11/7/2019 Windows File Server Auditing
We can configure file access auditing in Windows Server 2016 so that events are logged every time a specified user or group successfully accesses or attempts and fails to access a specified file or folder. This post will show you how to configure file access auditing in Windows Server 2016. May 31, 2017 Scenario: File Access Auditing.; 3 minutes to read; In this article. Applies To: Windows Server 2016, Windows Server 2012 R2, Windows Server 2012. Security Auditing is one of the most powerful tools to help maintain the security of an enterprise. One of the key goals of security audits is regulatory compliance.
Learning has never been so easy!
Windows Server 2008 and 2008 R2 have been one of the most widely deployed servers in the project setups where they are used for supporting collaborative work environments. However, because of the very nature of these kinds of setup where multiple resources have access to the same objects, assigning responsibility for user actions become utmost important.
This can be ensured by auditing all User actions related to file and folder access. In this guide, we are going to see how we can enable auditing on Windows Server 2008 and 2008R2. On Windows Server 2008 and 2008 R2, auditing file and folder accesses consists of two parts. 3 Steps totalStep 1: Enable File and Folder auditing
Enabling File and Folder auditing
It can be done in two ways :
a) Through Group Policy (for Domains, Sites and Organizational Units) b) Local Security policy (for single Servers) Step 2: Enable auditing for object access
To enable auditing for object access on a MS Windows Server 2008, follow these steps :
A) Open Group Policy Management Console.
B) Go to the concerned domain and expand the node against it C) Go to the Group Policy Objects and right - click on it D) Select New from the popup menu E) In the New GPO dialog box, enter the name of the new GPO and click ‘Ok' F) Right-click on the newly created GPO and select ‘Edit’ from the pop-up menu G) The Group Policy Management Editor window opens up H) Go to Computer Configuration ► Policies ► Windows Settings ► Security Settings ► Local Policies ► Audit Policies I) In the right-pane, the list of all policies is displayed
(i) Audit Account Logon Events
(ii) Audit Account Management (iii) Audit Directory Service Access (iv) Audit Logon Events (v) Audit Object Access (vi) Audit Policy Change (vii) Audit Privilege Use (viii) Audit Process Tracking (ix) Audit system Events
J) Go to the policy for which you want to define settings. If you define settings for all policies, a lot of logs will be generated
K) Double-click on the policy for which you want to define the settings L) In the Properties dialog box that opens up, select Success/Failure or both M) Click on ‘Ok’ to close the window N) Next, you need to apply this policy on the DC. Go to RUN command and type: gpupdate/force/boot/logoff and click ‘Ok’ O) Gpupdate command prompt opens up and a message is displayed: “Updating Policy ..” Step 3: Select specific Folder and define Users
After the policy has been applied, the next thing is to select Files and Folders and which Users’ actions are to be audited
To select specific Folder and define Users, follow these steps :
a) Go to Windows Explorer
b) Right-click on it and select Properties c) In the Properties dialog box, select the Security tab and click on ‘Advanced’ d) In the Advanced Security Settings dialog box, select the Auditing tab e) Click on the ‘Add..’ button. f) In the Select User or Group dialog, enter names of Users whose accesses are to be audited g) Select ‘Everyone’ to audit access attempts by all Users. Click on ‘OK’ h) Auditing Entry for Accounts dialog box opens up I) Select the type of accesses to be audited. Successful access/Failed access or both can be selected j) Click ‘Ok’ and ‘Apply’ to save the settings
From this point onwards, all the access attempts to this particular folder by all Users would be recorded on the DC. To view these event logs use Windows event viewer.
References
4 Comments
Recently, I helped a customer achieve two objectives:
Windows File Server Auditing File Delete
I thought I would share this in case you found yourself wanting to do something similar.
A word of caution, though: Due to the wide scope of what can be audited and to the degree in which the information can be logged, it is very important that you first establish the audit objectives for your company as a whole and your department in particular. These objectives will also be influenced by the country you are in and any industry affiliation. Decisions will also have to be made regarding the retention policies of your audit logs.
Environment Overview
My lab setup consists of two domain controllers and a file server, all running Windows Server 2008 R2 and a Windows 7 workstation.
The Audit policy is configured within a Group Policy Object and linked to the Organizational Unit that contains the computer object of RootMS01.
The file server hosts the file shares, folders and files I will be setting up the Audit System Access Control List (SACL) on.
A few caveats:
Enable Audit Policy
1. Create a Group Policy Object and name it something to the effect of File Server Audit Policy
2. Edit the GPO, browse to Computer ConfigurationWindows SettingsSecurity SettingsAdvanced Audit Policy ConfigurationAudit Policies and define the following Audit Policy settings
The settings below are from the WS2008R2SP1 Member Server Security Compliance baseline of the Security Compliance Manager (SCM) - http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx with the exception of Object Access: File System which I enabled for Success
3. Also remember to set the following settings as well under Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options -
a. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to Enabled
b. Audit: Shut down system immediately if unable to log security audits to Disabled
Event Log Size
You may need to increase the size of the Security event log to accommodate the new events generated configure the following group policy settings. This can be done with the policy setting Computer ConfigurationAdministrative TemplatesWindows ComponentsEvent Log ServiceSecurity - Maximum Log Size (KB). For maximum supported sizes see http://support.microsoft.com/kb/957662
Note: if you wish to archive old events, set Retain old events to Enabled and Backup log automatically when full to Enabled. By doing so, the event log file is automatically closed and renamed when it is full and a new file is then started. If you do not wish to retain old events, set Retain old events to Disabled.
Set up Audit System Access Control List (SACL)
The critical part is setting up the right amount of auditing for the right security principal and for the right resources. The image below shows the folder structure for which I will be setting up the audit entries:
I created an entry for UserHomeFolder that applies to the folder, subfolders and files, for the Builtin Administrators group for all accesses.
The rationale behind this is that since the users have exclusive rights to their home folders, besides them, only members of the local administrators group would have the ability to read or modify the contents of the folders.
Sample events
Here’s a selection of some of the types of events you can expect to see with auditing enabled:
Security Event Cleared
Log Name: Security
Source: Microsoft-Windows-Eventlog Date: 8/14/2013 7:59:09 AM Event ID: 1102 Task Category: Log clear Level: Information Keywords: Audit Success User: N/A Computer: RootMS01.Reskit.com Description: The audit log was cleared. Subject: Security ID: RESKITBWayne Account Name: BWayne Domain Name: RESKIT Logon ID: 0x871de Ownership of File Taken
Log Name: Security
Source: Microsoft-Windows-Security-Auditing Date: 8/14/2013 1:39:46 AM Event ID: 4663 Task Category: File System Level: Information Keywords: Audit Success User: N/A Computer: RootMS01.Reskit.com Description: An attempt was made to access an object. Subject: Security ID: RESKITpparker Account Name: pparker Account Domain: RESKIT Logon ID: 0x1119f6 Object: Object Server: Security Object Type: File Object Name: C:SharesUserHomeFolderBWayneBusinessProposal.txt Handle ID: 0x290 Process Information: Process ID: 0x7cc Process Name: C:WindowsSystem32dllhost.exe Access Request Information: Accesses: WRITE_OWNER Access Mask: 0x80000 Security ACL on File Modified
Log Name: Security
Source: Microsoft-Windows-Security-Auditing Date: 8/14/2013 1:41:39 AM Event ID: 4663 Task Category: File System Level: Information Keywords: Audit Success User: N/A Computer: RootMS01.Reskit.com Description: An attempt was made to access an object. Subject: Security ID: RESKITpparker Account Name: pparker Account Domain: RESKIT Logon ID: 0x1119f6 Object: Object Server: Security Object Type: File Object Name: C:SharesUserHomeFolderBWayneBusinessProposal.txt Handle ID: 0x360 Process Information: Process ID: 0x730 Process Name: C:WindowsSystem32dllhost.exe Access Request Information: Accesses: WRITE_DAC Access Mask: 0x40000 Generic File Read
Log Name: Security
Source: Microsoft-Windows-Security-Auditing Date: 8/14/2013 1:51:48 AM Event ID: 4663 Task Category: File System Level: Information Keywords: Audit Success User: N/A Computer: RootMS01.Reskit.com Description: An attempt was made to access an object. Subject: Security ID: RESKITpparker Account Name: pparker Account Domain: RESKIT Logon ID: 0x17235b Object: Object Server: Security Object Type: File Object Name: C:SharesUserHomeFolderBWayneBusinessProposal.txt Handle ID: 0x1b4 Process Information: Process ID: 0x2f8 Process Name: C:WindowsSystem32dllhost.exe Access Request Information: Accesses: READ_CONTROL Access Mask: 0x20000 Run scripts to report on 4663 events
The PowerShell script below queries the Security event log on one or more servers for events with id 4663. This event documents actual operations performed against files and other objects for which auditing is enabled in the Security tab. The script also lists the name of the object and the bitwise equivalent of the permissions were actually exercised.
Windows File Server Auditor
Save the code below to a file with the .ps1 extension. On the first line, replace machine names with the names of your fileservers. And on the last line, replace the output file and folder name.
$server = 'RootMS01','RootDC01'
$out = New-Object System.Text.StringBuilder $out.AppendLine('ServerName,EventID,TimeCreated,UserName,File_or_Folder,AccessMask') $ns = @{e = 'http://schemas.microsoft.com/win/2004/08/events/event'} foreach ($svr in $server) { $evts = Get-WinEvent -computer $svr -FilterHashtable @{logname='security';id='4663'} -oldest
foreach($evt in $evts)
{ $xml = $evt.ToXml()
$SubjectUserName = Select-Xml -Xml $xml -Namespace $ns -XPath '//e:Data[@Name='SubjectUserName']/text()' | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value
$ObjectName = Select-Xml -Xml $xml -Namespace $ns -XPath '//e:Data[@Name='ObjectName']/text()' | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value
$AccessMask = Select-Xml -Xml $xml -Namespace $ns -XPath '//e:Data[@Name='AccessMask']/text()' | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value
$out.AppendLine('$($svr),$($evt.id),$($evt.TimeCreated),$SubjectUserName,$ObjectName,$AccessMask')
Write-Host $svr
Write-Host $evt.id,$evt.TimeCreated,$SubjectUserName,$ObjectName,$AccessMask
}
} $out.ToString() | out-file -filepath C:Temp4663Events.csv
Here’s some typical output:
You can use the table below (taken from http://msdn.microsoft.com/en-us/library/windows/desktop/aa822867(v=vs.85).aspx ) to interpret the AccessMask values to the file and directory access rights.
Remember to also report on the following events:
Setting up Custom Views in Event Viewer
You can create a filter that includes events from multiple event logs that satisfy specified criteria. You can then name and save that filter as a custom view. To apply the filter associated with a saved custom view, you navigate to the custom view in the console tree and click its name. See http://technet.microsoft.com/en-us/library/cc709635.aspx for steps on how to create a Custom View.
As an example, the following filter looks for file access events by a user with sAMAccountName pparker:
<QueryList>
<Query Path='Security'> <Select Path='Security'> *[System[(EventID=4663)]] and *[EventData[Data[@Name='SubjectUserName'] and (Data='pparker')]] </Select> </Query> </QueryList> Final Thoughts
1. If you need to set up audit SACLs on a large number of files, Global Object Access Auditing lets you create System Access Control Lists (SACL) for the entire computer, based on file and registry. See http://blogs.technet.com/b/askds/archive/2011/03/10/global-object-access-auditing-is-magic.aspx for more information
2. Enabling Object Access: File Share audit policy will generate very helpful 5145 events like the one below:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing Date: 8/14/2013 2:08:25 AM Event ID: 5145 Task Category: Detailed File Share Level: Information Keywords: Audit Success User: N/A Computer: RootMS01.Reskit.com Description: A network share object was checked to see whether client can be granted desired access. Subject: Security ID: RESKITAdministrator Account Name: Administrator Account Domain: RESKIT Logon ID: 0x49199 Network Information: Object Type: File Source Address: 10.10.10.11 Source Port: 61361 Share Information: Share Name: *Shares Share Path: ??C:Shares Relative Target Name: UserHomeFolderLSkywalkerProjects.txt Access Request Information: Access Mask: 0x120089 Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) ReadEA ReadAttributes Access Check Results: READ_CONTROL: Granted by Ownership SYNCHRONIZE: Granted by D:(A;;FA;;;WD) ReadData (or ListDirectory): Granted by D:(A;;FA;;;WD) ReadEA: Granted by D:(A;;FA;;;WD)
However, since there are no SACLs for shares, once this setting is enabled, access to all shares on the system will be audited and a large volume of these events will be generated.
Windows Ftp Server
3. A backup job running under the context of a local administrator on the file server will also generate a large volume of 4663 events. The command AuditPol /Set /User:ReskitBackupAcct /Subcategory:”File System” /Success:Enable /Exclude can be used for a user-level exclusion. However this setting is not honored for users who are members of the Administrators local group.
Windows File Server Enable Auditing
Posted by Tristan Kington, MSPFE Editor, only I never done it, I only said I done it.
Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |