Configuring Object Level Auditing for File Integrity Monitoring

To audit file and folder access on domain controllers, member servers, and workstations, the corresponding object-level audit entries must be applied to the folders/drives.

You can do this in three ways:

  1. Manually on each folder/drive.

  2. Using a PowerShell script.

  3. Global Object Access Auditing.

1. Manually on Each Folder/Drive

Configure Object Level Auditing for all the folders/drives configured in ADAudit Plus:

  1. Right-click the folder/drive that you want to audit, click Properties, and then click the Security tab.

  2. Click Advanced, and then click the “Auditing” tab.

  3. For the “Everyone” group, add the following entries.

 

     File/Folder Changes
       Principal:  Everyone
       Type:       Success and Failure
       Access:
         • Create Files / Write Data
         • Create Folders / Append Data
         • Write Attributes
         • Write Extended Attributes
         • Delete Subfolders and Files
         • Delete
       Applies To: This Folder, Subfolders and Files

     Folder Permission and Owner Changes
       Principal:  Everyone
       Type:       Success and Failure
       Access:
         • Take Ownership
         • Change Ownership
       Applies To: This Folder and Subfolders

  4. Click OK.

  5. This sets the SACLs for the selected folders.
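
The two audit entries from the table above, applied to a single folder and then read back to confirm they are in the SACL. This is an added PowerShell example, not ADAudit Plus's ADAP-Set-SACL.ps1 or any code from the original page; the folder path is a placeholder, and the table's "Change Ownership" entry is mapped to the ChangePermissions right as an assumption.

```powershell
# Added example, not ADAP-Set-SACL.ps1. Run in an elevated session.
param([string]$Path = 'D:\Shares\Finance')   # hypothetical folder, replace with your own

$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'   # well-known SID for Everyone
$both     = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$noProp   = [System.Security.AccessControl.PropagationFlags]::None

# Each entry mirrors one row of the table: access rights plus "Applies To" scope.
$wanted = @(
    @{  # File/Folder Changes -> This Folder, Subfolders and Files
        Rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, WriteAttributes, WriteExtendedAttributes, DeleteSubdirectoriesAndFiles, Delete'
        Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    },
    @{  # Folder Permission and Owner Changes -> This Folder and Subfolders
        # Assumption: the table's "Change Ownership" is mapped to ChangePermissions.
        Rights  = [System.Security.AccessControl.FileSystemRights]'TakeOwnership, ChangePermissions'
        Inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    }
)

# Read the current SACL (-Audit), add both rules, and write it back.
$acl = Get-Acl -Path $Path -Audit
foreach ($w in $wanted) {
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        $everyone, $w.Rights, $w.Inherit, $noProp, $both)
    $acl.AddAuditRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Read back only the explicit entries and confirm each expected one is present.
$actual = (Get-Acl -Path $Path -Audit).GetAuditRules(
    $true, $false, [System.Security.Principal.SecurityIdentifier])
foreach ($w in $wanted) {
    $hit = $actual | Where-Object {
        $_.IdentityReference -eq $everyone -and
        ($_.FileSystemRights -band $w.Rights) -eq $w.Rights -and
        ($_.AuditFlags -band $both) -eq $both -and
        $_.InheritanceFlags -eq $w.Inherit
    }
    '{0,-7} {1}' -f $(if ($hit) { 'OK' } else { 'MISSING' }), $w.Rights
}
```

No read rights are included, so the entries record changes only and do not generate an event for every file open.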

2. Using PowerShell Script

  1. In a PowerShell command prompt, go to the '<Installation Directory>\bin' folder.

  2. Type 'ADAP-Set-SACL.ps1'.

3. Global Object Access Auditing

Configure the following Global Object Access Auditing settings in the respective GPO. This method is recommended for workstations only, because it logs all file/folder changes on the computer.

  1. Open the Group Policy Management Console (GPMC).
  2. Edit the respective GPO (FIM on DomainControllers, FIM on Member Servers, FIM on Workstations).
  3. Configure the required Advanced Audit Policies. These settings can be found under:
    1. Computer Configuration | Windows Settings | Security Settings | Advanced Audit Policy Configuration | System Audit Policies
      1. Global Object Access Auditing -> File System.
      2. Click Configure.
      3. For the “Everyone” group, add the following entries. Make sure you do not select read access, because it will create noisy events.

        File/Folder Changes
          Principal:  Everyone
          Type:       Success and Failure
          Access:
            • Create Files / Write Data
            • Create Folders / Append Data
            • Write Attributes
            • Write Extended Attributes
            • Delete Subfolders and Files
            • Delete
          Applies To: This Folder, Subfolders and Files

        Folder Permission and Owner Changes
          Principal:  Everyone
          Type:       Success and Failure
          Access:
            • Take Ownership
            • Change Ownership
          Applies To: This Folder and Subfolders

Copyright © 2017, ZOHO Corp. All Rights Reserved.
ManageEngine