Wednesday, 13 November 2013

Enable File Access Auditing in Windows

In this article I am going to explain File System Access Auditing and how to enable it in a Windows environment. In places, File Access Auditing is also referred to as File Server Access Auditing, File System Change Auditing or File Share Change Auditing; all of these terms are interchangeable here.

Summary:

  1. File System/File Server Access Auditing Introduction
  2. File System Access Audit Event IDs 
  3. Steps to Enable File Access Auditing Event IDs via new Group Policy
  4. Enable File Access Auditing to Specific File Servers
  5. Steps to Enable File Access Security Audit
  6. Steps to Enable File Access Auditing using Auditpol command line tool

File Access/File Share Access Auditing Introduction:

  In every organisation, sharing files and documents with users over the network is inevitable. For security purposes we should grant access to certain files and folders only to a specific set of users. However, we can't always give exactly the right permissions to exactly the right users, so auditing file and folder access is inevitable for any organisation. The possible accesses are File Create/Add, File Delete, File Open, File Copy, File Rename, File Move, File Access, File Permission change and File Access failures. We can easily track these accesses through the File Share Audit Event IDs, which are controlled by the Audit Policy and the File Security Audit. So to get these event logs you need to enable the Object Access audit policy and the File Access Security Audit.

File Access Audit Event IDs:

File Access Auditing is controlled by the following event IDs:

4656: This is the first event logged when a user attempts to access a file. It records what type of access the user requested, not what access was actually performed (that is given by Event ID 4663). 4656 is controlled by the audit policy subcategory settings Handle Manipulation and File System.

4663: This event records what operation the user actually performed on the file.

4658: This event is logged when the user closes the file. Correlating it with the earlier 4656 event that carries the same Handle ID tells you how long the file was open.

4660: This event is logged when a user deletes a file or folder.

4990: This event is logged when a user opens a file.

4670: This event is logged when a user changes the permissions of a file (its security control list). The event records who changed the permissions, plus the old and new permissions.

5145: This is the Advanced Detailed File Share event, available only on Windows 7 / Windows Server 2008 R2 and later. 5145 is the file share equivalent of event 4656; it contains extra information such as the address of the user's client (source) machine and the share (network) path of the accessed file.
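To see how these event IDs fit together in practice, here is an added PowerShell example (not code from the original article) that reads the events listed above from the local Security log, flattens each event's EventData into named fields, and pairs every 4656 with the next 4658 that carries the same Handle ID, which is the correlation described for 4658. The one-hour window and the field names used for the Object column are this example's choices; it must run from an elevated prompt on a machine where the audit policy is already enabled.

```powershell
# Added example (not from the original article): read file-access audit events from the
# local Security log, index each event's EventData by field name, and correlate 4656
# (handle requested) with 4658 (handle closed) on the same Handle ID. Run elevated.

function Get-FileAuditRecord {
    param([datetime]$Since = (Get-Date).AddHours(-1))   # arbitrary window
    $ids = 4656, 4658, 4660, 4663, 4670, 5145
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # EventData is a list of <Data Name="...">value</Data> elements; index them by Name.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Id         = $e.Id
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            # 5145 names the share and share-relative path; the file system events name the full object path.
            Object     = if ($e.Id -eq 5145) { '{0}\{1}' -f $data['ShareName'], $data['RelativeTargetName'] } else { $data['ObjectName'] }
            HandleId   = $data['HandleId']
            AccessMask = $data['AccessMask']
            SourceIp   = $data['IpAddress']      # only populated on 5145
        }
    }
}

function Get-FileOpenDuration {
    param([object[]]$Records)
    $closes = @($Records | Where-Object Id -eq 4658)
    foreach ($open in ($Records | Where-Object Id -eq 4656)) {
        # Handle IDs are reused after a close, so take the first 4658 with this ID logged after the open.
        $close = $closes | Where-Object { $_.HandleId -eq $open.HandleId -and $_.Time -ge $open.Time } |
                 Sort-Object Time | Select-Object -First 1
        [pscustomobject]@{
            User       = $open.User
            Object     = $open.Object
            Opened     = $open.Time
            Closed     = if ($close) { $close.Time } else { $null }
            Duration   = if ($close) { $close.Time - $open.Time } else { 'no 4658 seen yet' }
            AccessMask = $open.AccessMask
        }
    }
}

$records = Get-FileAuditRecord

# What was actually done to files (4663), grouped by user and requested access mask.
$records | Where-Object Id -eq 4663 | Group-Object User, AccessMask | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Open/close pairs built from 4656 + 4658.
Get-FileOpenDuration -Records $records | Format-Table -AutoSize

# Network clients, available only from the Detailed File Share event (5145).
$records | Where-Object Id -eq 5145 | Select-Object Time, User, SourceIp, Object | Format-Table -AutoSize
```

The 4656/4658 pairing is only meaningful while Audit Handle Manipulation is enabled; without it no 4656 events are written and Get-FileOpenDuration returns nothing, while the 4663 and 5145 summaries still work.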

Steps to Enable File System Change Audit Event IDs via new Group Policy:

Follow the steps below to configure File Share Access Auditing events:

     Note: You should also configure the File Access Audit Security settings on the folder whose accesses you are going to audit.

1. Open Group Policy Management Console by running the command gpmc.msc.

2. Expand the domain node, select and right-click the OU that contains all the file servers (here I have selected the OU File Servers), then click Create a GPO in this domain, and link it here...


3. Type the new GPO name (e.g. File System Audit Policy) and click OK.

4. Right-click on the newly created GPO, then click Edit.

5. Expand Computer Configuration and go to the Audit Policy node (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy).

6. In the left side pane, select Object Access, then double-click this setting.

7. In the window that opens, check Success and Failure, then click Apply.

8. On Windows Server 2008 R2 and later versions you can also configure these settings through Advanced Audit Policy Configuration: go to the node Advanced Audit Policy Configuration (Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Advanced Audit Policy Configuration).

9. Expand this node, go to Object Access (Audit Policies -> Object Access), then configure the settings Audit Detailed File Share, Audit File System and Audit Handle Manipulation.

Note: The Audit Handle Manipulation setting controls event ID 4656, which can be a noisy event. If you don't want event 4656, leave the setting Audit Handle Manipulation as Not Configured.

10. Refresh the GPO by running the command gpupdate /force so the setting is applied to all the file servers inside the OU File Servers.


Apply File Access Audit Policy to Specific File Servers:

    With the steps above, we have configured file access audit events for all the file servers under the OU File Servers, but in some cases we may want to apply the policy only to a subset of file servers. You can achieve this with Security Filtering of the Group Policy.

1. Go to the Scope tab; in the Security Filtering section, select the entry Authenticated Users and click Remove.

2. Click the Add button, click Object Types..., check Computers, select the computers (the file server computers) to which you want to apply the file system audit policy settings, and click OK.

3. Refresh the GPO by running the command gpupdate /force to apply this setting to all the selected file servers.
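The GPO creation, linking and security filtering steps above can also be scripted. The following is an added PowerShell example using the GroupPolicy module, not code from the original article; the GPO name comes from the article, while the OU distinguished name and the computer names FS01 and FS02 are placeholders. The audit settings inside the GPO (steps 5 to 9 of the previous section) still have to be made in the editor, because the GroupPolicy module has no cmdlet for Advanced Audit Policy Configuration.

```powershell
# Added example (not from the original article): create and link the audit GPO, then
# scope it to specific file servers with security filtering. OU and computer names are
# placeholders. Requires the GroupPolicy module (RSAT / domain controller) and rights
# to create and edit GPOs.
Import-Module GroupPolicy

$gpoName     = 'File System Audit Policy'              # name used in the article
$ouDn        = 'OU=File Servers,DC=example,DC=local'   # placeholder: distinguished name of the OU
$fileServers = 'FS01', 'FS02'                          # placeholder: computers that should get the policy

# Create the GPO if it does not exist and link it to the OU (steps 2-3 of the GPO section).
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName }
$linked = (Get-GPInheritance -Target $ouDn).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes | Out-Null }

# Step 1: remove the default Authenticated Users entry from Security Filtering.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel None | Out-Null

# Step 2: grant Read + Apply Group Policy only to the chosen file server computer accounts.
foreach ($fs in $fileServers) {
    Set-GPPermission -Name $gpoName -TargetName $fs -TargetType Computer -PermissionLevel GpoApply | Out-Null
}

# Check who the GPO now applies to before pushing it out.
Get-GPPermission -Name $gpoName -All | Where-Object { $_.Permission -eq 'GpoApply' } |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

# Step 3: on each file server run "gpupdate /force", or wait for the next policy refresh.
```

Get-GPPermission with -All is the scripted equivalent of reading the Security Filtering list on the Scope tab; after the change only the selected computer accounts should show GpoApply.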

Steps to Enable File Access Security Audit:

1. Right-click the folder for which you want to configure audit events, and click Properties.

2. Select the Security tab, and click the Advanced button.

3. Navigate to the Audit tab, and click the Add button.

4. Select the account Everyone, check the Successful and Failed audit options you want to audit, click OK, and then click Apply.
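The same system audit entry (SACL) can be added from PowerShell, which is handy when many shared folders need the same setting. The following is an added example, not code from the original article: the folder path is a placeholder and the set of audited rights is this example's choice; Everyone is referenced by its well-known SID so the script works regardless of the system language.

```powershell
# Added example (not from the original article): PowerShell equivalent of steps 1-4,
# adding a Success + Failure audit entry for Everyone to a folder and its children.
# Get-Acl/Set-Acl only read and write the SACL when -Audit is given, and that needs
# an elevated prompt (SeSecurityPrivilege). Folder path is a placeholder.

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Rights to audit; FileSystemRights is a [Flags] enum, so names can be combined.
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadData, Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
        [System.Security.AccessControl.AuditFlags]$Flags = 'Success, Failure'
    )
    $everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID for Everyone
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $everyone,
        $Rights,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',   # subfolders and files
        [System.Security.AccessControl.PropagationFlags]::None,
        $Flags)
    $acl = Get-Acl -Path $Path -Audit
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-FolderAuditRules {
    param([Parameter(Mandatory)][string]$Path)
    # Explicit and inherited audit entries, identities resolved to account names.
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
}

$folder = 'D:\Shares\Finance'    # placeholder
Add-FolderAuditRule -Path $folder
Get-FolderAuditRules -Path $folder | Format-Table -AutoSize
```

Get-FolderAuditRules is the check to run afterwards: the new entry should appear with IsInherited False on the folder itself and True on anything below it.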



Steps to Enable File Access Auditing using Auditpol command line tool:

    Auditpol.exe is the command-line utility for changing audit security settings at category and subcategory level. It is available by default on Windows Server 2008 R2 and later and on Windows 7 and later. Using Auditpol, we can get and set audit security settings at the per-user level and the computer level.

   Note: You should run the Auditpol command with elevated privileges (Run As Administrator).

You can enable the file access audit success events (Event IDs 5145, 4663, 4660, 4656, 4658) with the following commands:

Auditpol /set /subcategory:"Detailed File Share" /success:enable
Auditpol /set /subcategory:"File System" /success:enable

You can enable the file access audit failure events (Event IDs 5145, 4663, 4660, 4656, 4658) with the following commands:

Auditpol /set /subcategory:"Detailed File Share" /failure:enable
Auditpol /set /subcategory:"File System" /failure:enable

Note: To get event ID 4656 you also need to enable the Handle Manipulation setting:

Auditpol /set /subcategory:"Handle Manipulation" /success:enable

Note: This article applies to Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows 7 and Windows 8.
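Before and after running these commands it is worth confirming what the effective setting of each subcategory actually is, since a GPO that sets the advanced audit policy will overwrite local auditpol changes at the next refresh. The following added PowerShell example (not code from the original article) parses auditpol's CSV output (the /r switch) to read each subcategory and only changes the ones that differ from the target. The target combination is this example's choice, based on the note above: File System and Detailed File Share on success and failure, Handle Manipulation on failure only so the noisy 4656 success events are not written.

```powershell
# Added example (not from the original article): read the effective audit setting of each
# subcategory from auditpol's CSV output and apply the wanted setting only where it
# differs. Run from an elevated prompt.

function Get-AuditSubcategorySetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # /r prints one CSV row per subcategory; the "Inclusion Setting" column is
    # "Success and Failure", "Success", "Failure" or "No Auditing".
    $rows = auditpol /get /subcategory:"$Subcategory" /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}

function Set-AuditSubcategorySetting {
    param(
        [Parameter(Mandatory)][string]$Subcategory,
        [Parameter(Mandatory)][ValidateSet('Success and Failure', 'Success', 'Failure', 'No Auditing')][string]$Setting
    )
    # Map the human-readable setting onto the /success and /failure switches auditpol expects.
    $success = if ($Setting -like '*Success*') { 'enable' } else { 'disable' }
    $failure = if ($Setting -like '*Failure*') { 'enable' } else { 'disable' }
    auditpol /set /subcategory:"$Subcategory" /success:$success /failure:$failure | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol /set failed for '$Subcategory' (exit code $LASTEXITCODE)" }
}

# Target settings (this example's choice, following the article's note on 4656 noise).
$wanted = [ordered]@{
    'File System'         = 'Success and Failure'   # 4663, 4660, 4658
    'Detailed File Share' = 'Success and Failure'   # 5145
    'Handle Manipulation' = 'Failure'               # 4656 only for denied access attempts
}

foreach ($sub in $wanted.Keys) {
    $before = Get-AuditSubcategorySetting -Subcategory $sub
    if ($before -ne $wanted[$sub]) {
        Set-AuditSubcategorySetting -Subcategory $sub -Setting $wanted[$sub]
    }
    $after = Get-AuditSubcategorySetting -Subcategory $sub
    '{0,-22} was: {1,-20} now: {2}' -f $sub, $before, $after
}
```

If a value reverts after gpupdate, the setting is being managed by a GPO and has to be changed there (Advanced Audit Policy Configuration) rather than locally.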

Thanks,
Morgan
Software Developer


12 comments:

  1. great points altogether, you just won a new reader.

    What would you recommend in regards to your put up that you just made a
    few days ago? Any sure?

    Here is my homepage: Asian Massage in London, ,

  2. Hi there,
    I have read your guide and this one http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx.
    I have on local level a working solution, but when files arrive from over the network nothing happens.
    Do you have a clue why this could be?

    Replies
    1. Did you configure the Security Audit Policy on the network folder?

    2. Hi,
      Thanks for answering, I use the same "shared" folder.
      So I thought that auditing enabled for everyone on success and failure did the trick.
      Is there a special auditing setting for files coming from another pc?
      Kind Regards
      Guy

    3. Hi, there is no special auditing setting for files coming from another pc?...if you want to know source machine name(other pc name), you can get this information from advanced file share audit event. check this article: http://www.morgantechspace.com/2013/10/Event-ID-5145-Detailed-File-Share-Auditing.html

    4. Hi Morgan,
      Indeed this setting revealed to me that a file is placed in the shared folder.
      Maybe I can work with that.
      Can you think of a reason why locally 4663 shows but not coming from a network?
      I find it even more puzzling because on another server, which is of the same brand and number and even configuration, it works.
      Somewhere a hidden setting must exist :-)

    5. As far as I know, there is no hidden setting....the event 4663 is the sub category event of local file system audit, so it doesn't care about network...but the event 5145 is the detailed file share event which contains network information...do you have any problem with 5145?

  3. If someone attempts to access a file that they did not have permission to, would it generate an audit failure 4663? If not, is there an event ID that is generated when a failed attempt to access/modify a file or folder occurs? Handle manipulation was no help.

    Replies
    1. You will get only the failure event 4656 in this case.

    2. Thanks for the quick reply. There were thousands of 4656 instances while handle manipulation was turned on. Do you have any recommendations on how to cut those down or other audit tactics that could track failures to modify files?

    3. Yes, you will get a lot of 4656 events while handle manipulation is turned on for both success and failure audit. But for your case, you need only the failure event, so enable only failure audit in handle manipulation..this will stop the 4656 success events and you will get only actual file access failures.
