What is file auditing?
An inspection of all the events occurring within file servers is called file auditing. This includes the monitoring of file access with details of who accessed what file, when, and from where; an analysis of the most accessed and modified files; successful and failed file access attempts; and more. The main objective of the file server auditing process is to keep track of all the operations taking place within the configured server environments and ensure data security and visibility throughout the data life cycle.
How does file auditing work?
The file auditing process follows this framework:
- Configure the necessary SACLs on file servers, failover clusters, and workgroup servers for an accurate and comprehensive audit.
- Audit file and folder operations in real time, based on the auditing policies specified on the configured servers.
- Report on file operations such as read, write, security permission changes, and more for internal and external auditing purposes.
- Alert technicians when the system captures activities that are not in line with prescribed usage policies.
- Investigate the root cause of anomalies and implement corrective actions to close the loopholes through which security breaches can occur.
Check out these file server auditing best practices to know the nuances of auditing file servers and how it's done effectively.
Important file audit event IDs
The following events should be monitored to speed up the detection of any actions that can cause damage within file server environments.
| Event ID | Description | What it means |
|---|---|---|
| 4656 | A handle to an object was requested. | Monitors requests to access files and folders. |
| 4658 | The handle to an object was closed. | Aids in knowing how long a handle was open. |
| 4660 | An object was deleted. | Generated when an object is deleted. |
| 4663 | An attempt was made to access an object. | Indicates that an action was attempted on an object. |
| 4670 | Permissions on an object were changed. | Detects when ACLs are changed on an object. |
| 4907 | Auditing settings on an object were changed. | Monitors changes in the SACL of an object. |
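On their own these events do not give a who-did-what-on-which-file view: 4658 (handle closed) and 4660 (object deleted) carry only the handle ID, so the file name has to be recovered from the earlier 4656 with the same handle. The following Python is an added example, not code from the original page; it joins the handle lifecycle events of a constructed sample batch (field names such as `handle`, `user`, `object` and `access` are assumed simplifications of the Security log fields) into per-handle activity rows and picks out the rows that changed permissions or deleted the object.

```python
from datetime import datetime
from typing import Dict, List, Optional

def ev(id_: int, time: str, user: str, handle: str,
       obj: Optional[str] = None, access: Optional[str] = None) -> dict:
    """Build one simplified event record (assumed field names, not the raw XML)."""
    return {"id": id_, "time": time, "user": user, "handle": handle,
            "object": obj, "access": access}

# Constructed sample records modelled on the event IDs in the table above.
# Not real log data. Note the 4658/4660 rows carry no object name.
SAMPLE_EVENTS = [
    ev(4656, "2024-05-01T09:00:00", "alice", "0x1a4", r"\\fs01\finance\q1.xlsx", "ReadData"),
    ev(4663, "2024-05-01T09:00:01", "alice", "0x1a4", r"\\fs01\finance\q1.xlsx", "ReadData"),
    ev(4658, "2024-05-01T09:05:00", "alice", "0x1a4"),
    ev(4656, "2024-05-01T09:10:00", "bob", "0x2b0", r"\\fs01\finance\payroll.docx", "WRITE_DAC"),
    ev(4670, "2024-05-01T09:10:02", "bob", "0x2b0", r"\\fs01\finance\payroll.docx"),
    ev(4660, "2024-05-01T09:11:00", "bob", "0x2b0"),
    ev(4658, "2024-05-01T09:11:01", "bob", "0x2b0"),
]

def correlate(events: List[dict]) -> List[dict]:
    """Join 4656/4663/4670/4660/4658 by handle ID into one row per opened handle."""
    open_handles: Dict[str, dict] = {}   # handle ID -> row still open
    rows: List[dict] = []
    for e in sorted(events, key=lambda x: x["time"]):  # ISO timestamps sort as text
        h = e["handle"]
        if e["id"] == 4656:               # handle requested: start a new row
            open_handles[h] = {"user": e["user"], "object": e["object"],
                               "opened": e["time"], "closed": None, "seconds_open": None,
                               "accesses": [], "permissions_changed": False, "deleted": False}
            rows.append(open_handles[h])
            continue
        row = open_handles.get(h)
        if row is None:                   # no matching 4656 (log gap or overwritten entries)
            continue
        if e["id"] == 4663 and e["access"]:
            row["accesses"].append(e["access"])
        elif e["id"] == 4670:
            row["permissions_changed"] = True
        elif e["id"] == 4660:
            row["deleted"] = True
        elif e["id"] == 4658:             # handle closed: compute how long it was open
            row["closed"] = e["time"]
            row["seconds_open"] = (datetime.fromisoformat(e["time"])
                                   - datetime.fromisoformat(row["opened"])).total_seconds()
            del open_handles[h]           # handle IDs are reused, so forget it once closed
    return rows

def risky_rows(rows: List[dict]) -> List[dict]:
    """Rows worth an alert: ACL changes or deletions on the file."""
    return [r for r in rows if r["permissions_changed"] or r["deleted"]]
```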
Limitations of native file auditing
While native file auditing offers enough tools for organizations to build a basic auditing system, it falls well short of what real environments demand. It is next to impossible to implement an actionable file auditing system using native methods, let alone one that fulfils the mandates prescribed by regulatory laws.
A few notable downsides of native file auditing are:
- It is suitable only for smaller environments. It does not scale up to meet the audit rigours of a large organization, causing performance issues.
- The event logs generated in the native auditing tool will be overwritten once the disk storage capacity becomes full.
- Single-console reporting is impossible. All events are logged haphazardly and require clever scripting and correlation to extract who-did-what-and-on-which-file reports.
- Important audit data is difficult to single out because of poor search capabilities.
- The same event might have a different ID in different versions of Windows file servers, so the task of covering them all falls on the script writer.
- Every action generates a large number of log entries, so finding the risky events that might lead to security incidents is time-consuming and labour-intensive.
- Without alerting or email notification capabilities, suspicious activities within the file system go unnoticed, and drilling down into the cause of any mishap is difficult.
- It doesn't support compliance-specific reporting.