Sunday, 9 November 2014

Event ID 4663 - An attempt was made to access an object

Event ID 4663 is logged whenever an object is accessed by a user or another source. It is used mainly for file system access auditing, but it can also be used to monitor other object types such as Registry, SAM, etc. Event 4663 is logged along with events 4656 and 4658: event 4656 records what kind of access permission was requested, whereas event 4658 tells when the access operation completed, but only event 4663 records what type of access was actually made on the particular object. This access can be Add file, Delete file, Write file, Read file, or just Access file. In this article, I am going to describe how to enable the Audit Policy that logs this event via Local Security Policy. Note that you also have to enable File Access Audit Security (SACL) on the corresponding file or folder whose access you want to monitor.


Enable Event ID 4663 via Local Security Policy

Event 4663 is controlled by the Audit Policy setting Audit object access. When you enable this setting, you get all three file access audit events (4663, 4656 and 4658). If you want only event 4663 to be logged, you can enable the subcategory setting Audit File System under Advanced Audit Policy Configuration (available only from Windows 7/2008 R2 and later versions).

Follow the steps below to configure the Audit Policy to log event 4663:

1. Open the Local Security Policy by running the command secpol.msc.

2. Navigate to the node Audit Policy (Security Settings/Local Policies/Audit Policy). In the right-hand pane, select the setting Audit object access.

3. Double-click Audit object access, check the audit options Success and Failure to monitor both successful file accesses and access-denied file accesses, and click the Apply button.

Note: In Windows 7/2008 R2 and later versions, you can enable the subcategory-level setting Audit File System under Advanced Audit Policy Configuration (Security Settings/Advanced Audit Policy Configuration/Object Access/Audit File System).

Steps to Configure File Access Audit Security (SACL)

The System Access Control List (SACL) determines whether file access events are generated for a particular file or folder. You should therefore enable the SACL on the file or folder whose access events you want to monitor or track.

Follow the steps below to enable File Access Audit Security:

1. Right-click the folder for which you want to configure audit events, and click Properties.

2. Select the Security tab, and click the Advanced button.

3. Navigate to the Audit tab, and click the Add button.

4. Select the account Everyone, check the Successful and Failed audit options that you want to audit, click OK, and then click Apply.
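
The two procedures above (audit policy and SACL) can also be scripted. The following PowerShell is an added example, not part of the original article; the folder C:\AuditDemo, the audited rights (Read, Write, Delete) and the variable names are assumptions, and the last part reads back the resulting 4663 events with the access mask decoded.

```powershell
# Added example; run from an elevated PowerShell session.
$Path = 'C:\AuditDemo'   # assumed sample folder, replace with the folder to audit

# Audit policy: enable only the File System subcategory (name as on English-language Windows).
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"   # verify the setting now reads "Success and Failure"

# SACL: audit Everyone (well-known SID S-1-1-0) for both successful and failed access.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.Security.AccessControl.FileSystemRights]'Read, Write, Delete'   # assumed selection
$inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop     = [System.Security.AccessControl.PropagationFlags]::None
$flags    = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule     = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $everyone, $rights, $inherit, $prop, $flags

$acl = Get-Acl -Path $Path -Audit          # -Audit loads the SACL in addition to the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl
(Get-Acl -Path $Path -Audit).Audit | Format-Table IdentityReference, FileSystemRights, AuditFlags

# Read back recent 4663 events for the folder and decode common file access-mask bits.
$accessNames = @{ 0x1 = 'ReadData'; 0x2 = 'WriteData'; 0x4 = 'AppendData'; 0x10000 = 'Delete' }
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        $data = @{}
        # Flatten the <EventData><Data Name="..."> elements into a name/value table.
        ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data.ObjectName -like "$Path*") {
            $mask = [Convert]::ToInt32($data.AccessMask, 16)   # AccessMask is hex text such as 0x10000
            [pscustomobject]@{
                Time    = $evt.TimeCreated
                User    = $data.SubjectUserName
                Object  = $data.ObjectName
                Access  = ($accessNames.Keys | Where-Object { $mask -band $_ } | Sort-Object |
                           ForEach-Object { $accessNames[$_] }) -join ', '
                Process = $data.ProcessName
            }
        }
    }
```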

Event 4663 Sample Source

The following image shows 4663 event log info for delete file access.

[Image: File Delete Audit Event - 4663]
