Windows file server auditing guide

1. Introduction

1.1. Overview

Securely track file creation, modification, and deletion from both authorized and unauthorized accesses, with detailed forensics about security and permission changes to the documents in folder structure and shares.

1.2. Features and benefits of Windows file server auditing in ADAudit Plus

  • Track accesses and changes to shares, files, and folders
  • Identify the username, workstation, and IP address of each user file activity
  • Receive email alerts upon suspicious activity
  • Audit Windows failover clusters for a secure and compliant network environment that experiences no downtime
  • Automate the tracking of changes through scheduled reports
  • Meet SOX, HIPAA, PCI DSS, and GLBA compliance requirements

2. Supported systems

2.1. Windows Server versions:

  • 2003/2003 R2
  • 2008/2008 R2
  • 2012/2012 R2
  • 2016/2016 R2
  • 2019

2.2. Share types

  • SMB
  • CIFS
  • DFS
  • DFSR

2.3. Volume types

  • Mounted volume
  • SAN volume
  • Junction path

2.4. File and folder activity

  • Created
  • Deleted
  • Modified
  • Read
  • Copied and pasted
  • Moved
  • Renamed
  • Owner changes
  • Permission changes
  • Audit settings changes
  • Failed read attempts
  • Failed write attempts
  • Failed delete attempts

3. Configuring Windows Server

  • Log in to ADAudit Plus' web console.
  • Click on the File Audit tab.
  • Select Windows File Server from under the Configured Server(s) drop-down list.
  • Click on Add Server.
  • Follow the instructions from the wizard to add the desired file server.
  • The last step of the wizard enables the automatic configuration of the audit policies and object-level auditing by default. If you wish to do this manually, unselect these options.

Important: Skip steps 4 and 5 if you have enabled the automatic configuration of the audit policies and object-level auditing.

4. Configuring audit policies

4.1. Automatic configuration

  • Log in to ADAudit Plus' web console.
  • Click on the File Audit tab.
  • Select Windows File Server from under the Configured Server(s) drop-down list.
  • Click on Configure Audit Policy in the right corner above the table view.
  • This will create a Group Policy object (GPO) [domainname_ADAuditPlusPolicy] and set the required audit policies for Windows file server auditing. This needs to be followed by setting up object-level auditing.

4.2. Manual configuration

4.2.1 Create a group and add all the file servers to be audited

  • Open ADUC, and create a new Global Security Group named “ADAuditPlusFS.” Add the file servers to be audited to this newly created group.

4.2.2 Create a new GPO to define the audit configurations

  • Open the Group Policy Management Console (GPMC).
  • Create a new GPO named “ADAuditPlusFSPolicy,” referenced throughout this document as <ADAuditPlusFSPolicy>.
  • To link <ADAuditPlusFSPolicy> at the domain level, open GPMC, right-click on the domain, and select Link an Existing GPO. Select <ADAuditPlusFSPolicy>.

4.2.3 Apply audit settings only to the list of file servers that need to be audited

  • Click <ADAuditPlusFSPolicy>, navigate to the right panel, and then select the Delegation tab → Advanced → Authenticated Users. Remove the Apply Group Policy permission.
  • Add the ADAuditPlusFS group to the Security Filtering settings of the <ADAuditPlusFSPolicy> GPO.
4.2.4 Configure advanced audit policies

(Recommended for Windows Server 2008 and above.)

Configuring the advanced audit policies is recommended because it eliminates many of the unimportant events that often get recorded in the security log, leaving only the important ones that may require attention.

  • To set this up, edit <ADAuditPlusFSPolicy> by right-clicking on the policy and selecting Edit.
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration, and configure the following settings.

  Category        Subcategory                 Audit events        Purpose
  Object Access   Audit File System           Success, Failure    File share auditing
  Object Access   Audit File Share            Success, Failure    File share auditing
  Object Access   Audit Handle Manipulation   Success             File integrity monitoring

4.2.5 Force audit policy

  • Enable Force audit policy subcategory settings in <ADAuditPlusFSPolicy>.
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options > Audit: Force audit policy subcategory settings (Windows Vista or later) to override the audit policy category settings.
4.2.6 Configure audit policies

(Windows Server 2003 and below: not recommended.)

  • To set this up, edit <ADAuditPlusFSPolicy> by right-clicking on the policy and selecting Edit.
  • Navigate to Computer Configuration > Windows Settings > Security Settings > Audit Policy Configuration, and configure the following settings.

  Category        Audit events        Purpose
  Object Access   Success, Failure    File share auditing; file integrity monitoring

5. Configuring object-level auditing

To audit file and folder access, corresponding object-level auditing must be applied to shared folders. This can be achieved in three ways.

  • Automatic configuration
  • Manual configuration
  • Using PowerShell cmdlets

5.1. Automatic configuration

  • Log in to ADAudit Plus' web console.
  • Go to the File Audit tab in the top menu.
  • Click on Windows File Server under Configured Server(s) in the left pane.
  • Click on the Remove or View Configured File Shares icon corresponding to the file server you're looking to configure object-level auditing for in the list of servers.
  • Select the respective shares, and click Apply object-level audit settings on configured shares (found at the top right corner).

Color codes: Hover the cursor over the share to see the error code.

  • Green—Object-level auditing is set correctly.
  • Red—Object-level auditing is not set correctly or an error occurred during the configuration.
  • Orange—Object-level auditing configuration is in progress.

5.2. Manual configuration

  • Right-click on the share folder that you want to audit, select Properties, and then click on the Security tab.
  • Select Advanced, and then click on the Auditing tab.
  • For the Everyone group, add the following four auditing entries (Principal, Type, Access, Applies To):

  File/folder changes
    Principal: Everyone
    Type: Success, Failure
    Access:
      • Create files / Write data
      • Create folders / Append data
      • Write attributes
      • Write extended attributes
      • Delete subfolders and files
      • Delete
    Applies To: This folder, subfolders, and files

  Folder permission and owner changes
    Principal: Everyone
    Type: Success, Failure
    Access:
      • Take ownership
      • Change permissions
    Applies To: This folder and subfolders

  File read
    Principal: Everyone
    Type: Success, Failure
    Access:
      • List folder / Read data
    Applies To: Files only

  Folder read failure
    Principal: Everyone
    Type: Success, Failure
    Access:
      • List folder / Read data
    Applies To: This folder and subfolders
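The four auditing entries in the table above, applied to one folder with PowerShell. This is an added example, not a procedure from the ADAudit Plus documentation and not its ADAP-Set-SACL.ps1 script; the folder path D:\Shares\Finance is an assumed example, and the function must run in an elevated prompt on the file server because writing a SACL needs the SeSecurityPrivilege.

```powershell
# Added example (not ADAudit Plus code): write the four "Everyone" audit entries
# from the manual-configuration table onto a folder's SACL.
using namespace System.Security.AccessControl

function Set-FileAuditSacl {
    param([Parameter(Mandatory)][string]$Path)

    $everyone = [System.Security.Principal.NTAccount]'Everyone'
    $both     = [AuditFlags]::Success -bor [AuditFlags]::Failure   # "Type: Success, Failure"
    $noProp   = [PropagationFlags]::None

    # Entry 1: file/folder changes -> "This folder, subfolders, and files"
    $changeRights = [FileSystemRights]::CreateFiles -bor [FileSystemRights]::AppendData -bor
                    [FileSystemRights]::WriteAttributes -bor [FileSystemRights]::WriteExtendedAttributes -bor
                    [FileSystemRights]::DeleteSubdirectoriesAndFiles -bor [FileSystemRights]::Delete
    $folderAndAll = [InheritanceFlags]::ContainerInherit -bor [InheritanceFlags]::ObjectInherit

    # Entry 2: permission and owner changes -> "This folder and subfolders"
    $permRights       = [FileSystemRights]::TakeOwnership -bor [FileSystemRights]::ChangePermissions
    $folderAndSubs    = [InheritanceFlags]::ContainerInherit

    # Entry 3: file read -> "Files only" (ObjectInherit + InheritOnly so the folder itself is skipped)
    $readRights  = [FileSystemRights]::ListDirectory        # same access mask bit as "Read data"
    $filesOnly   = [InheritanceFlags]::ObjectInherit
    $inheritOnly = [PropagationFlags]::InheritOnly

    # Entry 4: folder read (failure) -> "This folder and subfolders"; the table asks for both
    # Success and Failure, so the same $both flags are used.
    $rules = @(
        [FileSystemAuditRule]::new($everyone, $changeRights, $folderAndAll,  $noProp,      $both),
        [FileSystemAuditRule]::new($everyone, $permRights,   $folderAndSubs, $noProp,      $both),
        [FileSystemAuditRule]::new($everyone, $readRights,   $filesOnly,     $inheritOnly, $both),
        [FileSystemAuditRule]::new($everyone, $readRights,   $folderAndSubs, $noProp,      $both)
    )

    # Get-Acl -Audit reads the SACL; Set-Acl writes it back together with the unchanged DACL.
    $acl = Get-Acl -Path $Path -Audit
    foreach ($rule in $rules) { $acl.AddAuditRule($rule) }
    Set-Acl -Path $Path -AclObject $acl

    # Return the resulting audit entries so the caller can confirm all four are present.
    (Get-Acl -Path $Path -Audit).Audit
}

Set-FileAuditSacl -Path 'D:\Shares\Finance' | Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags, AuditFlags -AutoSize
```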

5.3. Using PowerShell cmdlets

  • Go to the <Installation Directory>\bin folder within the PowerShell command prompt.
  • Type in ADAP-Set-SACL.ps1.
  • Follow the steps to apply object-level auditing to shares on the file server.
  • Create a CSV file containing the Universal Naming Convention (UNC) path or local path and the type of auditing (file server auditing [FA] or file integrity monitoring [FIM]) of all the folders that you need to enable auditing for.
  • The CSV file should contain the list of folders in the following format: <folder>,<FA or FIM>

Example:
\\SERVERNAME\folder,FA
C:\test folder,FA
E:\test folder,FIM
\\SERVERNAME\c$\folder,FIM

Once you have the CSV file that lists all the folders and the type of auditing required, go to the <Installation Directory>\bin folder within the PowerShell command prompt.

Type in:

.\ADAP-Set-SACL.ps1 -file '.\<file name>' -mode <add or remove> -recurse <true or false> -username DOMAIN_NAME\username

Where:

  -file (mandatory)
    Name of the CSV file containing the list of shared folders.

  -mode (mandatory)
    add: sets the object-level auditing settings.
    remove: removes the object-level auditing settings.

  -recurse (optional)
    true: replaces all sub-folder object-level auditing settings with the inheritable auditing settings applied to the chosen folder.
    false: applies object-level auditing settings only to the chosen folder.
    Note: By default, the -recurse parameter is set to false.

  -username (optional)
    DOMAIN_NAME\username of the user with privilege over the file or folder to set the object-level auditing settings. (No cross-domain support.)

Note: When removing object-level auditing for a set of folders, the -type parameter is not mandatory.

For example:
  • To set object-level auditing for the list of folders in the shared_folders_list.CSV file, use:
    .\ADAP-Set-SACL.ps1 -file '.\shared_folders_list.CSV' -mode add
  • To replace all sub-folder object-level auditing settings with inheritable auditing settings applied to the shared_folders_list.CSV file, use:
    .\ADAP-Set-SACL.ps1 -file '.\shared_folders_list.CSV' -mode add -recurse true
  • To remove object-level auditing for the list of folders in the shared_folders_list.CSV file, use:
    .\ADAP-Set-SACL.ps1 -file '.\shared_folders_list.CSV' -mode remove

6. Configuring security log size and retention settings

  • Open GPMC.
  • Edit the <ADAuditPlusFSPolicy> GPO.
  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Event Log.
  • Configure Retention method for security log to Overwrite Events As Needed.
  • Configure the Maximum security log size as defined below. Ensure that the security log can hold a minimum of 12 hours worth of data.

7. Exclude configuration

Files and folders can be excluded based on file/folder local path, file type, process name, and user name by using the Exclude Configuration setting:

  • Log in to ADAudit Plus' web console.
  • Go to the File Audit tab, click on Exclude Files under Configuration, and then on Exclude Configuration.
  • Choose to exclude by File/Folder local path, File Type, Process Name, or Users.
  • Click on '+', and provide the necessary exclude settings.

Examples of excluding by File/Folder local path:

Example 1
  Objective: To exclude a folder and all of its subfolders and files
  Share configured: \\SERVER_NAME\share_name
  Local path: c:\sharefolder
  Path of folder that is to be excluded: c:\sharefolder\excludefolder
  File/Folder or Regex Patterns: File/Folder Patterns
  Syntax:
    • c:\sharefolder\excludefolder
    • c:\sharefolder\excludefolder\*
  What will get excluded:
    • c:\sharefolder\excludefolder
    • c:\sharefolder\excludefolder\folder
    • c:\sharefolder\excludefolder\files.txt
    • c:\sharefolder\excludefolder\folder\files.txt
  What won't get excluded: (none)

Example 2
  Objective: To exclude the "AppData" folder for every user profile
  Share and folder path: \\SERVER_NAME\Users (local path c:\Users)
  Path of folder that is to be excluded: C:\Users\user1\AppData
  File/Folder or Regex Patterns: Regex Patterns
  Syntax: C:\\Users\\[^\\]*\\AppData
  What will get excluded:
    • C:\Users\user1\AppData
    • C:\Users\user2\AppData
    • C:\Users\user1\AppData\subfolder
    • C:\Users\user2\AppData\subfolder
  What won't get excluded:
    • C:\Users\user1\subfolder\AppData
    • C:\Users\user2\subfolder\AppData

Example 3
  Objective: To exclude files from a specific folder but audit all subfolders and their contents
  Share and folder path: \\SERVER_NAME\share_name (local path c:\sharefolder)
  Path of folder that is to be excluded: c:\sharefolder\excludefolder
  File/Folder or Regex Patterns: Regex Patterns
  Syntax: ^c:\\sharefolder\\excludefolder\\[^\\]*\.[^\\]*$
  What will get excluded:
    • c:\sharefolder\excludefolder\file.txt
    • c:\sharefolder\excludefolder\folder.withDot
  What won't get excluded:
    • c:\sharefolder\excludefolder
    • c:\sharefolder\excludefolder\folderWithoutDot
    • c:\sharefolder\excludefolder\folderWithoutDot\subfolder
    • c:\sharefolder\excludefolder\folderWithoutDot\testfile.txt
    • c:\sharefolder\excludefolder\folder.withDot\subfolder
    • c:\sharefolder\excludefolder\folder.withDot\testfile.txt
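An added example, not from the ADAudit Plus documentation, for dry-running the regex patterns above against constructed paths before saving them, and for generating the "files in this folder only" pattern for any folder, which generalizes the last example. It assumes ADAudit Plus evaluates a pattern as an unanchored, case-insensitive search, which is how PowerShell's -match operator behaves; confirm that against the product before relying on it.

```powershell
# Added example (not ADAudit Plus code): test exclude patterns before deploying them.
# Assumption: the product applies a pattern as an unanchored, case-insensitive search,
# the same semantics as PowerShell's -match.
function Test-ExcludePattern {
    param(
        [Parameter(Mandatory)][string]$Pattern,
        [Parameter(Mandatory)][string[]]$Paths
    )
    foreach ($path in $Paths) {
        [pscustomobject]@{ Path = $path; Excluded = ($path -match $Pattern) }
    }
}

# Generalizes Example 3: build the "files only" pattern for any folder.
# [regex]::Escape doubles each backslash, which is exactly what the pattern syntax needs.
function New-FilesOnlyExcludePattern {
    param([Parameter(Mandatory)][string]$Folder)
    '^' + [regex]::Escape($Folder) + '\\[^\\]*\.[^\\]*$'
}

# Example 2 pattern; the paths are constructed test cases.
Test-ExcludePattern -Pattern 'C:\\Users\\[^\\]*\\AppData' -Paths @(
    'C:\Users\user1\AppData',
    'C:\Users\user2\AppData\subfolder',
    'C:\Users\user1\subfolder\AppData'       # not excluded: [^\\]* cannot cross a backslash
) | Format-Table -AutoSize

# Generated pattern; it is identical to the Syntax line of Example 3.
$pattern = New-FilesOnlyExcludePattern -Folder 'c:\sharefolder\excludefolder'
$pattern
Test-ExcludePattern -Pattern $pattern -Paths @(
    'c:\sharefolder\excludefolder\file.txt',                    # excluded
    'c:\sharefolder\excludefolder\folder.withDot',              # excluded: the name contains a dot
    'c:\sharefolder\excludefolder\folderWithoutDot',            # kept: no dot in the last element
    'c:\sharefolder\excludefolder\folder.withDot\testfile.txt'  # kept: one level too deep for the anchors
) | Format-Table -AutoSize
```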

8. Troubleshooting

  • How to check if the audit policies and the security log settings have been applied on the monitored computers:
    • Log in to any computer with domain IT admin privileges.
    • Run Command Prompt as an administrator.
    • Type gpresult /S <monitored computer> /F /H <file name>.HTML.
    • Navigate to C:\Users\<logged in user>\<file name>.HTML to check if all the audit policy settings and security log settings are in place.
  • How to check if object-level auditing settings are in place:
    • Refer to section five found above.
  • How to verify that the events are present in the monitored computers:
    • Log in to any computer with domain admin privileges.
    • Go to Run, and type eventvwr.msc.
    • Right-click on Event Viewer, and connect to the target computer.
    • Check if the corresponding event numbers are present.
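An added verification script, not part of the ADAudit Plus documentation, that runs on the file server itself and reports the state of the settings from sections 4 and 6 and whether file-system access events have been written recently. The LSA registry value and event ID 4663 (the "Audit File System" object-access event) are standard Windows names, not values taken from this page; run it in an elevated prompt.

```powershell
# Added example (not ADAudit Plus code): one-shot readiness check on a monitored file server.
function Test-FileAuditReadiness {
    $result = [ordered]@{}

    # Section 4.2.4: the three Object Access subcategories. "auditpol /r" prints CSV whose
    # "Inclusion Setting" column reads e.g. "Success and Failure", "Success" or "No Auditing".
    foreach ($sub in 'File System', 'File Share', 'Handle Manipulation') {
        $row = auditpol /get /subcategory:"$sub" /r |
               Where-Object { $_ -ne '' } | ConvertFrom-Csv
        $result["Audit: $sub"] = $row.'Inclusion Setting'
    }

    # Section 4.2.5: the "Force audit policy subcategory settings" option is stored as this
    # LSA value; 1 means subcategory settings override the legacy category settings.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name SCENoApplyLegacyAuditPolicy -ErrorAction SilentlyContinue
    $result['ForceSubcategorySettings'] = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)

    # Section 6: retention mode and maximum size of the Security log.
    # LogMode "Circular" corresponds to "Overwrite events as needed".
    $log = Get-WinEvent -ListLog Security
    $result['SecurityLogMode']  = $log.LogMode
    $result['SecurityLogMaxMB'] = [math]::Round($log.MaximumSizeInBytes / 1MB)

    # Section 8: have any file-system object-access events (ID 4663) been logged in the last hour?
    # A count of zero after the SACLs are in place points at a policy or SACL problem.
    $since  = (Get-Date).AddHours(-1)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                           -MaxEvents 50 -ErrorAction SilentlyContinue
    $result['Recent4663Events'] = @($events).Count

    [pscustomobject]$result
}

Test-FileAuditReadiness | Format-List
```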
