As per Spiceworks Virtualization Trends for 2016, Windows Server 2012 has been one of the most widely deployed servers around the globe for supporting collaborative work environments. Because of the intrinsic nature of these kinds of environments, where multiple users have access to the same resources, fixing responsibility for user actions becomes very important.

Thus, it is important to audit all user actions concerning files and folders access. In this article, the process of enabling files and folders auditing on Windows Server 2012 has been explained.

On Windows Server 2012, auditing file and folder accesses consists of two parts:

1. Enable File and Folder auditing which can be done in two ways:

  • a) Through Group Policy (for Domains, Sites and Organizational Units)
  • b) Local Security policy (for single Servers)

2. Configure audit settings for File and Folders

This article will cover the process of enabling auditing for object access on a Windows Server 2012 through Group Policy.

1 Enable Auditing through Group Policy

To enable auditing through GPO, follow these steps:

  • 1. Go to “Start” ➔ “Control Panel”. In this window, double-click “Administrative Tools”, and then double-click “Group Policy Management” console to open it.
  • 2. Go to the concerned domain and expand it as shown in the following figure.
Figure 1: Go to concerned domain and expand the node

3. Right-click “Group Policy Objects, and click “New”.

Figure 2: Select New from the context menu

4. In “New GPO” dialog box, enter the name of new GPO and click “OK”.

Figure 3: Enter new GPO's name

5. Right-click the newly created GPO and click “Edit” to open “Group Policy Management Editor” window.

Figure 4: GPO management editor

6. In “Group Policy Management Editor”, go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Local Policies”.

7. Select “Audit Policies” to view all of its policies in the right panel.

Figure 5: Audit policies

8. Double-click “Audit Object Access” to access its properties

9. Click “Define these Policy Settings” to check its box.

10. Check both “Success” and “Failure” boxes.

Figure 6: Configure Audit object access

11. Click “Apply” and “OK”.

12. Execute the following command at “Run” or “Command Prompt” to apply this policy on the domain controller. gpupdate /force

After the policy has been applied, you can configure audit settings for File and Folders.

2. Enable Auditing of Specific Folder

To select specific folders and define users, follow these steps.

  • 1. Select the folder that you want to audit.
  • 2. Right-click and click “Properties” to access its properties.
  • 3. Go to “Security” tab, and click “Advanced”.
Figure 7: Property sheet of the folder

4. In “Advanced Security Settings…” dialog box, select “Auditing” tab.

Figure 8: Click the Auditing tab

5. Click “Add”. “Auditing Entry for…” window appears on the screen.

Figure 9: Auditing Entry for Documents dialog box

6. Click “Select a principal” link. It shows “Select User…” dialog box.

7. Type the name of that user, of which access you want to monitor. Click “Check Names” button to validate its entry. You can repeat this step to provide the names of all users, whose access to the selected folder have to monitored. Alternatively, you can type “Everyone” to monitor every users’ accesses to this folder.

Figure 10: Select User for auditing

8. Click “OK” once you have made your selection of users. It takes you back to “Auditing Entry” window.

Figure 11: Auditing Entry for Documents settings

9. Select “Both” in “Type” drop-down menu to monitor both “Success” and “Fail” accesses made to the folder.

10. In “Applies to” drop-down menu, select “This folder, subfolders, and files”.

11. Select “Full Control” or the appropriate permissions for auditing. It is advised to click “Show Advanced Permissions” and select all permissions.

12. You can use “Add a condition” link at the bottom to limit the scope of this auditing entry. You can add multiple conditions, if required. This way the auditing will generate limited logs.

13. Click “OK” to save the settings and close “Auditing Entry for …” window.

14. Click “Apply” and “OK” to close “Advanced Security Settings for” window.

15. Click “OK” to close the folder properties.

View the Record in Event Viewer

After auditing has been enabled, the logged events can be viewed in Event Viewer. The following image shows the logged event for a file access.

Figure 12: File access event in event viewer
LepideAuditor for file and folder access auditing

The following image shows a file read report in LepideAuditor.

Figure 13: LepideAuditor file access report

Conclusion:

In this article, the process of configuring files and folders auditing through native means has been discussed. A better option of doing the same thing with LepideAuditor for File Server has also been shown. Given the importance of security and compliance, it is not a difficult to decide that a specialized solution like LepideAuditor should be given preference over other options.



Download LepideAuditor for File Server

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.