Trademarks of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All Trademarks Acknowledged.