File System (Global Object Access Auditing)

Active Directory Auditing Tool

To have complete knowledge of the activity in their Active Directory, an administrator needs the who, where and when of every change. This information helps them identify desired and undesired activity. ADAudit Plus provides it in the form of reports. It audits, monitors and reports in real time on critical network resources such as domain controllers, covering changes to AD objects (users, groups, GPOs, computers, OUs, DNS, AD schema and configuration) with 200+ detailed event-specific GUI reports and email alerts.

A brief look at configuring File System Audit Policy

File System (Global Object Access Auditing), which is part of the Advanced Security Audit Policy, enables you to configure a global system access control list (SACL) on the file system for a computer.

An administrator can add a user or group to the global SACL by selecting the Configure security check box on the policy's property page. Doing this allows you to define a computer system access control list (SACL) per object type for the file system. The SACL defined by the administrator is then automatically applied to every object of that type in the file system.

If both a global SACL and a file or folder SACL are configured on a computer, the effective SACL is derived from a combination of the file or folder SACL and the global SACL. In this case, events are generated if an activity matches either the global SACL or the file or folder SACL. This policy setting must be used along with the File System security policy setting, which is found under Object Access.

Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.

Audit events are generated only for objects that have configured SACLs. Also, events are generated only when the type of access requested (such as Write, Read, or Modify) and the account making the request match the specified SACL requirements.

Enabling a success audit generates an event each time any account successfully accesses a file system object that matches the SACL requirements. Enabling a failure audit generates an audit entry each time any user unsuccessfully attempts to access a file system object that matches the SACL settings.

Here's a list of events that you should monitor in the Event Viewer as prescribed by the Microsoft documentation.

Events List:

  • 4656(S, F): A handle to an object was requested.
  • 4658(S): The handle to an object was closed.
  • 4660(S): An object was deleted.
  • 4663(S): An attempt was made to access an object.
  • 4664(S): An attempt was made to create a hard link.
  • 4985(S): The state of a transaction has changed.
  • 5051(-): A file was virtualized.
  • 4670(S): Permissions on an object were changed.
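One way to work with the events listed above, as an added example that is not part of the original page or of ADAudit Plus: event 4660 records a Handle ID but no object name, so the deleted path has to be recovered from the 4656/4663 events that share the same process and handle. The helper names, the dictionary layout and the sample records are constructed for illustration; the keys mirror the EventData field names of the Security log.

```python
# Constructed sample records (not from a real log); keys mirror EventData field names.
def ev(event_id, user, pid, handle, path=None):
    rec = {"EventID": event_id, "SubjectUserName": user, "ProcessId": pid, "HandleId": handle}
    if path is not None:
        rec["ObjectName"] = path  # 4660 and 4658 carry no ObjectName
    return rec

SAMPLE_EVENTS = [
    ev(4656, "alice", "0x1a4", "0x5c8", r"D:\Finance\q3.xlsx"),     # handle requested
    ev(4663, "alice", "0x1a4", "0x5c8", r"D:\Finance\q3.xlsx"),     # access attempt
    ev(4660, "alice", "0x1a4", "0x5c8"),                            # object deleted
    ev(4658, "alice", "0x1a4", "0x5c8"),                            # handle closed
    ev(4656, "alice", "0x1a4", "0x5c8", r"D:\Finance\readme.txt"),  # handle value reused
    ev(4658, "alice", "0x1a4", "0x5c8"),
    ev(4660, "bob", "0x2f0", "0x77c"),  # handle opened before the capture started
]

UNKNOWN = "<unknown object>"

def resolve_deletions(events):
    """Return [(user, path)] for every 4660, resolving the path via the handle."""
    open_handles = {}  # (ProcessId, HandleId) -> ObjectName; handle IDs are per process
    deletions = []
    for e in events:
        key = (e["ProcessId"], e["HandleId"])
        if e["EventID"] in (4656, 4663) and "ObjectName" in e:
            open_handles[key] = e["ObjectName"]
        elif e["EventID"] == 4660:
            deletions.append((e["SubjectUserName"], open_handles.get(key, UNKNOWN)))
        elif e["EventID"] == 4658:
            open_handles.pop(key, None)  # forget closed handles so reuse is not misattributed
    return deletions

if __name__ == "__main__":
    for user, path in resolve_deletions(SAMPLE_EVENTS):
        print(f"{user} deleted {path}")
```

Events must be fed in chronological order, since the mapping from handle to path is only valid between the handle request and its 4658 close.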

About ADAudit Plus

ADAudit Plus is real-time change auditing software that helps keep your Active Directory, Azure AD, Windows file servers, NetApp filers, EMC file systems, Synology file systems, Windows member servers, and workstations secure and compliant. With ADAudit Plus, you can get visibility into:

  • Authorized and unauthorized AD management changes
  • User logons, logoffs, and account lockouts
  • GPO changes
  • Group attribute and membership changes
  • OU changes
  • Privileged access and permission changes
  • Azure AD logons, and changes to roles, groups, and applications
  • PowerShell scripts and modules

among other things.

There are more than 200 event-specific reports, and you can configure instant email alerts. You can also export the reports to XLS, HTML, PDF and CSV formats to assist in interpretation and forensics. For more information on ADAudit Plus, visit: https://www.manageengine.com/active-directory-audit/.