Configuring Audit Policies for Windows File Server Auditing
- Open the Group Policy Management Console (GPMC).
- Create a new GPO named "ADAuditPlusFSPolicy".
- Link "ADAuditPlusFSPolicy" at the domain level.
  - Open GPMC | right-click the domain | select "Link an Existing GPO" | select "ADAuditPlusFSPolicy".
- Edit "ADAuditPlusFSPolicy" (right-click the policy and select "Edit").
- Configure the required Advanced Audit Policies for Windows Server 2008 and above (recommended). These settings can be found under:
  - Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | System Audit Policies
  - Audit File Shares:
    - Select Object Access -> Audit File System (Success, Failure), Audit Handle Manipulation (Success, Failure), Audit File Share (Success).
    - Select Policy Change -> Audit Policy Change (Success, Failure).
- Audit policies required for Windows File Server auditing (for Windows Server 2003 and below):
  - Computer Configuration | Windows Settings | Security Settings | Local Policies | Audit Policy
  - Audit File Shares: configure Object Access (Success, Failure).
- Force the Advanced Audit Policy:
  - Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options
  - Enable "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings".
- Remove the "Apply Group Policy" privilege for Authenticated Users from the GPO created above, using the following steps.
  - Get the GUID value for "ADAuditPlusFSPolicy":
    - Open GPMC and click "ADAuditPlusFSPolicy".
    - Click the "Details" tab (right side).
    - Note the value of "Unique ID".
  - Remove the "Apply Group Policy" privilege for Authenticated Users:
    - Open "dsa.msc": Start -> Run -> dsa.msc
    - "Domain" -> System -> Policies -> "Unique ID"
    - Right-click the "Unique ID" -> Security tab -> Advanced
    - Remove "Allow" for "Apply Group Policy".
- Create a new Global Security Group and add the file servers to be audited to that group.
  - Open ADUC | create a new Global Security Group named "ADAuditPlusFS". Add the configured file servers as members of this group.
- Add the group "ADAuditPlusFS" to the "Security Filtering" settings of the "ADAuditPlusFSPolicy" GPO.
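
A check to run on a file server once the GPO has applied, as an added example that is not part of the original guide or of ADAudit Plus: it compares the effective audit policy with the settings listed above. It assumes an elevated session, an English-language OS, and that the "Force audit policy subcategory settings" option is reflected in the `SCENoApplyLegacyAuditPolicy` registry value.

```powershell
# Added example; run elevated on a file server that is a member of ADAuditPlusFS.
# Assumes an English-language OS (auditpol subcategory names are localized).

# Subcategory -> outcomes the steps above require to be audited.
$required = [ordered]@{
    'File System'         = 'Success', 'Failure'
    'Handle Manipulation' = 'Success', 'Failure'
    'File Share'          = 'Success'
    'Audit Policy Change' = 'Success', 'Failure'
}

# auditpol /r emits CSV; the "Inclusion Setting" column holds
# "Success", "Failure", "Success and Failure" or "No Auditing".
$effective = auditpol.exe /get /category:* /r |
    Where-Object { $_ } |
    ConvertFrom-Csv

$results = @(foreach ($name in $required.Keys) {
    $row     = $effective | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    # Any required outcome that the effective setting does not include.
    $missing = $required[$name] | Where-Object { $setting -notmatch $_ }
    [pscustomobject]@{
        Check    = "Subcategory: $name"
        Expected = $required[$name] -join ' and '
        Actual   = $setting
        Pass     = -not $missing
    }
})

# "Audit: Force audit policy subcategory settings ..." is stored as this LSA value (1 = enabled).
$lsa   = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$force = $lsa.SCENoApplyLegacyAuditPolicy
$results += [pscustomobject]@{
    Check    = 'Force audit policy subcategory settings'
    Expected = '1'
    Actual   = if ($null -eq $force) { 'Not set' } else { "$force" }
    Pass     = ($force -eq 1)
}

$results | Format-Table -AutoSize
if ($results.Pass -contains $false) {
    Write-Warning 'Effective audit policy does not match the ADAuditPlusFSPolicy settings.'
}
```

Run `gpupdate /force` on the server first so the result reflects the linked GPO rather than a stale policy.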
Copyright © 2022,
ZOHO Corp.
All Rights Reserved.