Auditing File Access on File Servers

This article was contributed by Liju Varghese, a Senior Premier Field Engineer from Canada, based on a recent engagement.

Recently, I helped a customer achieve two objectives:

  1. Audit access to sensitive content on the file servers and ensure the information is captured
  2. Generate reports on a regular basis that would show WHO did WHAT to WHICH content and WHEN this was done.

I thought I would share this in case you found yourself wanting to do something similar.

A word of caution, though: because of the wide scope of what can be audited and the level of detail at which it can be logged, it is very important that you first establish the audit objectives for your company as a whole and for your department in particular. These objectives will also be influenced by the country you are in and by any industry affiliation. Decisions will also have to be made about the retention policy for your audit logs.

Environment Overview

My lab setup consists of two domain controllers and a file server (RootMS01), all running Windows Server 2008 R2, plus a Windows 7 workstation.

The audit policy is configured in a Group Policy Object linked to the Organizational Unit that contains the computer object of RootMS01.

The file server hosts the file shares, folders and files I will be setting up the Audit System Access Control List (SACL) on.


A few caveats:

  1. Two things must both be in place before an event is logged: the audit policy must be enabled in the system's security policy, and an audit entry (a SACL) must exist on the resource itself. Either one on its own logs nothing
  2. Audit policy can be enabled either through group policy or the local security policy
  3. On Windows Server 2008 R2 or later I recommend using the Advanced Audit Policy Configuration (Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\) rather than the older Audit Policy (Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\)
  4. Do not mix the Advanced Audit Policy Configuration and the older Audit Policy: if you enable audit policy through Advanced Audit Policy Configuration, whether in group policy or the local security policy, use Advanced Audit Policy Configuration at every level (local policy, site, domain and OU-linked group policy)

Enable Audit Policy

1. Create a Group Policy Object and name it something to the effect of File Server Audit Policy

2. Edit the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ and define the following Audit Policy settings

The settings below are from the WS2008R2SP1 Member Server Security Compliance baseline of the Security Compliance Manager (SCM) - http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx with the exception of Object Access: File System which I enabled for Success

AUDIT POLICY                                          VALUE

Account Logon: Credential Validation                  Success and Failure
Account Logon: Kerberos Authentication Service        No Auditing
Account Logon: Kerberos Service Ticket Operations     No Auditing
Account Logon: Other Account Logon Events             No Auditing
Account Management: Application Group Management      No Auditing
Account Management: Computer Account Management       Success
Account Management: Distribution Group Management     No Auditing
Account Management: Other Account Management Events   Success and Failure
Account Management: Security Group Management         Success and Failure
Account Management: User Account Management           Success and Failure
Detailed Tracking: DPAPI Activity                     No Auditing
Detailed Tracking: Process Creation                   Success
Detailed Tracking: Process Termination                No Auditing
Detailed Tracking: RPC Events                         No Auditing
DS Access: Detailed Directory Service Replication     No Auditing
DS Access: Directory Service Access                   No Auditing
DS Access: Directory Service Changes                  No Auditing
DS Access: Directory Service Replication              No Auditing
Logon-Logoff: Account Lockout                         No Auditing
Logon-Logoff: IPsec Extended Mode                     No Auditing
Logon-Logoff: IPsec Main Mode                         No Auditing
Logon-Logoff: IPsec Quick Mode                        No Auditing
Logon-Logoff: Logoff                                  Success
Logon-Logoff: Logon                                   Success and Failure
Logon-Logoff: Network Policy Server                   No Auditing
Logon-Logoff: Other Logon/Logoff Events               No Auditing
Logon-Logoff: Special Logon                           Success
Object Access: Application Generated                  No Auditing
Object Access: Certification Services                 No Auditing
Object Access: Detailed File Share                    No Auditing
Object Access: File Share                             No Auditing
Object Access: File System                            Success
Object Access: Filtering Platform Connection          No Auditing
Object Access: Filtering Platform Packet Drop         No Auditing
Object Access: Handle Manipulation                    No Auditing
Object Access: Kernel Object                          No Auditing
Object Access: Other Object Access Events             No Auditing
Object Access: Registry                               No Auditing
Object Access: SAM                                    No Auditing
Policy Change: Audit Policy Change                    Success and Failure
Policy Change: Authentication Policy Change           Success
Policy Change: Authorization Policy Change            No Auditing
Policy Change: Filtering Platform Policy Change       No Auditing
Policy Change: MPSSVC Rule-Level Policy Change        No Auditing
Policy Change: Other Policy Change Events             No Auditing
Privilege Use: Non Sensitive Privilege Use            No Auditing
Privilege Use: Other Privilege Use Events             No Auditing
Privilege Use: Sensitive Privilege Use                Success and Failure
System: IPsec Driver                                  Success and Failure
System: Other System Events                           No Auditing
System: Security State Change                         Success and Failure
System: Security System Extension                     Success and Failure
System: System Integrity                              Success and Failure

3. Also set the following under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options:

a. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings: Enabled (this is what makes the subcategory settings above take precedence over any legacy category settings that may still be applied)

b. Audit: Shut down system immediately if unable to log security audits: Disabled

Event Log Size

You may need to increase the size of the Security event log to accommodate the new events. This is done with the policy setting Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\Maximum Log Size (KB). For the maximum supported sizes see http://support.microsoft.com/kb/957662

Note: if you wish to archive old events, set Retain old events to Enabled and Backup log automatically when full to Enabled (both in the same policy folder). The event log file is then automatically closed and renamed when it is full and a new file is started; collecting those archived files is up to you. If you do not wish to retain old events, set Retain old events to Disabled, in which case the log wraps and the oldest events are overwritten. Either way, until something collects it the log on the file server is the only copy of the audit trail, so forward it to a central collector if the trail matters.
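Once the GPO has applied, it is worth checking what the file server actually ended up with rather than trusting the GPO report. The following is an added example, not part of the original article: it parses the CSV form of auditpol /get, compares the subcategories this article depends on against expected values, and reads the two supporting settings (the subcategory-override option and the Security log size). Subcategory names are spelled the way auditpol spells them. The expected values match the table above with one deliberate difference: Authorization Policy Change is expected as Success, because event 4670 (permissions on an object were changed), which the article asks you to report on later, lives in that subcategory and the SCM baseline leaves it at No Auditing. The sample rows are constructed, not a capture, and the function names are mine.

```powershell
# Added example (not from the original article). Run elevated on the file server.

# Subcategories this article relies on, as auditpol names them, with the events they produce
$Expected = @{
    'File System'                 = 'Success'              # 4663
    'Audit Policy Change'         = 'Success and Failure'  # 4907, 4719
    'Authorization Policy Change' = 'Success'              # 4670 (SCM baseline leaves this off)
    'Sensitive Privilege Use'     = 'Success and Failure'  # 4673, 4674
    'Security State Change'       = 'Success and Failure'  # 4608, 4616
}

function Get-AuditPolicyRows {
    # "auditpol /get /category:* /r" prints CSV with the columns
    # Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting.
    # Lines without a comma (blank lines) are dropped so ConvertFrom-Csv sees the header first.
    auditpol.exe /get /category:* /r | Where-Object { $_ -match ',' } | ConvertFrom-Csv
}

function Test-AuditPolicy {
    param(
        [Parameter(Mandatory=$true)] [object[]]  $Rows,      # output of Get-AuditPolicyRows, or the sample below
        [Parameter(Mandatory=$true)] [hashtable] $Expected
    )
    foreach ($name in ($Expected.Keys | Sort-Object)) {
        $row    = $Rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<not reported>' }
        New-Object PSObject -Property @{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            Ok          = ($actual -eq $Expected[$name])
        }
    }
}

function Test-AuditSupportSettings {
    # "Force audit policy subcategory settings ... to override" is stored as
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy = 1.
    # Security log size and retention mode come from the log configuration itself.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $log = Get-WinEvent -ListLog Security
    New-Object PSObject -Property @{
        SubcategoryOverride = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
        SecurityLogMaxMB    = [int]($log.MaximumSizeInBytes / 1MB)
        SecurityLogMode     = $log.LogMode        # Circular, AutoBackup or Retain
    }
}

# Constructed sample rows (not a capture) in the auditpol /r layout, reflecting the
# table above exactly as written, so the check can be tried without a server.
$SampleCsv = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
ROOTMS01,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},Success,
ROOTMS01,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success and Failure,
ROOTMS01,System,Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030},No Auditing,
ROOTMS01,System,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030},Success and Failure,
ROOTMS01,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success and Failure,
'@
$SampleRows = $SampleCsv | ConvertFrom-Csv

# Offline run against the sample: Authorization Policy Change comes back with Ok = False
Test-AuditPolicy -Rows $SampleRows -Expected $Expected |
    Format-Table Subcategory, Expected, Actual, Ok -AutoSize

# Live run on the file server:
# Test-AuditPolicy -Rows (Get-AuditPolicyRows) -Expected $Expected | Format-Table -AutoSize
# Test-AuditSupportSettings
# To turn on the missing subcategory locally (a GPO will override this at the next refresh):
# auditpol /set /subcategory:"Authorization Policy Change" /success:enable
```

If a row comes back as "<not reported>", the name is misspelled for auditpol, not absent from the system; auditpol /list /subcategory:* prints the exact names it accepts.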

Set up Audit System Access Control List (SACL)

The critical part is setting up the right amount of auditing for the right security principal and for the right resources. The image below shows the folder structure for which I will be setting up the audit entries:


I created an entry for UserHomeFolder that applies to the folder, subfolders and files, for the Builtin Administrators group for all accesses.


The rationale behind this is that since the users have exclusive rights to their home folders, besides them, only members of the local administrators group would have the ability to read or modify the contents of the folders.
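The same audit entry can be put in place from PowerShell, which is easier to repeat across servers and to review than clicking through the Security tab. The block below is an added example, not code from the original article: it adds an audit rule for BUILTIN\Administrators on the home-folder root, inheriting to subfolders and files, and reads the SACL back. The path and group are the article's; the function names are mine. Run it elevated on the file server, since writing a SACL requires SeSecurityPrivilege, which Get-Acl -Audit and Set-Acl use on your behalf.

```powershell
# Added example (not from the original article). Run elevated on the file server.

function Add-FolderAuditRule {
    param(
        [Parameter(Mandatory=$true)] [string] $Path,
        [string] $Identity = 'BUILTIN\Administrators',
        # "All accesses" in the Security tab is FullControl. Narrow this (for example to
        # 'ReadData, WriteData, Delete, ChangePermissions, TakeOwnership') to cut the noise
        # that browsing alone generates (the READ_CONTROL events in the report below).
        [System.Security.AccessControl.FileSystemRights] $Rights = 'FullControl',
        [System.Security.AccessControl.AuditFlags] $AuditFlags = 'Success, Failure'
    )
    # -Audit is required; without it Get-Acl returns a descriptor with no SACL,
    # and Set-Acl would then write back a descriptor that drops the audit entries.
    $acl = Get-Acl -Path $Path -Audit

    # "This folder, subfolders and files" = ContainerInherit + ObjectInherit, no propagation limits
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                       -ArgumentList $Identity, $Rights, $inherit, $propagate, $AuditFlags

    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl    # also propagates the inheritable entry to existing children
}

function Get-FolderAuditRules {
    param([Parameter(Mandatory=$true)] [string] $Path)
    # Explicit and inherited audit entries, with identities resolved to account names
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

$HomeRoot = 'C:\Shares\UserHomeFolder'
Add-FolderAuditRule -Path $HomeRoot
Get-FolderAuditRules -Path $HomeRoot |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited -AutoSize

# Spot-check that a file inside a home folder inherited the entry; the article's sample
# events are for BWayne\BusinessProposal.txt:
# Get-FolderAuditRules -Path "$HomeRoot\BWayne\BusinessProposal.txt" | Format-Table -AutoSize
```

Adding the audit entry itself produces a 4907 (auditing settings on object were changed) on the server, which is a convenient way to confirm that the Audit Policy Change subcategory from the table is working.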

Sample events

Here’s a selection of some of the types of events you can expect to see with auditing enabled:

Security Event Cleared

Log Name:      Security
Source:        Microsoft-Windows-Eventlog
Date:          8/14/2013 7:59:09 AM
Event ID:      1102
Task Category: Log clear
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
The audit log was cleared.
Subject:
        Security ID:   RESKIT\BWayne
        Account Name:  BWayne
        Domain Name:   RESKIT
        Logon ID:      0x871de

Ownership of File Taken

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/14/2013 1:39:46 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
An attempt was made to access an object.
Subject:
        Security ID:           RESKIT\pparker
        Account Name:          pparker
        Account Domain:               RESKIT
        Logon ID:              0x1119f6
Object:
        Object Server: Security
        Object Type:   File
        Object Name:   C:\Shares\UserHomeFolder\BWayne\BusinessProposal.txt
        Handle ID:     0x290
Process Information:
        Process ID:    0x7cc
        Process Name:  C:\Windows\System32\dllhost.exe
Access Request Information:
        Accesses:      WRITE_OWNER
        Access Mask:   0x80000

Security ACL on File Modified

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/14/2013 1:41:39 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
An attempt was made to access an object.
Subject:
        Security ID:           RESKIT\pparker
        Account Name:          pparker
        Account Domain:               RESKIT
        Logon ID:              0x1119f6
Object:
        Object Server: Security
        Object Type:   File
        Object Name:   C:\Shares\UserHomeFolder\BWayne\BusinessProposal.txt
        Handle ID:     0x360
Process Information:
        Process ID:    0x730
        Process Name:  C:\Windows\System32\dllhost.exe
Access Request Information:
        Accesses:      WRITE_DAC
        Access Mask:   0x40000

Generic File Read

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/14/2013 1:51:48 AM
Event ID:      4663
Task Category: File System
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
An attempt was made to access an object.
Subject:
        Security ID:           RESKIT\pparker
        Account Name:          pparker
        Account Domain:               RESKIT
        Logon ID:              0x17235b
Object:
        Object Server: Security
        Object Type:   File
        Object Name:   C:\Shares\UserHomeFolder\BWayne\BusinessProposal.txt
        Handle ID:     0x1b4
Process Information:
        Process ID:    0x2f8
        Process Name:  C:\Windows\System32\dllhost.exe
Access Request Information:
        Accesses:      READ_CONTROL
        Access Mask:   0x20000

Run scripts to report on 4663 events

The PowerShell script below queries the Security event log on one or more servers for events with ID 4663. A 4663 is written when an opened handle is actually used for an audited access, so it records operations that were performed rather than merely requested, and it is only generated for objects that carry a matching audit entry (SACL). For each event the script lists the name of the object and the access mask, the bit flags of the permissions that were actually exercised.

Save the code below to a file with the .ps1 extension. On the first line, replace the machine names with the names of your file servers, and on the last line, replace the output file and folder name. Reading the Security log requires local administrator rights or membership in the Event Log Readers group, and querying a remote server additionally needs the Remote Event Log Management firewall rules enabled on it.

# Replace the machine names with your file servers
$server = "RootMS01","RootDC01"
$out = New-Object System.Text.StringBuilder
# [void] discards the StringBuilder that AppendLine returns; without it each call is echoed to the console
[void]$out.AppendLine("ServerName,EventID,TimeCreated,UserName,File_or_Folder,AccessMask")
# Namespace of the event XML, needed by the XPath queries below
$ns = @{e = "http://schemas.microsoft.com/win/2004/08/events/event"}
foreach ($svr in $server)
    {
    # -Oldest returns the events in chronological order
    $evts = Get-WinEvent -ComputerName $svr -FilterHashtable @{logname="security";id=4663} -Oldest

    foreach($evt in $evts)
        {
        $xml = [xml]$evt.ToXml()

        # Pull the named EventData fields out of the event XML
        $SubjectUserName = Select-Xml -Xml $xml -Namespace $ns -XPath "//e:Data[@Name='SubjectUserName']/text()" | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value

        $ObjectName = Select-Xml -Xml $xml -Namespace $ns -XPath "//e:Data[@Name='ObjectName']/text()" | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value

        $AccessMask = Select-Xml -Xml $xml -Namespace $ns -XPath "//e:Data[@Name='AccessMask']/text()" | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value

        # Note: an object name containing a comma would need quoting to keep the CSV well-formed
        [void]$out.AppendLine("$($svr),$($evt.Id),$($evt.TimeCreated),$SubjectUserName,$ObjectName,$AccessMask")

        Write-Host $svr
        Write-Host $evt.Id,$evt.TimeCreated,$SubjectUserName,$ObjectName,$AccessMask

        }
    }
# Replace the output path as required
$out.ToString() | Out-File -FilePath C:\Temp\4663Events.csv

Here's some typical output (the CSV as written by the script):

ServerName,EventID,TimeCreated,UserName,File_or_Folder,AccessMask
RootMS01,4663,08/14/2013 08:01:09,BWayne,C:\Shares\UserHomeFolder\LSkywalker\Projects.txt,0x20000
RootMS01,4663,08/14/2013 08:01:16,BWayne,C:\Shares\UserHomeFolder\LSkywalker\Projects.txt,0x80
RootMS01,4663,08/14/2013 08:01:16,BWayne,C:\Shares\UserHomeFolder\LSkywalker\Projects.txt,0x20000
RootMS01,4663,08/14/2013 08:01:19,BWayne,C:\Shares\UserHomeFolder\LSkywalker\Projects.txt,0x80
RootMS01,4663,08/14/2013 08:01:19,BWayne,C:\Shares\UserHomeFolder\LSkywalker\Projects.txt,0x20000
RootMS01,4663,08/16/2013 11:39:37,Administrator,C:\Shares\UserHomeFolder\BWayne,0x20000
RootMS01,4663,08/16/2013 11:39:55,Administrator,C:\Shares\UserHomeFolder\BWayne\New Text Document.txt,0x20000
RootMS01,4663,08/16/2013 11:40:05,Administrator,C:\Shares\UserHomeFolder\BWayne\New Text Document.txt,0x10000
RootMS01,4663,08/20/2013 10:58:34,Administrator,C:\Shares\UserHomeFolder\BWayne,0x20000
RootMS01,4663,08/20/2013 10:59:08,Administrator,C:\Shares\UserHomeFolder\LSkywalker,0x20000
RootMS01,4663,08/20/2013 10:59:23,Administrator,C:\Shares\UserHomeFolder\BWayne,0x20000
RootMS01,4663,08/20/2013 10:59:23,Administrator,C:\Shares\UserHomeFolder\BWayne,0x80
RootMS01,4663,08/20/2013 10:59:23,Administrator,C:\Shares\UserHomeFolder\BWayne,0x20000
RootMS01,4663,08/20/2013 10:59:23,Administrator,C:\Shares\UserHomeFolder\BWayne,0x1
RootMS01,4663,08/20/2013 10:59:23,Administrator,C:\Shares\UserHomeFolder\BWayne,0x40000
RootMS01,4663,08/20/2013 11:00:12,Administrator,C:\Shares\UserHomeFolder\LSkywalker\Projects.txt,0x20000
RootMS01,4663,08/20/2013 11:01:15,PParker,C:\Shares\UserHomeFolder\LSkywalker\Projects.txt,0x20000
RootMS01,4663,08/20/2013 11:01:15,PParker,C:\Shares\UserHomeFolder\LSkywalker\Projects.txt,0x1
RootMS01,4663,08/20/2013 11:02:19,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x80000
RootMS01,4663,08/20/2013 11:02:22,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x20000
RootMS01,4663,08/20/2013 11:02:24,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x20000
RootMS01,4663,08/20/2013 11:02:36,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x20000
RootMS01,4663,08/20/2013 11:02:37,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x20000
RootMS01,4663,08/20/2013 11:02:39,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x20000
RootMS01,4663,08/20/2013 11:02:53,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x20000
RootMS01,4663,08/20/2013 11:02:53,PParker,C:\Shares\UserHomeFolder\BWayne,0x20000
RootMS01,4663,08/20/2013 11:02:53,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x40000
RootMS01,4663,08/20/2013 11:02:53,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x20000
RootMS01,4663,08/20/2013 11:02:56,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x20000
RootMS01,4663,08/20/2013 11:02:56,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x1
RootMS01,4663,08/20/2013 11:36:07,Administrator,C:\Shares\UserHomeFolder\LSkywalker\Projects.txt,0x20000
RootMS01,4663,08/20/2013 11:38:43,Administrator,C:\Shares\UserHomeFolder\LSkywalker,0x20000
RootDC01,,,Administrator,C:\Shares\UserHomeFolder\LSkywalker,0x20000


You can use the table below (based on http://msdn.microsoft.com/en-us/library/windows/desktop/aa822867(v=vs.85).aspx ) to interpret the AccessMask values as file and directory access rights. The mask is a bit field: the file and directory constants share the same bits (FILE_READ_DATA on a file is FILE_LIST_DIRECTORY on a directory), and a single event can carry several rights combined, as in the 5145 sample further down where 0x120089 is READ_CONTROL + SYNCHRONIZE + read data + read EA + read attributes.

AccessMask Value     Constant                 Description

1 (0x1)              FILE_READ_DATA           Grants the right to read data from the file.
1 (0x1)              FILE_LIST_DIRECTORY      For a directory, grants the right to list the contents of the directory (same bit as FILE_READ_DATA).
2 (0x2)              FILE_WRITE_DATA          Grants the right to write data to the file.
2 (0x2)              FILE_ADD_FILE            For a directory, grants the right to create a file in the directory (same bit as FILE_WRITE_DATA).
4 (0x4)              FILE_APPEND_DATA         Grants the right to append data to the file.
4 (0x4)              FILE_ADD_SUBDIRECTORY    For a directory, grants the right to create a subdirectory (same bit as FILE_APPEND_DATA).
8 (0x8)              FILE_READ_EA             Grants the right to read extended attributes.
16 (0x10)            FILE_WRITE_EA            Grants the right to write extended attributes.
32 (0x20)            FILE_EXECUTE             Grants the right to execute a file.
32 (0x20)            FILE_TRAVERSE            For a directory, grants the right to traverse the directory (same bit as FILE_EXECUTE).
64 (0x40)            FILE_DELETE_CHILD        Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only.
128 (0x80)           FILE_READ_ATTRIBUTES     Grants the right to read file attributes.
256 (0x100)          FILE_WRITE_ATTRIBUTES    Grants the right to change file attributes.
65536 (0x10000)      DELETE                   Grants the right to delete the object.
131072 (0x20000)     READ_CONTROL             Grants the right to read the information in the security descriptor for the object.
262144 (0x40000)     WRITE_DAC                Grants the right to modify the DACL in the object's security descriptor.
524288 (0x80000)     WRITE_OWNER              Grants the right to change the owner in the security descriptor for the object.
1048576 (0x100000)   SYNCHRONIZE              Grants the right to use the object for synchronization.
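Looking up one value at a time does not scale to a day's worth of 4663 events, and it misses the point that a mask can combine several rights. The block below is an added example, not code from the original article: it decodes any AccessMask into the names from the table, then runs a simple rule over rows in the report's CSV layout to flag what the sample events above actually show, namely one user exercising WRITE_OWNER and WRITE_DAC inside another user's home folder. The rule assumes the article's layout of C:\Shares\UserHomeFolder\<owner>\..., the sample rows are constructed to mirror the report output rather than captured, and the function names are mine.

```powershell
# Added example (not from the original article).

# Bit -> name, ascending. File and directory constants share bits, so both names are given.
$FileAccessRights = @(
    @(0x000001, 'FILE_READ_DATA/FILE_LIST_DIRECTORY'),
    @(0x000002, 'FILE_WRITE_DATA/FILE_ADD_FILE'),
    @(0x000004, 'FILE_APPEND_DATA/FILE_ADD_SUBDIRECTORY'),
    @(0x000008, 'FILE_READ_EA'),
    @(0x000010, 'FILE_WRITE_EA'),
    @(0x000020, 'FILE_EXECUTE/FILE_TRAVERSE'),
    @(0x000040, 'FILE_DELETE_CHILD'),
    @(0x000080, 'FILE_READ_ATTRIBUTES'),
    @(0x000100, 'FILE_WRITE_ATTRIBUTES'),
    @(0x010000, 'DELETE'),
    @(0x020000, 'READ_CONTROL'),
    @(0x040000, 'WRITE_DAC'),
    @(0x080000, 'WRITE_OWNER'),
    @(0x100000, 'SYNCHRONIZE')
)

function ConvertFrom-AccessMask {
    # Takes the mask as the event writes it ('0x120089') and names every set bit
    param([Parameter(Mandatory=$true)] [string] $Mask)
    $value = [Convert]::ToInt64($Mask, 16)      # ToInt64 with base 16 accepts the 0x prefix
    $names = @()
    $known = 0
    foreach ($pair in $FileAccessRights) {
        $known = $known -bor $pair[0]
        if (($value -band $pair[0]) -ne 0) { $names += $pair[1] }
    }
    $rest = $value -band (-bnot $known)         # bits the table does not cover, e.g. generic rights
    if ($rest -ne 0) { $names += ('0x{0:X}' -f $rest) }
    if ($names.Count -eq 0) { $names = @('(none)') }
    $names -join '|'
}

function Find-ForeignHomeFolderChanges {
    # Home folders are <HomeRoot>\<owner>\...; anyone other than <owner> exercising a
    # write-class right in there is worth a second look, administrator or not.
    param(
        [Parameter(Mandatory=$true)] [object[]] $Rows,
        [string] $HomeRoot = 'C:\Shares\UserHomeFolder\'
    )
    # write data, append, write EA, delete child, write attributes, DELETE, WRITE_DAC, WRITE_OWNER
    $writeMask = 0x2 -bor 0x4 -bor 0x10 -bor 0x40 -bor 0x100 -bor 0x10000 -bor 0x40000 -bor 0x80000
    foreach ($r in $Rows) {
        if (-not $r.File_or_Folder.StartsWith($HomeRoot, 'OrdinalIgnoreCase')) { continue }
        $owner = $r.File_or_Folder.Substring($HomeRoot.Length).Split('\')[0]
        $mask  = [Convert]::ToInt64($r.AccessMask, 16)
        if ($owner -ne $r.UserName -and ($mask -band $writeMask) -ne 0) {   # -ne is case-insensitive
            New-Object PSObject -Property @{
                TimeCreated    = $r.TimeCreated
                UserName       = $r.UserName
                Owner          = $owner
                File_or_Folder = $r.File_or_Folder
                Rights         = ConvertFrom-AccessMask $r.AccessMask
            }
        }
    }
}

# Constructed sample rows (not a capture) in the report's CSV layout
$SampleCsv = @'
ServerName,EventID,TimeCreated,UserName,File_or_Folder,AccessMask
RootMS01,4663,08/20/2013 10:59:23,Administrator,C:\Shares\UserHomeFolder\BWayne,0x1
RootMS01,4663,08/20/2013 11:02:19,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x80000
RootMS01,4663,08/20/2013 11:02:22,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x20000
RootMS01,4663,08/20/2013 11:02:53,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x40000
RootMS01,4663,08/20/2013 11:02:56,PParker,C:\Shares\UserHomeFolder\BWayne\HRStuff.txt,0x1
'@
$Rows = $SampleCsv | ConvertFrom-Csv

# The mask from the 5145 sample below:
# FILE_READ_DATA/FILE_LIST_DIRECTORY|FILE_READ_EA|FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE
ConvertFrom-AccessMask '0x120089'

# Only the two PParker rows with WRITE_OWNER and WRITE_DAC are returned; the Administrator's
# directory listing (0x1) and PParker's reads of the security descriptor (0x20000) are not.
Find-ForeignHomeFolderChanges -Rows $Rows |
    Format-Table TimeCreated, UserName, Owner, File_or_Folder, Rights -AutoSize
```

To run it over real output, replace the sample with Import-Csv C:\Temp\4663Events.csv. The take-ownership-then-change-permissions sequence the rule catches is exactly the pair of sample events shown earlier (WRITE_OWNER followed by WRITE_DAC on BusinessProposal.txt); a subsequent 4670 on the same object would show the resulting DACL change, which is one reason to enable Authorization Policy Change.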

Remember to also report on the following events:

  1. 4670 (Permissions on an object were changed). This event belongs to the Policy Change: Authorization Policy Change subcategory, which the baseline table above leaves at No Auditing, so enable it for Success if you want to see DACL changes
  2. 4907 (Auditing settings on object were changed), from Policy Change: Audit Policy Change, which tells you when someone alters or removes the SACLs you set up, and
  3. 1102 (The audit log was cleared)

Setting up Custom Views in Event Viewer

You can create a filter that includes events from multiple event logs that satisfy specified criteria. You can then name and save that filter as a custom view. To apply the filter associated with a saved custom view, you navigate to the custom view in the console tree and click its name. See http://technet.microsoft.com/en-us/library/cc709635.aspx for steps on how to create a Custom View.

As an example, the following filter looks for file access events by a user with sAMAccountName pparker:

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
     *[System[(EventID=4663)]]
     and
     *[EventData[Data[@Name='SubjectUserName'] and (Data='pparker')]] 
    </Select>
  </Query>
</QueryList>
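The same XPath can be handed to Get-WinEvent unchanged, which turns the custom view into something that can be scheduled or run against several servers. The block below is an added example, not code from the original article: it wraps the view's query in a function, parameterises the user name and server, and adds a second Select for the three events the article says to report on as well (4670, 4907 and 1102). The user and server names are the article's lab values; the function name is mine.

```powershell
# Added example (not from the original article).
function Get-FileAuditEvents {
    param(
        [string] $ComputerName = 'RootMS01',
        [string] $UserName     = 'pparker',
        [int]    $MaxEvents    = 500
    )
    # First <Select> is the custom view above; the second adds the permission-change,
    # audit-setting-change and log-clear events regardless of who raised them.
    $query = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4663)]]
      and
      *[EventData[Data[@Name='SubjectUserName'] and (Data='$UserName')]]
    </Select>
    <Select Path="Security">
      *[System[(EventID=4670 or EventID=4907 or EventID=1102)]]
    </Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -ComputerName $ComputerName -FilterXml ([xml]$query) -MaxEvents $MaxEvents |
        Select-Object TimeCreated, Id,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

Get-FileAuditEvents | Format-Table -AutoSize
```

The same requirements as for the report script apply: Event Log Readers or administrator rights on the target, and the Remote Event Log Management firewall rules for a remote server.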


Final Thoughts

1. If you need to set up audit SACLs on a large number of files, Global Object Access Auditing lets you define a computer-wide SACL for the file system and another for the registry; the effective SACL on an object is the combination of the global one and whatever is set on the object itself. See http://blogs.technet.com/b/askds/archive/2011/03/10/global-object-access-auditing-is-magic.aspx for more information

2. Enabling the Object Access: Detailed File Share audit policy (not File Share, which produces the coarser 5140 share-access events) will generate very helpful 5145 events like the one below, which carry the client's source address and the share-relative path:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          8/14/2013 2:08:25 AM
Event ID:      5145
Task Category: Detailed File Share
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      RootMS01.Reskit.com
Description:
A network share object was checked to see whether client can be granted desired access.
Subject:
        Security ID:           RESKIT\Administrator
        Account Name:          Administrator
        Account Domain:               RESKIT
        Logon ID:              0x49199
Network Information:   
        Object Type:           File
        Source Address:               10.10.10.11
        Source Port:           61361
Share Information:
        Share Name:            \\*\Shares
        Share Path:            \??\C:\Shares
        Relative Target Name:  UserHomeFolder\LSkywalker\Projects.txt
Access Request Information:
        Access Mask:           0x120089
        Accesses:              READ_CONTROL
                              SYNCHRONIZE
                              ReadData (or ListDirectory)
                              ReadEA
                              ReadAttributes
Access Check Results:
        READ_CONTROL:                 Granted by Ownership
        SYNCHRONIZE:                  Granted by D:(A;;FA;;;WD)
        ReadData (or ListDirectory):  Granted by D:(A;;FA;;;WD)
        ReadEA:                       Granted by D:(A;;FA;;;WD)

However, since shares have no SACLs of their own, once this subcategory is enabled every access to every share on the system is audited, and a large volume of these events will be generated.

3. A backup job running under the context of a local administrator on the file server will also generate a large volume of 4663 events. The command AuditPol /Set /User:Reskit\BackupAcct /Subcategory:"File System" /Success:Enable /Exclude can be used for a per-user exclusion. However, this setting is not honored for users who are members of the local Administrators group.


Posted by Tristan Kington, MSPFE Editor, only I never done it, I only said I done it.

  • Hi, thanks a lot for these scripts, but as per the solution derived it has been noticed that this cannot do the audit. For instance, I want to know whoever accesses the file server; in that case what would be the output? Moreover, I want to know the IP of the person who accesses my file server; in that case what can be the feasible solution? Please update this as well, and thanks again for such nice scripts.

  • Lindsay, you can see all that information in the output, see the bottom entry. You combine Share with file access, and you have the answer. If you need real time monitoring, you need something that can consume the event logs as they are generated. This is not that.

  • Lindsay, you may try this file access auditing tool ( http://www.fileaccessauditing.com/) to know who is accessing a file and get a real-time alert when someone accesses or modifies a specific file.

  • Dear Liju Varghese,
    I have a File Server (Windows Server 2008 R2) in domain environment (AD is Windows Server 2008 R2).
    In File Server I open Local Security Policy --> Advanced Audit Policy Configuration --> under System Audit Policies - Local Group Policy Object

    Object Access: Audit File Share Enable Success and Failure

    On the Folder I want to audit, Security Tab, Advanced, Auditing Tab
    I add Everyone (Apply onto This folder, subfolders and files) with Access "Delete subfolders and files" only (Success and Failure)

    But in Event Viewer / Security I see many 5145 events :

    Access Request Information:
    Access Mask: 0x1
    Accesses: ReadData (or ListDirectory)

    How can I log only events which are generated when an attempt is made to delete a shared folder/file ?