Configuring Object Level Auditing for File Integrity Monitoring
To audit file and folder access on Domain Controllers, Member Servers and Workstations, the corresponding object level audit entries (SACLs) must be applied to the folders/drives.
You can do this in three ways:
- Manually on Each Folder/Drive.
- Using a PowerShell script.
- Global Object Access Auditing.
1. Manually on Each Folder/Drive
Configure Object Level Auditing for all the folders/drives configured in ADAudit Plus:
- Right-click the folder/drive that you want to audit, click Properties, and then click the Security tab.
- Click Advanced, and then click the "Auditing" tab.
- For the "Everyone" group, add the following entries.
| | Principal | Type | Access | Applies To |
|---|---|---|---|---|
| File/Folder Changes | Everyone | Success and Failure | Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete | This Folder, Subfolders and Files |
| Folder Permission and Owner Changes | Everyone | Success and Failure | Take Ownership, Change Ownership | This Folder and Subfolders |
- Click OK.
- This sets the SACLs on the selected folders.
2. Using PowerShell Script
- Go to the '<Installation Directory>\bin' folder at the PowerShell command prompt.
- For complete usage, run the 'ADAP-Set-SACL.ps1' script without any arguments.
Example: .\ADAP-Set-SACL.ps1 -file '.\folders.csv' -mode add -username DOMAIN_NAME\username
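As an added illustration (this is not the ADAP-Set-SACL.ps1 script that ships with ADAudit Plus), the following applies the two "Everyone" SACL entries from the step 1 table to a single folder with the .NET FileSystemAuditRule API. The folder path is a placeholder, and the mapping of the table's "Change Ownership" entry to the NTFS "Change permissions" right is an assumption made here.

```powershell
# Added example, not the ADAP-Set-SACL.ps1 script shipped with ADAudit Plus.
# Applies the two "Everyone" audit entries from the step 1 table to one folder.
# Run elevated: writing a SACL requires the "Manage auditing and security log" privilege.
param(
    [string]$Path = 'C:\Shares\Finance'   # placeholder path, not from the product docs
)

# Well-known SID for Everyone; the SID avoids depending on the localized group name.
$everyone = [System.Security.Principal.SecurityIdentifier]'S-1-1-0'
$successAndFailure = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Row 1: file/folder changes, "This Folder, Subfolders and Files"
# (ContainerInherit + ObjectInherit). Enum names map to the GUI labels:
# CreateFiles = Create Files / Write Data, CreateDirectories = Create Folders / Append Data.
$changeRights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete'
$changeRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    $changeRights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    $successAndFailure)

# Row 2: permission and owner changes, "This Folder and Subfolders" (no ObjectInherit).
# Assumption: the table's "Change Ownership" is taken to be the "Change permissions"
# right, since NTFS exposes TakeOwnership and ChangePermissions but no separate
# change-ownership right.
$ownerRights = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
$ownerRule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    $ownerRights,
    [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    $successAndFailure)

# -Audit makes Get-Acl read the SACL (not only the DACL) so Set-Acl can write it back.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($changeRule)
$acl.AddAuditRule($ownerRule)
Set-Acl -Path $Path -AclObject $acl

# Show what is now in the SACL so the result can be checked against the table.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

The SACL alone produces no events; the "Audit File System" subcategory under Object Access must also be enabled in the advanced audit policy for the entries to generate 4663 events.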
3. Global Object Access Auditing
Configure the following Global Object Access Auditing settings in the respective GPO. This is recommended for workstations only, because it logs all file/folder changes on the computer.
- Open the Group Policy Management Console (GPMC).
- Edit the respective GPO (FIM on Domain Controllers, FIM on Member Servers, FIM on Workstations).
- Configure the required Advanced Audit Policies. These settings can be found under Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | System Audit Policies.
- Global Object Access Auditing -> File System.
- Click Configure.
- For the "Everyone" group, add the following entries. Make sure you do not select read access, because it will create noisy events.
| | Principal | Type | Access | Applies To |
|---|---|---|---|---|
| File/Folder Changes | Everyone | Success and Failure | Create Files / Write Data, Create Folders / Append Data, Write Attributes, Write Extended Attributes, Delete Subfolders and Files, Delete | This Folder, Subfolders and Files |
| Folder Permission and Owner Changes | Everyone | Success and Failure | Take Ownership, Change Ownership | This Folder and Subfolders |
Copyright © 2022, ZOHO Corp. All Rights Reserved.