Configure File Access Auditing in Windows Server 2016

We can configure file access auditing in Windows Server 2016 so that events are logged every time a specified user or group successfully accesses or attempts and fails to access a specified file or folder. This post will show you how to configure file access auditing in Windows Server 2016.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


Configure File Access Auditing

We want to enable the “Audit File System” policy which can be found under Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Security Policy Configuration > Audit Policies > Object Access.

Audit File System Group Policy

This policy audits user attempts to access objects in the file system, and the resulting events can be viewed in Event Viewer. Within the policy we enable it by selecting the check box shown below, and we then have the option of auditing success events, failure events, or both.

Audit File System Properties

While this policy enables file system auditing on the computer that it has been applied to, we still need to enable auditing on a per file or folder basis. We can do this by right clicking a file or folder, selecting properties, and browsing to the security tab.

Folder Properties

Next click advanced, and from the advanced security settings window that opens, select the auditing tab.

Advanced Security Settings

We can now define a user or group that should be audited when they attempt to access this specific folder or file for either success, failure, or both event types. We can also specify if the rule applies to just this file or folder, subfolders, files within subfolders, subfolders only, files only, etc.

Auditing Entry

Toward the bottom we can also add conditions which further limit what we audit.

File Access Auditing Example

In this example I’ve configured a ‘test’ folder on the desktop of the administrator user. Every time any user successfully accesses this folder we want to know about it.

Now if we open the folder, which we have access to, the following event is logged in the security event log with event ID 4663.

Event Viewer File Access Log

We can see the audit success event from when the administrator user accessed the test folder on the desktop, so auditing is working as expected.
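The same procedure can be scripted. The following is an added example, not part of the original post: it enables the File System audit subcategory locally with auditpol (the local equivalent of the Group Policy setting above), adds a success auditing entry to the folder, and reads back the matching 4663 events. The folder path and the 'Everyone' principal are assumptions chosen to match the 'test' folder scenario.

```powershell
# Added example; run from an elevated PowerShell session on the server.
$folder = 'C:\Users\Administrator\Desktop\test'   # assumed path of the 'test' folder

# 1. Enable the "File System" audit subcategory for success and failure.
#    A domain Group Policy that configures this subcategory will override the local value.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# 2. Add an auditing entry (SACL) to the folder: log successful access by any user,
#    applied to this folder, its subfolders and files.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',                                    # assumption: "any user"
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Confirm the auditing entry is present on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags

# 4. After accessing the folder, pull recent 4663 events and keep those for this path.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 200 `
             -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields of the event into a hashtable.
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $data.SubjectUserName
            Object     = $data.ObjectName
            Process    = $data.ProcessName
            AccessMask = $data.AccessMask
        }
    } |
    Where-Object { $_.Object -like "$folder*" } |
    Format-Table -AutoSize
```

If step 4 returns nothing, check that both halves are in place: the subcategory shows Success in step 1 and the entry appears in step 3, since neither setting logs events on its own.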

Summary

We have shown you how to configure file access auditing in Windows Server 2016 by first enabling the appropriate group policy setting, and then by configuring the auditing on a specific file or folder.

