How to Track Permission Changes on File Servers
Tracking permission changes on file servers is important because such changes can lead to unauthorized access and, ultimately, data leakage. Those in charge of IT security must therefore track permission changes to know who changed a permission and when. You can do this by enabling object access auditing and configuring the relevant files and folders to audit changes in permissions. Once permission change auditing is enabled, you can view and investigate all permission changes in Event Viewer. This article shows the native way of tracking permission changes. An easier way, using LepideAuditor, is also included.
Enable Global Audit Policy
Step 1: Open Local Security Policy
Go to “Administrative Tools” and open “Local security policy”.
Step 2: Enable Audit Object Access policy.
In “Local Security Policy”, click “Local Policies”, and then click “Audit Policy”. A list of all Local Security Policies is displayed in the right pane.
In the policy list, double-click “Audit object access” to open the “Properties” window.
Select “Success” and “Failure” checkboxes. Click “Apply” and “OK”.
Step 3: Track permission changes
Next, locate the folder whose permission changes have to be tracked. Right-click it and select “Properties” from the context menu. In the “Properties” window, switch to the “Security” tab.
Click “Advanced” to access the advanced settings.
Step 4: Add a new auditing entry
In “Advanced Security Settings”, go to “Auditing” tab.
Click “Add” to add a new auditing entry. “Auditing entry… ” window appears on the screen.
Enter the following information in this dialog box:
Principal: Click the “Select a Principal” link to select users for auditing. You can also select “Everyone”; to do so, type “Everyone” in the text box and click “Check
Click “OK”. It takes you back to “Auditing Entry” window.
Type: In “Type” drop-down menu, select “Success”, “Fail” or “All” as per requirement. It is recommended to audit “All” changes.
Applies To: Select “This folder, subfolders and files” to apply this auditing to all files and folders in the selected folder.
Basic Permissions: Select the permissions that you want to audit.
Add a condition: Click “Add a condition” to narrow the scope of auditing. This limits the number of event logs you have to search. You can add multiple conditions if you want.
Click “OK” to close the window.
Click “Apply” and “OK” to close “Advanced Security Settings…” window. Click “OK” to close folder’s “Properties”.
Step 5: View changes in Event Viewer
After you have enabled auditing, an event is logged on the system whenever a change in the permissions of that folder is detected. To view the logs, go to Control Panel → Administrative Tools → Event Viewer. Open “Windows Logs” and select “Security”. All the events in this category are displayed in the middle pane.
Step 6: View the relevant events
On the right side, select the “Filter current log…” option. With it, you can add filters to find specific events among all the logs on the file server. Search for event ID 4670, which corresponds to permission changes on an object.
After you have found the events, double-click any event to view its properties in “Event Properties” window. Here, you find all the details related to the event.
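The six steps above can also be scripted. The following PowerShell is an added example, not part of the original article or of LepideAuditor; the folder path is a placeholder, and auditing only the “Change permissions” right is an assumption made to keep the log focused on permission edits.

```powershell
# Run in an elevated PowerShell session on the file server.
# ASSUMPTION: placeholder path; replace with the folder you want to audit.
$Folder = 'D:\Shares\Finance'

# Steps 1-2: enable Success and Failure auditing for Object Access
# (command-line equivalent of the "Audit object access" policy).
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# Steps 3-4: auditing entry for Everyone (well-known SID S-1-1-0), type "All",
# applied to this folder, subfolders and files.
# ASSUMPTION: only the "Change permissions" right is audited.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')
$rights   = [System.Security.AccessControl.FileSystemRights]::ChangePermissions
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propag   = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone, $rights, $inherit, $propag, $flags)

$acl = Get-Acl -Path $Folder -Audit   # -Audit loads the SACL along with the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# Steps 5-6: read event ID 4670 from the Security log and extract who changed
# what, keeping only events for objects under $Folder.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } `
    -ErrorAction SilentlyContinue   # no matching events is not an error here

$report = foreach ($e in $events) {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d['ObjectName'] -notlike "$Folder*") { continue }

    [pscustomobject]@{
        When    = $e.TimeCreated
        Who     = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Object  = $d['ObjectName']
        Process = $d['ProcessName']
        OldSddl = $d['OldSd']   # security descriptor before the change (SDDL)
        NewSddl = $d['NewSd']   # security descriptor after the change (SDDL)
    }
}
$report | Sort-Object When -Descending | Format-List
```

Comparing `OldSddl` with `NewSddl` shows exactly which access control entries were added or removed; `ConvertFrom-SddlString` renders either value in readable form.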
LepideAuditor for File Server gives you an easy way to detect, monitor, and report on file server permission changes.
Just select the report from the list of pre-defined reports, specify a date range whose report you want, and click “Generate” button.
This report gives the following information.
- What – Permission that was changed.
- When – When it was changed.
- Who – Who changed the permission.
- Object Name – File or folder whose permission was changed.
- Object Path – The location of the object.
- Operation – The exact operation performed and what was changed.
- Process Name – The process name.
- From – From which computer the permission was changed.
Along with the Permission Changes Report, LepideAuditor includes Historical Permission Analysis (which shows changes in permissions of shared files and folders) and the Current Permission Report (which shows current effective permissions of shared files and folders).
This article shows how to detect permission changes on a file server using the native method. At the end, it also shows how to achieve the next-gen level of auditing through an even easier method, LepideAuditor. Such reports will not only help you meet compliance requirements, but will also help you keep your enterprise boundary secure.