How to track permission changes on File Servers

Tracking file server permission changes is important because these changes can lead to unauthorized access and ultimately to data leakage. Those in charge of IT security must therefore track permission changes to know who changed a permission and when. You can do this by enabling object access auditing and configuring the particular files and folders to audit changes in permissions. After you have enabled permission change auditing, you can view and investigate all permission changes in Event Viewer. This article shows the native way of tracking permission changes. An easier way of doing it with LepideAuditor is also included.


Step 1: Open Local Security Policy

Go to “Administrative Tools” and open “Local Security Policy”.

Figure 1: Local Security Policy

Step 2: Enable Audit Object Access policy

In “Local Security Policy”, click “Local Policies”, and then click “Audit Policy”. A list of all audit policies is displayed in the right pane.

Figure 2: Local Security Policies

In the policy list, double-click “Audit object access” to open its “Properties” window.

Figure 3: Audit Object Access Properties

Select “Success” and “Failure” checkboxes. Click “Apply” and “OK”.

Step 3: Track permission changes

Next, locate the folder whose permission changes have to be tracked. Right-click it and select “Properties” from the context menu. In the “Properties” window, switch to the “Security” tab.

Figure 4: Properties Window

Click “Advanced” to access the advanced settings.

Step 4: Add a new auditing entry

In “Advanced Security Settings”, go to “Auditing” tab.

Figure 5: Add a new audit entry
 

Click “Add” to add a new auditing entry. “Auditing entry… ” window appears on the screen.

Figure 6: Add a new Audit Entry
 

Enter the following information in this dialog box:

Principal: Click the “Select a Principal” link to select users for auditing. You can also select “Everyone”; to do that, type “Everyone” in the text box and click “Check

Figure 7: Select user

Click “OK”. It takes you back to “Auditing Entry” window.

Figure 8: Creating auditing entry

Type: In “Type” drop-down menu, select “Success”, “Fail” or “All” as per requirement. It is recommended to audit “All” changes.

Applies To: Select “This folder, subfolders and files” to apply this auditing to all files and folders in the selected folder.

Basic Permissions: Select the permissions that you want to audit.

Add a condition: Click “Add a condition” to narrow the scope of auditing. This ensures that you have fewer event logs to search. You can add multiple conditions if you want.

Click “OK” to close the window.

Click “Apply” and “OK” to close “Advanced Security Settings…” window. Click “OK” to close folder’s “Properties”.
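Steps 1 to 4 can also be scripted. The following is an added example, not part of the original article or of any Lepide tooling. The folder path is a placeholder, and the audited rights (“Change permissions” and “Take ownership”) are a choice made for this example.

```powershell
# Added example. Run in an elevated PowerShell session on the file server.
$Path = 'D:\Shares\Finance'   # placeholder: the folder to audit

# Steps 1-2: turn on success and failure auditing for object access.
# Category names are localized; this is the English name.
auditpol /set /category:"Object Access" /success:enable /failure:enable

# Steps 3-4: read the folder's security descriptor including its SACL.
$acl = Get-Acl -Path $Path -Audit

# "Everyone" by well-known SID, so the script also works on non-English systems.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'

# Rights chosen for this example: the two that allow rewriting the ACL.
$rights = [System.Security.AccessControl.FileSystemRights]'ChangePermissions, TakeOwnership'

# Applies to: "This folder, subfolders and files"
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Type "All" = Success and Failure
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone, $rights, $inherit, $propagate, $flags)

# AddAuditRule merges with existing audit entries instead of replacing them.
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Check the result: effective audit policy and the folder's audit entries.
auditpol /get /category:"Object Access"
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```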

Step 5: View changes in Event Viewer

After you have enabled the auditing, the events will be logged in the system whenever a change in permissions of that folder is detected. To view the logs, go to Control panel → Administrative Tools → Event viewer. Now open the event logs and go to “Windows Logs”, and select “Security”. All the events in this category are displayed in the middle pane.

Figure 9: Windows Event Viewer

Step 6: View the relevant events

On the right side, select “Filter current log…” option. From this option, you can easily add filters to find specific event logs from all the logs on the file server. Search for the event ID 4670 that corresponds to permission changes on an object.

After you have found the events, double-click any event to view its properties in “Event Properties” window. Here, you find all the details related to the event.

Figure 10: Event properties window
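The same search can be run from PowerShell instead of the Event Viewer filter. This is an added example, not from the original article; the folder path and the seven-day window are placeholders, and decoding the security descriptors with ConvertFrom-SddlString assumes PowerShell 5.0 or later.

```powershell
# Added example. Run elevated; reading the Security log requires it.
$Path  = 'D:\Shares\Finance'            # placeholder: audited folder
$Since = (Get-Date).AddDays(-7)         # placeholder: look-back window

# Turn an SDDL string into readable DACL entries; empty list if it cannot be parsed.
function Get-DaclEntries([string]$Sddl) {
    try {
        @((ConvertFrom-SddlString -Sddl $Sddl -Type FileSystemRights -ErrorAction Stop).DiscretionaryAcl)
    } catch { @() }
}

$filter = @{ LogName = 'Security'; Id = 4670; StartTime = $Since }

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Event data is a list of named <Data> elements; index them by name.
    $d = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4670 is also logged for non-file objects; keep files and folders under $Path.
    if ($d.ObjectType -ne 'File' -or $d.ObjectName -notlike "$Path*") { return }

    $old = Get-DaclEntries $d.OldSd
    $new = Get-DaclEntries $d.NewSd

    [pscustomobject]@{
        When    = $_.TimeCreated
        Who     = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Object  = $d.ObjectName
        Process = $d.ProcessName
        Added   = @($new | Where-Object { $_ -notin $old }) -join '; '
        Removed = @($old | Where-Object { $_ -notin $new }) -join '; '
    }
} | Sort-Object When | Format-List
```

The Added and Removed columns show which access control entries differ between the old and new security descriptors recorded in each event.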

Using LepideAuditor

LepideAuditor for File Server gives you an easy way to detect, monitor, and report on file server permission changes.

Just select the report from the list of pre-defined reports, specify the date range you want the report to cover, and click the “Generate” button.

Figure 11: LepideAuditor report

This report gives the following information.

  • What – Permission that was changed.
  • When – When it was changed.
  • Who – Who changed the permission.
  • Object Name – File or folder, whose permission was changed.
  • Object Path – The location of the object.
  • Operation – The exact operation that was performed and what was changed.
  • Process Name – The name of the process.
  • From – From which computer the permission was changed.

Along with the Permission Changes Report, LepideAuditor has built-in Historical Permission Analysis (which shows changes in permissions of shared files and folders) and a Current Permission Report (which shows current effective permissions of shared files and folders).

Conclusion:

This article shows how to detect permission changes on a file server using the native method. It also shows how to achieve a next-gen level of auditing through an even easier method, LepideAuditor. Such reports will not only help you meet compliance requirements, but will also help you keep your enterprise boundary secure.




Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.