Wednesday, October 2, 2019

How to Audit File and Folder Access

Whenever files and folders are accessed on a Windows system, the questions of interest are who accessed them, when the access took place, and what happened to the files afterwards. Being able to audit such access without a third-party application is a bonus.

Windows has a built-in feature that keeps track of when someone views, edits, or deletes something inside a specified folder. All we need to do is enable auditing of those events. This write-up explains step by step how to configure it. The auditing feature is enabled through a Windows security feature called Group Policy.

1. Open Run, type gpedit.msc and press Enter.

Two nodes are shown: User Configuration and Computer Configuration. User Configuration controls policies for each user. At this point we are interested in Computer Configuration, because computer settings are system-wide and affect all users.


2. Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy


3. Configure Audit Object Access: double-click it and select both Success and Failure.


4. Close Group Policy.

This is the first step in auditing files and folders. It tells Windows that we want to monitor changes to files, folders and other objects such as registry keys and the SAM. The steps that follow tell Windows exactly what we want to track.

5. Right-click the folder you want to monitor, click Properties and then open the Security tab.


6. Click Advanced and then the Auditing tab. This is where the actual configuration is done.



7. Click Add.


8. Enter Users as the principal and click Check Names.


9. Click OK.

10. Choose the audit type (All, Success or Failure), what it applies to, and the permissions you want to audit, then click OK.


11. Click OK in each remaining dialog.

To view these events, go to Event Viewer -> Windows Logs -> Security.



For file system events you will see event IDs 4656 (file open, i.e. a handle to the object was requested), 4663 (access performed and permission actually exercised) and 4658 (file closed, i.e. the handle was closed). 4663 is the one that records what was actually done to the file.
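The same configuration (steps 1 to 11 above) and the Security log lookup can be scripted. This is an added example, not part of the original post; it assumes an elevated PowerShell session, a placeholder folder C:\Audited, and that auditing is applied to the built-in Users group.

```powershell
# Added example (not from the original post). Assumes: placeholder folder C:\Audited,
# the built-in "Users" group as the audited principal, and an elevated shell.

# Steps 1-4 equivalent: enable the "Audit Object Access" subcategory for the file system.
# auditpol is the command-line counterpart of the Group Policy setting.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Steps 5-11 equivalent: add an audit entry (SACL) to the folder.
$Folder = 'C:\Audited'   # placeholder path, change to the folder you want to monitor
$Rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Users',                                                      # principal (step 8)
    [System.Security.AccessControl.FileSystemRights]::Modify,     # permissions to audit (step 10)
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',  # applies to subfolders and files
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'  # audit type "All"
)

$Acl = Get-Acl -Path $Folder -Audit   # -Audit is required to read/write the SACL
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Folder -AclObject $Acl

# Check: list the audit entries now present on the folder.
(Get-Acl -Path $Folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# Event Viewer equivalent: pull the last 24 hours of 4663 events (permission exercised)
# from the Security log and keep only those for the monitored folder.
$Events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

$Events | ForEach-Object {
    # Each event's details live in EventData; parse the XML into a name/value table.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time       = $_.TimeCreated
        User       = $data['SubjectUserName']
        Object     = $data['ObjectName']
        AccessMask = $data['AccessMask']   # which right was exercised, e.g. 0x2 = WriteData
        Process    = $data['ProcessName']
    }
} | Where-Object { $_.Object -like "$Folder*" } | Format-Table -AutoSize
```

Event 4656 (open) and 4658 (close) can be pulled the same way by changing the Id value; correlate them with 4663 through the HandleId field in EventData.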
