Windows Svr Std 2003 ZH,How to audit File share ?

  • Article

Problem:
======
You would like to know how audit file and folders access

Solution:
======
Step 1: To enable local Windows security auditing
1. Log on to server with an account that has Administrator rights.
2. Click Start, point to Run, and then type "gpedit.msc".
3. Expand Computer Configuration->Windows Settings->Local Policies, and then double-click Audit Policy.
4. In the right pane, double-click the policy "Audit object access".
5. Click the Success (An audited security access attempt that succeeds).
Note: If there server is a domain controller, please open "Domain Controller Security Policy" to do the above settings.

Step 2: To audit the folder objects
1. Open explorer, right click folder/file and choose properties.
2. Click Security tab.
3. Click Advanced button.
4. In the Access Control Settings window, click Auditing Tab.
5. Click Add button to add the users you want to audit and choose to below audit entries.
For example: you want to know who deletes this folder or subfolder and files, then you audit everyone for "Delete" and "Delete Subfolders and Files" events.
6. Close the all windows

Step 3: Check the information in the Event Viewer.
1. Open event viewer.
2. Check the events under security logs. For a permission change, there will event 560 logged.
Tips: First filter the security log to only view the events with ID 560.
Then type the file or folder name if the descript of the find window to locate the exact events. Below is a sample event.

Event Type: Success Audit
Event Source: Security
Event Category: Object
Event ID: 560
User: AAAAdministrator
Computer: AAA
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: E:1New Text Document.txt
Handle ID: 1260
Operation ID: {0,198287}
Process ID: 360
Image File Name: C:WINDOWSexplorer.exe Primary User Name: Administrator Primary Domain: AAA Primary Logon ID: (0x0,0x12C8C) Client User Name: - Client Domain: - Client Logon ID: -
Accesses: DELETE
ReadAttributes
Privileges: -
Restricted Sid Count: 0
Access Mask: 0x10080

Reference:
=========
How To Enable and Apply Security Auditing in Windows 2000 https://support.microsoft.com/kb/300549/en-us