In any enterprise using file servers to store and share data, auditing is important to ensure data security. You can monitor multiple file servers in your domain. In this article, you will see how to track who accesses files on Windows File Servers in your organization, using Windows Server’s built-in auditing. At the end of the article, you will also see how to do it effortlessly through LepideAuditor.

Here are the steps to track who read a file on Windows File Server.

Step 1: Set “Audit Object Access” audit policy

Follow these steps one by one to enable “Audit object access” audit policy:

1. Launch “Group Policy Management” console. For that, on the primary “Domain Controller”, or on the system where “Administration Tools” is installed, type “gpmc.msc” in the “Run” dialog box, and click “OK”.

2. After you have opened the “Group Policy Management” window, you will have to create a new GPO, or edit an existing one.

3. To edit an existing GPO, in the left-pane, right-click on the default or a user-created GPO, and click “Edit” on the context menu. This action opens the Editor window of Group Policy Management Editor.

Note: If you want to track multiple folders, you will have to configure audit for every folder individually.

3. Navigate to “Security” tab.

Note: It is suggested to create a new GPO, link it to the domain, and edit it.

4. In the “Group Policy Management Editor” window, you have to set the appropriate audit policy.

5. To audit file accesses, you have to set “Audit object access” policy. For that, navigate to “Computer Configuration” → “Windows Settings” → “Security Settings” → “Local Policies” → “Audit Policy”. All the available policies under “Audit Policy” are displayed in the right panel.

Figure 1: “Audit Object Access” policy

6. Double-click ”Audit object access” policy to open its “Properties”.

Figure 2: Properties of Audit Object Access Policy

7. On this window, click “Define these policy settings” checkbox. Then, you get two options to audit – “Success” and “Failure”. The former lets you audit successful attempts made to access the objects, whereas the latter lets you audit failed attempts.

8. Select any one or both the options as per requirement. It is recommended to select both options. In our case, we have selected both the options because we want to audit both the successful and the failed attempts.

9. Click “Apply” and “OK” to close the window.

10. To immediately update the Group Policy instead of waiting for it to auto update, run the following command in the “Command Prompt”:
Gpupdate /force

Step 2: Set auditing on the files that you want to track

After configuring GPO, you have to set auditing on each file individually, or on folders that contain the files.

Here are the steps:

1. Open “Windows Explorer” and navigate to the file or folder that you want to audit.

2. Right-click the file and select “Properties” from the context menu. The file’s properties window appears on the screen.

Note: If you want to track multiple files, put them into one, two or more folders to enable their auditing easily. Doing this saves you from repeating these steps for each file.

3. By default, “General” tab of “Properties” window appears on the screen. Go to “Security” tab.

Figure 3: Security tab of File Properties

4. On “Security” tab, click “Advanced” to access “Advanced Security Settings for ” window appears on the screen.

5. In “Advanced Security Settings for ” window, go to “Auditing” tab.

Figure 4: Auditing tab of “Advanced Security Settings”

6. On this tab, you have to create a new audit entry. For that, click “Add”. The “Auditing Entry for ” window appears on the screen.

7. In “Auditing Entry for ” window, at first, select users whose actions you want to audit. Click “Select a Principal”, to open “Select User, Computer, Service Account, or Group” dialog box.

Figure 5: Select User, Computer, Service Account, or Group

8. Here, choose users to audit. If you want to audit all users’ activities, enter “Everyone” in the “Enter the object name to select” field, and click “Check Names”. In our case, we enter “Everyone”.

9. Click “OK” to close the dialog box.

10. Three options are available in the “Type” picklist: “Success”,” Fail”, and “All”. We select “All” option because we want to audit both successful and failed attempts.

11. In “Permissions” section, you can select all activities that you want to audit. In the case to audit file read, select “Traverse Folder/Execute File”, “List Folder/Read data”, “Read attributes”, and “Read extended attributes” permissions.

NOTE: If you want to audit all the activities, select the “Full Control” checkbox.

12. Click “OK” to close “Auditing Entry for File Access auditing” window.

Figure 6: “Auditing Entry” window of the file

13. Back in the “Advanced security settings” window, now you see the new audit entry.

14. Click “Apply” and “OK” to close the window.

15. Click “Apply” and “OK” to close file properties.

Step 3: Track who reads the file in Windows Event Viewer

To see who reads the file, open “Windows Event Viewer”, and navigate to “Windows Logs” → “Security”. There is a “Filter Current Log” option in the right pane to find the relevant events.

If anyone opens the file, event ID 4656 and 4663 will be logged. For example, in our case, someone opened the file (File access auditing.txt), and as shown in the following image, a file access event (ID 4663) was logged. You can see who accessed the file in “Account Name” field and access time in “Logged” field.

Figure 7: The file access event

In the below image, you can see file’s name (C:\Users\Administrator\Documents\New Text Document.txt), which is visible after you scroll down the side bar, under the “Object Name” field.

Figure 8: Name of the file in the Event 4663

In the next section, you will see how LepideAuditor for File Server can make the file auditing even more quick and straightforward.

Using LepideAuditor for File Server to track file read events

You can use LepideAuditor for File Server to track the file-read events on your Windows File Servers much easily. The following image shows “Read successful” report. The complete audit information about a file access is shown in a single line record.

Figure 9: “Read Successful” report

In the above image, you can see the same file read report (C:\Users\Administrator\Documents\New Text Document.txt) in LepideAuditor for File Server. The event is highlighted, and all the audit information like who accessed the file, when and from which system is available in a single line record.

Conclusion

This article covers the way to track file read events in Windows File Servers. You also saw how to do it far more easily with LepideAuditor for File Server which makes the entire process more quick and upfront. Thus, with our solution, you can easily track who reads files on your Windows File Servers.



Download LepideAuditor for File Server

Lepide® is a registered trademark of Lepide Software Private Limited. © Copyright 2018 Lepide Software Private Limited. All trademarks acknowledged.