Audit File Accesses, Read Events on Windows File Servers

Download Lepide File Server Auditor
x
Or Deploy With Our Virtual Appliance
In This Article

In any enterprise using file servers to store and share data, auditing is important to ensure data security. You can monitor multiple file servers in your domain. In this article, you will see how to track who accesses files on Windows File Servers in your organization, using Windows Server’s built-in auditing. At the end of the article, you will also see how to do it effortlessly through Lepide File Server Auditor (part of Lepide Data Security Platform).

Here are the steps to track who read a file on Windows File Server.

  • Step 1 – Set ‘Audit Object Access’ audit policy
  • Step 2 – Set auditing on the files that you want to track
  • Step 3 – Track who reads the file in Windows Event Viewer

Step 1 – Set ‘Audit Object Access’ audit policy

Follow these steps one by one to enable the “Audit object access” audit policy:

  1. Launch “Group Policy Management” console. For that, on the primary “Domain Controller”, or on the system where “Administration Tools” is installed, type “gpmc.msc” in the “Run” dialog box, and click “OK”.
  2. After you have opened the “Group Policy Management” window, you will have to create a new GPO, or edit an existing one.
  3. To edit an existing GPO, in the left pane, right-click on the default or a user-created GPO, and click “Edit” on the context menu. This action opens the Editor window of Group Policy Management Editor.

    Note: If you want to track multiple folders, you will have to configure audit for every folder individually.

  4. Navigate to “Security” tab.

    Note: It is suggested to create a new GPO, link it to the domain, and edit it.

  5. In the “Group Policy Management Editor” window, you have to set the appropriate audit policy.
  6. To audit file accesses, you have to set the “Audit object access” policy. For that, navigate to “Computer Configuration” → “Windows Settings” → “Security Settings” → “Local Policies” → “Audit Policy”. All the available policies under “Audit Policy” are displayed in the right panel.
    Figure 1: “Audit Object Access” policy
  7. Double-click the “Audit object access” policy to open its “Properties”.
    Figure 2: Properties of Audit Object Access Policy
  8. On this window, click the “Define these policy settings” checkbox. Then, you get two options to audit – “Success” and “Failure”. The former lets you audit successful attempts made to access the objects, whereas the latter lets you audit failed attempts.
  9. Select any one or both the options as per requirement. It is recommended to select both options. In our case, we have selected both options because we want to audit both the successful and the failed attempts.
  10. Click “Apply” and “OK” to close the window.
  11. To immediately update the Group Policy instead of waiting for it to auto-update, run the following command in the “Command Prompt”:

    Gpupdate /force

Step 2 – Set auditing on the files that you want to track

After configuring GPO, you have to set auditing on each file individually, or on folders that contain the files. Here are the steps:

  1. Open “Windows Explorer” and navigate to the file or folder that you want to audit.
  2. Right-click the file and select “Properties” from the context menu. The file’s properties window appears on the screen.

    Note: If you want to track multiple files, put them into one, two or more folders to enable their auditing easily. Doing this saves you from repeating these steps for each file.

  3. By default, the “General” tab of the “Properties” window appears on the screen. Go to the “Security” tab.
    Figure 3 Auditing tab of “Advanced Security Settings”
  4. On the “Security” tab, click “Advanced” to access the “Advanced Security Settings for” window that appears on the screen.
  5. In the “Advanced Security Settings for” window, go to the “Auditing” tab.
    Figure 4: Select User, Computer, Service Account, or Group

  6. On this tab, you have to create a new audit entry. For that, click “Add”. The “Auditing Entry for” window appears on the screen.
  7. In the “Auditing Entry for” window, at first, select users whose actions you want to audit. Click “Select a Principal”, to open the “Select User, Computer, Service Account, or Group” dialog box.
  8. Here, choose users to audit. If you want to audit all users’ activities, enter “Everyone” in the “Enter the object name to select” field, and click “Check Names”. In our case, we enter “Everyone”.
    Figure 5: “Auditing Entry” window of the file
  9. Click “OK” to close the dialog box.
  10. Three options are available in the “Type” picklist: “Success”,” Fail”, and “All”. We select the “All” option because we want to audit both successful and failed attempts.
  11. In the “Permissions” section, you can select all activities that you want to audit. In the case to audit file read, select “Traverse Folder/Execute File”, “List Folder/Read data”, “Read attributes”, and “Read extended attributes” permissions.

    NOTE: If you want to audit all the activities, select the “Full Control” checkbox.

  12. Click “OK” to close the “Auditing Entry for File Access auditing” window.
    Figure 6: The file access event
  13. Back in the “Advanced security settings” window, now you see the new audit entry.
  14. Click “Apply” and “OK” to close the window.
  15. Click “Apply” and “OK” to close file properties.

Step 3 – Track who reads the file in Windows Event Viewer

To see who reads the file, open “Windows Event Viewer”, and navigate to “Windows Logs” → “Security”. There is a “Filter Current Log” option in the right pane to find the relevant events.

If anyone opens the file, event ID 4656 and 4663 will be logged. For example, in our case, someone opened the file (File access auditing.txt), and as shown in the following image, a file access event (ID 4663) was logged. You can see who accessed the file in the “Account Name” field and access time in the “Logged” field.

In the below image, you can see the file’s name (C:\Users\Administrator\Documents\New Text Document.txt), which is visible after you scroll down the sidebar, under the “Object Name” field.

Figure 7: Name of the file in the Event 4663

In the next section, you will see how Lepide File Server Auditor can make the file auditing even quicker and straightforward.

How to Use Lepide File Server Auditor to Track File Read/Access Events

At Lepide, we understand the role that File Server auditing plays in keeping your sensitive, unstructured data secure. Tracking and auditing file-read events on Windows File Servers and other changes occurring to sensitive data on File Server couldn’t be easier with Lepide File Server Auditor. The below image shows our “Read Successful” report, just one of the hundreds of File Server audit reports available in the platform. The answers to critical audit questions regarding file access are displayed in a single pane of glass.

Figure 8: “Read Successful” report

In the above image, you can see the same file read the report (C:\Users\Administrator\Documents\New Text Document.txt) in Lepide File Server Auditor. The event is highlighted, and all the audit information like who accessed the file, when, and from which system is available in a single line record.

File Server Auditing Made Simple, With Lepide

In this article, we’ve covered the native method of tracking file read events in Windows File Servers using event logs. We’ve also shown you how much easier the process is made by using Lepide. In addition to providing detailed audit information on file-read events, Lepide can also track and audit numerous other critical File Server security changes/interactions. Using Lepide File Server Auditor, you can:

  • Locate and classify files containing sensitive data.
  • Track files being copied, moved, modified, and deleted.
  • Analyze user behavior and spot anomalies
  • Spot users with excessive permissions and implement zero trust by changing permissions

Download Lepide File Server Auditor

x
Or Deploy With Our Virtual Appliance