Pro-active and in-depth file server auditing is an essential part of maintaining a secure IT environment. Organisations need to be sure that they can keep track of who is making changes to their critical files and folders and what those changes are.

Fortunately, Microsoft Windows Server OS has some in-built file server audit features that can help to give you an insight into changes being made.

Below is a detailed description of the procedure for tracking activities on files and folders:

1. Open the ‘Run’ window, type ‘gpmc.msc’, and click OK

Run ‘gpmc.msc’ on DC or workstation where Administration Tools pack installed.

2. Right-click on a domain policy and select Edit
3. Double-click on ‘Audit object access’

Now expand as Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy and double-click ‘Audit object access’.

4. Select the check-boxes Success, Failure or both

Select the check-boxes as per your auditing needs.

  • Audit only successful attempts – Select ‘Success’ check box
  • Audit only failed attempts – Select ‘Failure’ check box
  • To audit both success and failed attempts – Select both check boxes
5. Right-click the folder and select Properties

Now in Windows Explorer:

  • Select the folder on which you want to track/audit activities
  • Right click on the folder
  • Click on properties
6. In the Properties windows, click the Security tab

In the Properties windows click the Security tab, and then click Advanced.

7 Click the Auditing tab, and click Edit

In the Advanced Security Settings for dialog box, click the Auditing tab, and click Edit.

In the new dialogue box, click Add and add Everyone to the list.

Now, in the Auditing entry for window, select Full control and click OK. Finally, close all open windows by clicking OK buttons.

8. Open ‘Event Viewer’

Go to start menu to open ‘Event Viewer’. Once ‘Event Viewer’ opens:
Expand ‘Windows Logs’ > Select ‘Security’ > Click on ‘Filter Current Log..'.

9. Enter an event ID to search for it

Enter the event ID you want to search. Here, we are entering Event ID 4656 (the event that is generated when ‘a handle to an object was requested’).

10. Double-click on any event to see its details

When all the events having ID are listed, double-click on any event to see its details.

11. Search for other relevant event IDs given below

You can also search for other relevant event IDs given above

However, most of the time, native file server auditing just doesn’t give enough level of detail. This is because it is an entirely reactive process. For more effective file server auditing, it is important to be constantly keeping an eye on changes. This is simply not possible with native methods. Fortunately, third-party auditing solutions, like LepideAuditor for File Server, can simplify this process using intuitive UIs and user-friendly features to automate what would otherwise be very time consuming tasks.

How LepideAuditor for File Server can help you better track file and folder level activity

LepideAuditor for File Server captures file/folder events in order to monitor each and every activity of users in both Windows File Servers and NetApp filers. The solution generates an “All Modifications Report” in the “Audit Reports” tab that displays detailed information about all changes (in both Grid view and Graph View) that have been made by users in file systems. Below is a screenshot with an example of the “All Modifications Report” in LepideAuditor for File Server.

The Final Note

When it comes to native auditing, ensuring a secure IT environment directly correlates to how much time you have to perform regular audits and health checks of your file servers. If you find that you simply don’t have the time for native auditing, or that the process is too complex, then you can always rely on solutions like LepideAuditor for File Server.



Download LepideAuditor for File Server

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.