With data volume growing exponentially, protecting digital assets is becoming increasingly more challenging for most organizations.
Unauthorized modification and relocation of data disrupt the normal business functions and can result in damage to reputation, legal penalties and financial losses. Proactive monitoring of changes made to files and folders helps to reduce cases of theft and accidental exposure of sensitive information.
In this article, we will discuss two methods by which you can detect changes made to any file in a shared folder. One is using the native method, and the other is using Lepide File Server Auditor.
Steps to Track Changes Made to Files in a Shared Folder with Native Auditing
Below are the steps to enable auditing and track events in event logs
Step 1: Configuring the policies
- Type “GPMC.msc” in the “Command Prompt” or “Run” dialogue box to open “Group Policy Management” console.
- Navigate to “Forest” ➔ “Domains” ➔ “www.domain.com”
- Right-click default domain policy or customized policy under “Domain Controllers” node
Note: We recommend you to create a new Group Policy Object (GPO), link it to the domain and then edit.
- To access “Group Policy Management Editor”, click “Edit” in the context menu.
- Go to “Computer Configuration” ➔ “Policies” ➔ “Windows Settings” ➔ “Security Settings” ➔ “Local policies” ➔ “Audit policy” ➔ “Audit object access” policy
- Double-click “Audit object access” policy to open “Properties” window.
- Click “Define these policy settings”.
- Select “Success” and “Failure” checkboxes. Click “Apply” and “Ok”.
- Navigate to “Advanced Audit Policy Configuration” ➔ “Audit Policies” ➔ “Object access”.
- Configure “Audit File System” policy and “Audit Handle Manipulation” policy.
- Open their respective “Properties” window and define the settings for both “Success” and “Failure” events.
- Click “Apply” and “Ok” after enabling both audit policies.
- To apply policy on the domain, execute the following command in “Command Prompt”:
Step 2: Configure auditing on the file/folder you want to track
You have to perform the following steps at the file or folder. If you perform them on a folder, these settings can be selected to be applied to its sub-folders and files.
- Open “Windows Explorer” and navigate to file share that you want to audit.
- Right-click the file and click “Properties” in the context menu.
- Switch to “Security” tab and click “Advanced” button to open “Advanced Security Settings”
- Switch to “Auditing” tab which displays already existing auditing entries.
- Click “Add” to create a new auditing entry. The “Auditing Entry” window opens up on the screen.
- Now click “Select a Principal” to choose the users whose activities you want to track. For tracking the activities of all the users, enter “Everyone” in “Enter the object name” box.
- Click “Ok” after finalizing your selection.
- Select “All” option from “Type” drop-down menu.
- In the Permissions section, click “Show advanced permission” and select the following:
- Create files/ write data
- Create folders/ append data
- Write attributes
- Write extended attributes
- Click “Ok” to close the “Auditing entry” window. It takes you back to “Auditing” tab of “Advanced Security settings” window.
- Click “Apply” and “Ok” and close file “Properties”.
Step 3: Tracking events in the “Event Viewer”
- Let us have a look at the steps to track events:
- Open “Event Viewer”.
- Expand “Windows Logs” and select “Security”.
- Click “Filter current log”.
- Event ID 4656 is generated whenever an application attempts to access an object (as per the set audit policy) but does not necessarily mean that any permissions were exercised.
- Event ID 4658 determines the duration for which an object was open.
- Event ID 4663 indicates if permissions like read, write, delete or rename have been exercised.
- The type of permission accessed is indicated by “Accesses” in the event details.
How Lepide File Server Auditor Tracks File Changes in Shared Folders
Lepide File Server Auditor (part of Lepide Data Security Platform) empowers you with the ability to detect critical changes in your business enterprise without having to put in any manual effort. Granular reporting and real time alerts are just a few of the features that help you automate otherwise time-consuming tasks.
The following is a screenshot of “All modifications in Shared file and folder” report generated by Lepide’s File Server Auditor.
You can see here how easy it is to dive into all changes being made to shared files and folders. Why don’t you download the free trial of Lepide’s File Server auditing solution today and try it out for yourself?