Auditing File and Folder Access
Access permissions only help protect data; they don't tell you who deleted important data or who was trying to access files and folders inappropriately. To track who accessed files and folders and what they did, you must configure auditing for file and folder access. Every comprehensive security strategy should include auditing. Auditing settings you configure are applied to specific computers through local computer policy and to multiple computers through Group Policy.
Because auditing policies are applied as part of computer configuration rather than of user configuration, they must be applied through GPOs that are applied to computer OUs. Therefore, if you want an auditing setting to be applied to specific file servers, you configure the auditing setting in a Group Policy Object linked to the appropriate resource OUs. If you want an auditing setting to be applied throughout a domain, you configure the auditing setting in a Group Policy Object linked to the domain, and the setting will apply to all computers in the domain.
Generally, when you want auditing settings to apply only to specified resources and groups of users, you modify the security settings of the relevant objects so that auditing is enabled for the security groups of which the users are members. For example, you could configure auditing on the CurrentProjects folder to track changes and deletions that members of the TempWorkers group make.
Windows Server supports basic auditing and advanced auditing. Basic auditing includes the settings under Windows Settings\Security Settings\Local Policies\Audit Policy. Advanced auditing includes the settings under Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies. When you configure auditing, you use either basic or advanced auditing, not both. Advanced auditing can be applied to computers running Windows 7 or later and Windows Server 2008 R2 or later (and Windows Server 2008 and Windows Vista when logon scripts are used to apply advanced audit policy).
To track file and folder access, you must do the following:
- Enable either basic or advanced auditing.
- Specify which files and folders to audit or enable global object access auditing.
- Track audit events by monitoring the security logs or using a collection tool such as Audit Collection Services in System Center Operations Manager.
Keep in mind that global object access policy is designed to be used with advanced auditing. If you choose to use advanced auditing rather than basic auditing, you can prevent conflicts between basic and advanced settings by forcing Windows to ignore basic auditing settings. To do this, enable the Audit: Force Audit Policy security setting as appropriate in Group Policy. This security setting is under Windows Settings\Security Settings\Local Policies\Security Options.
Enabling basic auditing for files and folders
You configure basic auditing policies by using Group Policy or local security policy. Use Group Policy when you want to set auditing policies for an entire site, domain, or organizational unit. Local security policy settings apply to an individual workstation or server and can be overridden by Group Policy.
To enable basic auditing of files and folders for multiple computers through Group Policy, select Group Policy Management on the Tools menu in Server Manager. Next, press and hold or right-click the GPO you want to work with and then select Edit. In Group Policy Management Editor, expand Policies, Windows Settings, Security Settings, and Local Policies and then select Audit Policy.
To enable basic auditing of files and folders for a specific computer, start the Local Security Policy tool by selecting the related option on the Tools menu in Server Manager. Expand Local Policies and then select Audit Policy.
Next, double-tap or double-click Audit Object Access. This opens the Audit Object Access Properties dialog box shown. In a domain, enable the policy for configuration by selecting Define These Policy Settings. Under Audit These Attempts, select the Success check box to log successful access attempts, the Failure check box to log failed access attempts, or both check boxes and then tap or click OK. This enables auditing, but it doesn't specify which objects should be audited. You do that by editing the properties of each object that you want to track, which can include files and folders, registry settings, and more.
Enabling advanced auditing
As with basic auditing, you configure advanced auditing policies by using Group Policy or local security policy. To enable advanced auditing of files and folders for multiple computers through Group Policy, select Group Policy Management on the Tools menu in Server Manager. Next, press and hold or right-click the GPO you want to work with and then select Edit. In Group Policy Management Editor, expand Policies, Windows Settings, Security Settings, Advanced Audit Policy Configuration, and Audit Policies and then select Object Access.
To enable auditing of files and folders for a specific computer, start the Local Security Policy tool by selecting the related option on the Tools menu in Server Manager. Expand Advanced Audit Policy Configuration and System Audit Policies - Local Group Policy Object and then select Object Access.
With advanced auditing, identify specific types of object access to track by using the available options, which include the following:
- Audit File Share:
Generates audit events whenever an attempt is made to access a shared folder. Because shared folders don't have system access control lists (SACLs), access to all shares on the system is audited (which includes network access to the SYSVOL on domain controllers). Only one audit event is recorded for any connection established between a client and a file share. To record events every time a file or folder on a share is accessed, use the Audit Detailed File Share policy. - Audit File System:
Generates audit events for objects when the type of access requested and the account making the request match the settings in SACLs set on the objects. For example, if a user tries to modify a file and is a member of a group for which you enabled auditing of success and failure Modify events, related audit events will be generated and recorded in the security log. An audit event is generated each time an account accesses a file system object with a matching SACL. - Audit Detailed File Share:
Generates audit events whenever an attempt is made to access a file or folder on a share. Because shared folders don't have SACLs, access to all shared files and folders on the system is audited. An audit event is recorded every time a file or folder on a share is accessed.
To configure these policies, double-tap or double-click a policy to open its Properties dialog box. Select Configure The Following Audit Events and then select the Success check box to log successful access attempts, the Failure check box to log failed access attempts, or both check boxes and then tap or click OK. This enables auditing, but it doesn't specify which files and folders should be audited.
Next, ensure that advanced audit policy overrides basic audit policy. To do this, whenever you edit the Group Policy Objects and enable advanced audit policy, you must also enable the Audit: Force Audit Policy Subcategory Settings security setting. This security setting is under Windows Settings\Security Settings\Local Policies\Security Options.
In the Group Policy editor, double-tap or double-click the Audit: Force Audit Policy security setting to open its Properties dialog box. Select Define This Policy Setting and then select Enabled. Finally, tap or click OK.
Specifying files and folders to audit
After you enable the auditing of object access, you can set the level of auditing by either specifying which files and folders to audit or enabling global object access auditing. Auditing of individual folders and files enables you to control whether and how folder and file usage is tracked. Keep in mind that auditing is available only on NTFS and ReFS volumes. In addition, everything discussed about inheritance applies to files and folders as well-and this is a good thing. This enables you, for example, to audit access to every file or folder on a volume just by specifying that you want to audit the root folder of the volume.
You can use either File Explorer or Server Manager to view and configure auditing. In Server Manager, press and hold or right-click the share you want to work with and then tap or click Properties. In the Properties dialog box, tap or click the Permissions in the left pane. Tap or click Customize Permissions to open the Advanced Security Settings dialog box.
In File Explorer, you can view special permissions by pressing and holding or right-clicking the file or folder you want to work with and selecting Properties on the shortcut menu. In the Properties dialog box, select the Security tab and then tap or click Advanced to open the Advanced Security Settings dialog box.
In the Advanced Security Settings dialog box, tap or click the Auditing tab. You can now view and manage auditing settings by using the options.
The Auditing Entries list shows the users, groups, or computers whose actions you want to audit. To remove an account, select the account in the Auditing Entries list and then tap or click Remove.
You can audit access related to basic permissions and special permissions as listed in Table 19-1 and Table 19-2, respectively. Keep in mind that basic permissions include multiple special permissions. Therefore, when you audit the Modify permission, this tracks access related to Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, and Read permissions.
Table-1 Special permissions for folders
Special Permissions Full Modify Read & List Read Write Control Execute Folder Contents Traverse Folder/ X X X X Execute File List Folder/ Read Data X X X X X Read Attributes X X X X X Read Extended X X X X X Attributes Create Files/Write X X X Data Create Folders/ X X X Append Data Write Attributes X X X Write Extended X X X Attributes Delete Subfolders X And Files Delete X X Read Permissions X X X X X X Change Permissions X Take Ownership X
Table-2 Special permissions for files
Special Permissions Full Modify Read & Read Write Control Execute Traverse Folder/ X X X Execute File List Folder/ X X X X Read Data Read Attributes X X X X Read Extended X X X X Attributes Create Files/Write X X X Data Create Folders/Append X X X Data Write Attributes X X X Write Extended X X X Attributes Delete Subfolders X And Files Delete X X Read Permissions X X X X X Change Permissions X Take Ownership X
You can configure auditing for additional users, computers, or groups by following these steps:
- Tap or click Add and then click Select A Principal to open the Select Users, Computers, Service Accounts, Or Groups dialog box.
- Type the name of a user, computer, or group in the current domain and then tap or click Check Names. Be sure to reference the user account name rather than the user's full name. Only one name can be entered at a time. If you want to audit actions for all users, use the special Everyone group. Otherwise, select the specific user groups, users, or both that you want to audit.
- Tap or click OK. The user and group are added, and the Principal and the Auditing Entry dialog box are updated to show this. Only basic permissions are listed by default. If you want to work with advanced permissions, tap or click Show Advanced Permissions to display the special permissions.
- Optionally, use the Applies To list to specify at what level objects are audited. If you are
working with a folder and want to replace the auditing entries on all child objects of this
folder (and not on the folder itself), select Only Apply These Settings To Objects And/Or Containers Within This Container.
Note:
The Applies To list enables you to specify where you want the auditing settings to apply. The Only Apply These Settings To Objects And/Or Containers Within This Container check box controls how auditing settings are applied. When this check box is selected, auditing settings on the parent object replace settings on child objects. When this check box is cleared, auditing settings on the parent object are merged with existing settings on child objects. - Use the Type list to specify whether you are configuring auditing for success, failure, or both and then specify which actions should be audited. Success logs successful events such as successful file reads. Failure logs failed events such as failed file deletions. The events you can audit are the same as the special permissions discussed previously, except that you can't audit the synchronizing of offline files and folders.
- If you're using claims-based policies and want to limit the scope of the auditing entry, you can add claims-based conditions to the auditing entry. For example, if all corporate computers are members of the Approved Computers group, you might want to audit access closely by devices that aren't members of this group.
- Tap or click OK. Repeat this process to audit other users, groups, or computers.
Note:
Often, you'll want to track only failed actions. This way, you know if someone was trying to perform an action and failed. Keep in mind that a failed attempt doesn't always mean someone is trying to break into a file or folder. A user simply might have doubletapped or double-clicked a folder or file to which he didn't have access. In addition, some types of actions can cause multiple failed attempts to be logged even when the user performed the action only once. Regardless, as an administrator, you should check multiple failed attempts because of the possibility that someone is attempting to breach your system's defenses.
Instead of tracking access to specific files and folders, your business or compliance policies might require you to track specific types of access on sensitive computers. For example, you might need to track all access activity on servers containing sensitive data. To do this without having to configure SACLs, you can use global object access policy.
Global object access policy is designed to be used with advanced auditing and two object access areas:
- Audit File System, which must be enabled to track global access to files and folders
- Audit Registry, which must be enabled to track global access to the registry
After you enable file system auditing, registry auditing, or both, you can enable global access policy. Global access policy generates audit events for objects when the type of access requested and the account making the request match the settings in SACLs configured in the global access policy.
You configure global access policy by using Group Policy or local security policy. Follow these steps:
- Open the GPO you want to work with for editing. Next, in Group Policy Management Editor, expand Policies, Windows Settings, Security Settings, Advanced Audit Policy Configuration, and Audit Policies and then select Global Object Access Auditing.
- Double-tap or double-click the File System setting to open its Properties dialog box. Select Define This Policy Setting and then tap or click Configure. This opens the Advanced Security Settings For Global File SACL dialog box.
- In the Advanced Security Settings For Global File SACL dialog box, tap or click Add. Next, in the Auditing Entry dialog box, tap or click Select A Principal to open the Select User, Computer, Service Account Or Group dialog box. Type the name of the user, group, or computer to audit and then tap or click Check Names. Only one name can be entered at a time. Be sure to reference the user account name rather than the user's full name.
- Use the Type list to specify whether you are tracking successful or failed access and then select the permissions you want to audit. If you want to track both successful and failed access, choose All as the type.
Extending access policies to auditing
With Windows Server 2012 R2, you can extend claims-based access controls to auditing. Here, you create central audit policies that use claims and resource properties. The result is a more targeted and easier-to-manage auditing policy that can help you meet business and compliance requirements such as policies that do the following:
- Audit everyone who tries to access sensitive or confidential data but doesn't have a security clearance that would allow this
- Audit contractors and vendors when they try to access documents that aren't related to projects they are working on
Precise targeting helps limit the volume of collected data while focusing on the most relevant data. Although the auditing events are generated on a per-server basis, event collection and analysis tools, such as Audit Collection Services in System Center Operations Manager, make it possible to collect the events centrally and search through them in new ways.
The easiest way to extend claims-based access controls to auditing is to follow these steps:
- Enable and configure central access policies.
- Enable either object access or global object access auditing.
- Use the claim types and resource properties you defined to help you fine-tune audit policy.
An example of extending claims-based access controls to auditing. Here, you limit the auditing to members of the Contractors group who are outside a specified country or region and who don't have their Company property set as City Power.
Monitoring the security logs
Any time files and folders that you've configured for auditing are accessed, the action is written to the system's Security log, where it's stored for your review. The Security log is accessible from Event Viewer. Successful actions can cause successful events, such as successful file reads, to be recorded. Failed actions can cause failed events, such as failed file deletions, to be recorded.