Thursday, 4 March 2010

Windows Server File Auditing - a HOWTO guide

The reason for writing this is quite simple: I have only had to do this a handful of times, and there is some misinformation out there that needs to be put straight, so please do link to this post from forums and other such sites where people need clear and concise step-by-step instructions.

Here goes...

Open Group Policy Management from Administrative Tools.

  • Expand the domain where you want to apply the auditing.
  • Right-click the GPO that applies to the computers or servers you want the auditing active on and choose 'Edit', or create a new GPO and link and filter it to the OUs, computers and servers as required.
  • Expand Computer Configuration -> Windows Settings -> Security Settings -> Local Policies, select 'Audit Policy', and in the right-hand pane double-click 'Audit Object Access'.
  • Tick 'Define these policy settings', then tick 'Success' and click OK. The setting reaches each computer at its next Group Policy refresh; run gpupdate /force on the target server to apply it straight away.
  • Close the Group Policy Object editor.
  • Browse to the file, folder or drive (FFD) you want to audit, on one of the computers where the GPO with the new settings applies (you may be able to do this over the administrative shares, e.g. \\ws-01\c$; I have not tested this yet).
  • Right-click the FFD and choose 'Properties' -> 'Security' -> 'Advanced', then select the 'Auditing' tab.
  • Click 'Add' and type the name(s) of the group or user you want to audit; to audit every user, including administrators, type Everyone. Click 'Check Names' to make sure the group or user is found, then click OK.
  • Make sure the drop-down list is set to 'This folder, subfolders and files' if you want to audit every file and folder contained in this FFD; otherwise choose the option that suits you.
  • Select the access types you want to audit from the tick boxes below. The most common choice is 'Delete subfolders and files' and 'Delete', ticked in the 'Successful' column.
  • DO NOT tick 'Apply these auditing entries to objects and/or containers within this container only'. That option stops the entry being propagated below the immediate children, so the auditing will not reach the rest of the directory tree and the 'This folder, subfolders and files' choice above is defeated.
  • If you have applied this auditing to a file or folder, clear the checkbox 'Allow inheritable auditing entries from parent to propagate to this object and all child objects. Include these with entries explicitly defined here.' This only removes audit entries inherited from parent folders so that just the entry you defined applies; the new entry works either way. If you are applying it to a drive there is no parent object, so the option is not shown.
  • Click OK on all open dialog boxes; auditing is now enabled!
Provided you've followed these steps (and I haven't fouled anything up, it is late after all) you should see some new events in the Security log in Event Viewer.
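The same audit entry can be set from the command line, which is handy when you have more than one share to do or want to check what the GUI actually wrote. The script below is an added example, not part of the original post: it puts the entry described in the steps above onto a single folder from an elevated PowerShell prompt. The folder path is a placeholder, and it assumes 'Audit Object Access' (Success) is already in effect on the server through the GPO.

```powershell
# Added example, not code from the original post. Adds the audit entry the GUI
# steps above produce to one folder. Run from an elevated PowerShell session.
# Assumes the folder exists and that the GPO has enabled 'Audit Object Access'.

$Path = 'D:\Shares\Finance'    # placeholder: the folder you want to audit

# -Audit reads the SACL (the 'Auditing' tab) as well as the DACL; this needs
# the SeSecurityPrivilege that local administrators hold.
$acl = Get-Acl -Path $Path -Audit

# Who to audit, which rights, and how far down the tree the entry applies
$identity    = 'Everyone'   # every user, administrators included
$rights      = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$inheritance = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # 'This folder, subfolders and files'
$propagation = [System.Security.AccessControl.PropagationFlags]::None   # NOT NoPropagateInherit, which is the 'within this container only' box
$outcome     = [System.Security.AccessControl.AuditFlags]::Success      # only 'Successful' deletes, as in the post

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $identity, $rights, $inheritance, $propagation, $outcome
$acl.AddAuditRule($rule)

# Optional, the equivalent of clearing the inheritance checkbox in the post:
# stop inheriting audit entries from parent folders and drop the inherited ones.
$acl.SetAuditRuleProtection($true, $false)

Set-Acl -Path $Path -AclObject $acl

# Check the result: the new entry should appear with IsInherited = False
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, PropagationFlags, IsInherited |
    Format-Table -AutoSize

# Check the policy side too (Windows Server 2008 and later): the File System
# subcategory under Object Access must report 'Success' or nothing is logged.
auditpol /get /subcategory:"File System"
```

The last line is the quickest way to find out whether the GPO has actually applied on the server; if it reports 'No Auditing', the SACL you just set is correct but no events will be written until the policy refreshes.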

The main event you're looking for on Windows Server 2003 is:
Type: Success Audit
Category: Object Access
Event ID: 560 (Object Open)

This gives you the username, time and date, and the file or folder that was opened, together with the access requested; a delete shows DELETE in the Accesses field. The deletion itself is recorded as Event ID 564 (Object Deleted), which carries only the Handle ID and Process ID, so match its Handle ID against the preceding 560 to name the file. On Windows Server 2008 and later the equivalents are 4656 (handle requested), 4663 (object access, including the access mask) and 4660 (object deleted), correlated the same way through the Handle ID. Object access auditing is verbose, so raise the maximum size of the Security log (this can also be set through Group Policy) before you rely on it.
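Reading these events by hand in Event Viewer gets tedious quickly, and the deletion event does not name the file on its own. The script below is an added example, not part of the original post: it pulls the successful Object Access events from the Security log and joins each 4660 (object deleted) to the 4663 for the same handle to report who deleted which file. It is written for Windows Server 2008 and later (the 560/564 pair on Windows Server 2003 is the same idea); the computer name and the time window are assumptions you can change.

```powershell
# Added example, not code from the original post. Lists file deletions recorded
# by object access auditing on Windows Server 2008 and later by correlating
# 4663 (access exercised, carries the file name and access mask) with
# 4660 (object deleted, carries only the handle). Run elevated, or as a member
# of Event Log Readers. Defaults below are placeholders.

param(
    [string]$ComputerName = $env:COMPUTERNAME,   # placeholder: the local server
    [int]$Hours = 24                              # placeholder: how far back to look
)

$DELETE = 0x10000   # the DELETE bit of the Win32 access mask

$filter = @{
    LogName   = 'Security'
    Id        = 4663, 4660
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
          Sort-Object RecordId     # oldest first, so a handle's 4663 is seen before its 4660
if (-not $events) { Write-Warning "No 4663/4660 events in the last $Hours hours on $ComputerName" }

function Get-EventData {
    # Flatten the <EventData><Data Name="..."> elements of one event into a hashtable
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

$pending = @{}   # HandleId -> details of a handle on which DELETE was exercised
$deleted = foreach ($e in $events) {
    $d = Get-EventData -Event $e
    switch ($e.Id) {
        4663 {
            # Keep only file accesses that used the DELETE right (mask is a hex string such as 0x10000)
            if ($d['ObjectType'] -eq 'File' -and (([int]$d['AccessMask']) -band $DELETE)) {
                $pending[$d['HandleId']] = [pscustomobject]@{
                    User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    File    = $d['ObjectName']
                    Process = $d['ProcessName']
                }
            }
        }
        4660 {
            # 4660 has no file name; join it to the 4663 for the same handle
            $h = $d['HandleId']
            if ($pending.ContainsKey($h)) {
                $o = $pending[$h]
                $pending.Remove($h)   # handle IDs are reused, so consume the match
                [pscustomobject]@{
                    Time     = $e.TimeCreated
                    Computer = $e.MachineName
                    User     = $o.User
                    File     = $o.File
                    Process  = $o.Process
                }
            }
        }
    }
}

$deleted | Sort-Object Time | Format-Table -AutoSize
```

Handle IDs are reused once a handle is closed, which is why the script walks the log oldest-first and drops each match as soon as it is consumed; a 4663 with the DELETE bit but no following 4660 is a file that was opened for deletion and then not deleted, which is worth keeping in mind when someone insists they never touched the folder.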

In an upcoming article I'll expand on this to show how you can audit Public Folders within Exchange.

Thanks for reading!