Taiwan CSS Platform Team

Your Potential, Our Passion.

Windows Svr Std 2003 ZH,How to audit File share ?

Windows Svr Std 2003 ZH,How to audit File share ?

  • Comments 1
  • Likes

Problem:
======
You would like to know how audit file and folders access

Solution:
======
Step 1: To enable local Windows security auditing
1. Log on to server with an account that has Administrator rights.
2. Click Start, point to Run, and then type "gpedit.msc".
3. Expand Computer Configuration->Windows Settings->Local Policies, and then double-click Audit Policy.
4. In the right pane, double-click the policy "Audit object access".
5. Click the Success (An audited security access attempt that succeeds).
Note: If there server is a domain controller, please open "Domain Controller Security Policy" to do the above settings.

Step 2: To audit the folder objects
1. Open explorer, right click folder/file and choose properties.
2. Click Security tab.
3. Click Advanced button.
4. In the Access Control Settings window, click Auditing Tab.
5. Click Add button to add the users you want to audit and choose to below audit entries.
For example: you want to know who deletes this folder or subfolder and files, then you audit everyone for "Delete" and "Delete Subfolders and Files" events.
6. Close the all windows

Step 3: Check the information in the Event Viewer.
1. Open event viewer.
2. Check the events under security logs. For a permission change, there will event 560 logged.
Tips: First filter the security log to only view the events with ID 560.
Then type the file or folder name if the descript of the find window to locate the exact events. Below is a sample event.

Event Type: Success Audit
Event Source: Security
Event Category: Object
Event ID: 560
User: AAA\Administrator
Computer: AAA
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: E:\1\New Text Document.txt
Handle ID: 1260
Operation ID: {0,198287}
Process ID: 360
Image File Name: C:\WINDOWS\explorer.exe Primary User Name: Administrator Primary Domain: AAA Primary Logon ID: (0x0,0x12C8C) Client User Name: - Client Domain: - Client Logon ID: -
Accesses: DELETE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10080

Reference:
=========
How To Enable and Apply Security Auditing in Windows 2000 http://support.microsoft.com/kb/300549/en-us

Comments
  • Great article, it provides the steps to audit file share and folder on your computer by setting the permission type to record successful or failed access attempts. I tried automated tool from http://www.lepide.com/file-server-audit/ that enables to audit file/folder and provides facilitate complete information on all changes made to file servers and every file server access activities . This tool generates real-time alerts on all the critical changes made in file servers’ files, folder structures, shares, permissions and other related items.

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment