Enable Audit Policy
1. Create a Group Policy Object and name it something to the effect of File Server Audit Policy
2. Edit the GPO, browse to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\ and define the following Audit Policy settings
The settings below are from the WS2008R2SP1 Member Server Security Compliance baseline of the Security Compliance Manager (SCM) - http://technet.microsoft.com/en-us/solutionaccelerators/cc835245.aspx with the exception of Object Access: File System which I enabled for Success
AUDIT POLICY
VALUE
Account Logon: Credential Validation
Success and Failure
Account Logon: Kerberos Authentication Service
No Auditing
Account Logon: Kerberos Service Ticket Operations
No Auditing
Account Logon: Other Account Logon Events
No Auditing
Account Management: Application Group Management
No Auditing
Account Management: Computer Account Management
Success
Account Management: Distribution Group Management
No Auditing
Account Management: Other Account Management Events
Success and Failure
Account Management: Security Group Management
Success and Failure
Account Management: User Account Management
Success and Failure
Detailed Tracking: DPAPI Activity
No Auditing
Detailed Tracking: Process Creation
Success
Detailed Tracking: Process Termination
No Auditing
Detailed Tracking: RPC Events
No Auditing
DS Access: Detailed Directory Service Replication
No Auditing
DS Access: Directory Service Access
No Auditing
DS Access: Directory Service Changes
No Auditing
DS Access: Directory Service Replication
No Auditing
Logon-Logoff: Account Lockout
No Auditing
Logon-Logoff: IPsec Extended Mode
No Auditing
Logon-Logoff: IPsec Main Mode
No Auditing
Logon-Logoff: IPsec Quick Mode
No Auditing
Logon-Logoff: Logoff
Success
Logon-Logoff: Logon
Success and Failure
Logon-Logoff: Network Policy Server
No Auditing
Logon-Logoff: Other Logon/Logoff Events
No Auditing
Logon-Logoff: Special Logon
Success
Object Access: Application Generated
No Auditing
Object Access: Certification Services
No Auditing
Object Access: Detailed File Share
No Auditing
Object Access: File Share
No Auditing
Object Access: File System
Success
Object Access: Filtering Platform Connection
No Auditing
Object Access: Filtering Platform Packet Drop
No Auditing
Object Access: Handle Manipulation
No Auditing
Object Access: Kernel Object
No Auditing
Object Access: Other Object Access Events
No Auditing
Object Access: Registry
No Auditing
Object Access: SAM
No Auditing
Policy Change: Audit Policy Change
Success and Failure
Policy Change: Authentication Policy Change
Success
Policy Change: Authorization Policy Change
No Auditing
Policy Change: Filtering Platform Policy Change
No Auditing
Policy Change: MPSSVC Rule-Level Policy Change
No Auditing
Policy Change: Other Policy Change Events
No Auditing
Privilege Use: Non Sensitive Privilege Use
No Auditing
Privilege Use: Other Privilege Use Events
No Auditing
Privilege Use: Sensitive Privilege Use
Success and Failure
System: IPsec Driver
Success and Failure
System: Other System Events
No Auditing
System: Security State Change
Success and Failure
System: Security System Extension
Success and Failure
System: System Integrity
Success and Failure
3. Also remember to set the following settings as well under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options -
a. Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to Enabled
b. Audit: Shut down system immediately if unable to log security audits to Disabled
Event Log Size
You may need to increase the size of the Security event log to accommodate the new events generated configure the following group policy settings. This can be done with the policy setting Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security - Maximum Log Size (KB). For maximum supported sizes see http://support.microsoft.com/kb/957662Note: if you wish to archive old events, set Retain old events to Enabled and Backup log automatically when full to Enabled. By doing so, the event log file is automatically closed and renamed when it is full and a new file is then started. If you do not wish to retain old events, set Retain old events to Disabled.
Set up Audit System Access Control List (SACL)
The critical part is setting up the right amount of auditing for the right security principal and for the right resources. The image below shows the folder structure for which I will be setting up the audit entries:
I created an entry for UserHomeFolder that applies to the folder, subfolders and files, for the Builtin Administrators group for all accesses.
The rationale behind this is that since the users have exclusive rights to their home folders, besides them, only members of the local administrators group would have the ability to read or modify the contents of the folders.
Sample events
Here’s a selection of some of the types of events you can expect to see with auditing enabled:Security Event Cleared
Log Name: SecuritySource: Microsoft-Windows-Eventlog
Date: 8/14/2013 7:59:09 AM
Event ID: 1102
Task Category: Log clear
Level: Information
Keywords: Audit Success
User: N/A
Computer: RootMS01.Reskit.com
Description:
The audit log was cleared.
Subject:
Security ID: RESKIT\BWayne
Account Name: BWayne
Domain Name: RESKIT
Logon ID: 0x871de
Ownership of File Taken
Log Name: SecuritySource: Microsoft-Windows-Security-Auditing
Date: 8/14/2013 1:39:46 AM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: RootMS01.Reskit.com
Description:
An attempt was made to access an object.
Subject:
Security ID: RESKIT\pparker
Account Name: pparker
Account Domain: RESKIT
Logon ID: 0x1119f6
Object:
Object Server: Security
Object Type: File
Object Name: C:\Shares\UserHomeFolder\BWayne\BusinessProposal.txt
Handle ID: 0x290
Process Information:
Process ID: 0x7cc
Process Name: C:\Windows\System32\dllhost.exe
Access Request Information:
Accesses: WRITE_OWNER
Access Mask: 0x80000
Security ACL on File Modified
Log Name: SecuritySource: Microsoft-Windows-Security-Auditing
Date: 8/14/2013 1:41:39 AM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: RootMS01.Reskit.com
Description:
An attempt was made to access an object.
Subject:
Security ID: RESKIT\pparker
Account Name: pparker
Account Domain: RESKIT
Logon ID: 0x1119f6
Object:
Object Server: Security
Object Type: File
Object Name: C:\Shares\UserHomeFolder\BWayne\BusinessProposal.txt
Handle ID: 0x360
Process Information:
Process ID: 0x730
Process Name: C:\Windows\System32\dllhost.exe
Access Request Information:
Accesses: WRITE_DAC
Access Mask: 0x40000
Generic File Read
Log Name: SecuritySource: Microsoft-Windows-Security-Auditing
Date: 8/14/2013 1:51:48 AM
Event ID: 4663
Task Category: File System
Level: Information
Keywords: Audit Success
User: N/A
Computer: RootMS01.Reskit.com
Description:
An attempt was made to access an object.
Subject:
Security ID: RESKIT\pparker
Account Name: pparker
Account Domain: RESKIT
Logon ID: 0x17235b
Object:
Object Server: Security
Object Type: File
Object Name: C:\Shares\UserHomeFolder\BWayne\BusinessProposal.txt
Handle ID: 0x1b4
Process Information:
Process ID: 0x2f8
Process Name: C:\Windows\System32\dllhost.exe
Access Request Information:
Accesses: READ_CONTROL
Access Mask: 0x20000
Run scripts to report on 4663 events
The PowerShell script below queries the Security event log on one or more servers for events with id 4663. This event documents actual operations performed against files and other objects for which auditing is enabled in the Security tab. The script also lists the name of the object and the bitwise equivalent of the permissions were actually exercised.Save the code below to a file with the .ps1 extension. On the first line, replace machine names with the names of your fileservers. And on the last line, replace the output file and folder name.
$server = "RootMS01","RootDC01" $out = New-Object System.Text.StringBuilder $out.AppendLine("ServerName,EventID,TimeCreated,UserName,File_or_Folder,AccessMask") $ns = @{e = "http://schemas.microsoft.com/win/2004/08/events/event"} foreach ($svr in $server) { $evts = Get-WinEvent -computer $svr -FilterHashtable @{logname="security";id="4663"} -oldestHere’s some typical output:
foreach($evt in $evts) { $xml = [xml]$evt.ToXml()
$SubjectUserName = Select-Xml -Xml $xml -Namespace $ns -XPath "//e:Data[@Name='SubjectUserName']/text()" | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value
$ObjectName = Select-Xml -Xml $xml -Namespace $ns -XPath "//e:Data[@Name='ObjectName']/text()" | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value
$AccessMask = Select-Xml -Xml $xml -Namespace $ns -XPath "//e:Data[@Name='AccessMask']/text()" | Select-Object -ExpandProperty Node | Select-Object -ExpandProperty Value
$out.AppendLine("$($svr),$($evt.id),$($evt.TimeCreated),$SubjectUserName,$ObjectName,$AccessMask")
Write-Host $svr Write-Host $evt.id,$evt.TimeCreated,$SubjectUserName,$ObjectName,$AccessMask
} } $out.ToString() | out-file -filepath C:\Temp\4663Events.csv
| ServerName | EventID | TimeCreated | UserName | File_or_Folder | AccessMask |
| RootMS01 | 4663 | 08/14/2013 08:01:09 | BWayne | C:\Shares\UserHomeFolder\LSkywalker\Projects.txt | 0x20000 |
| RootMS01 | 4663 | 08/14/2013 08:01:16 | BWayne | C:\Shares\UserHomeFolder\LSkywalker\Projects.txt | 0x80 |
| RootMS01 | 4663 | 08/14/2013 08:01:16 | BWayne | C:\Shares\UserHomeFolder\LSkywalker\Projects.txt | 0x20000 |
| RootMS01 | 4663 | 08/14/2013 08:01:19 | BWayne | C:\Shares\UserHomeFolder\LSkywalker\Projects.txt | 0x80 |
| RootMS01 | 4663 | 08/14/2013 08:01:19 | BWayne | C:\Shares\UserHomeFolder\LSkywalker\Projects.txt | 0x20000 |
| RootMS01 | 4663 | 08/16/2013 11:39:37 | Administrator | C:\Shares\UserHomeFolder\BWayne | 0x20000 |
| RootMS01 | 4663 | 08/16/2013 11:39:55 | Administrator | C:\Shares\UserHomeFolder\BWayne\New Text Document.txt | 0x20000 |
| RootMS01 | 4663 | 08/16/2013 11:40:05 | Administrator | C:\Shares\UserHomeFolder\BWayne\New Text Document.txt | 0x10000 |
| RootMS01 | 4663 | 08/20/2013 10:58:34 | Administrator | C:\Shares\UserHomeFolder\BWayne | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 10:59:08 | Administrator | C:\Shares\UserHomeFolder\LSkywalker | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 10:59:23 | Administrator | C:\Shares\UserHomeFolder\BWayne | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 10:59:23 | Administrator | C:\Shares\UserHomeFolder\BWayne | 0x80 |
| RootMS01 | 4663 | 08/20/2013 10:59:23 | Administrator | C:\Shares\UserHomeFolder\BWayne | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 10:59:23 | Administrator | C:\Shares\UserHomeFolder\BWayne | 0x1 |
| RootMS01 | 4663 | 08/20/2013 10:59:23 | Administrator | C:\Shares\UserHomeFolder\BWayne | 0x40000 |
| RootMS01 | 4663 | 08/20/2013 11:00:12 | Administrator | C:\Shares\UserHomeFolder\LSkywalker\Projects.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:01:15 | PParker | C:\Shares\UserHomeFolder\LSkywalker\Projects.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:01:15 | PParker | C:\Shares\UserHomeFolder\LSkywalker\Projects.txt | 0x1 |
| RootMS01 | 4663 | 08/20/2013 11:02:19 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x80000 |
| RootMS01 | 4663 | 08/20/2013 11:02:22 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:02:24 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:02:36 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:02:37 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:02:39 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:02:53 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:02:53 | PParker | C:\Shares\UserHomeFolder\BWayne | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:02:53 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x40000 |
| RootMS01 | 4663 | 08/20/2013 11:02:53 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:02:56 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:02:56 | PParker | C:\Shares\UserHomeFolder\BWayne\HRStuff.txt | 0x1 |
| RootMS01 | 4663 | 08/20/2013 11:36:07 | Administrator | C:\Shares\UserHomeFolder\LSkywalker\Projects.txt | 0x20000 |
| RootMS01 | 4663 | 08/20/2013 11:38:43 | Administrator | C:\Shares\UserHomeFolder\LSkywalker | 0x20000 |
| RootDC01 | Administrator | C:\Shares\UserHomeFolder\LSkywalker | 0x20000 |
You can use the table below (taken from http://msdn.microsoft.com/en-us/library/windows/desktop/aa822867(v=vs.85).aspx ) to interpret the AccessMask values to the file and directory access rights.
| AccessMask Value | Constant | Description |
| 0 (0x0) | FILE_READ_DATA | Grants the right to read data from the file. |
| 0 (0x0) | FILE_LIST_DIRECTORY | Grants the right to read data from the file. For a directory, this value grants the right to list the contents of the directory. |
| 1 (0x1) | FILE_WRITE_DATA | Grants the right to write data to the file. |
| 1 (0x1) | FILE_ADD_FILE | Grants the right to write data to the file. For a directory, this value grants the right to create a file in the directory. |
| 4 (0x4) | FILE_APPEND_DATA | Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory. |
| 4 (0x4) | FILE_ADD_SUBDIRECTORY | Grants the right to append data to the file. For a directory, this value grants the right to create a subdirectory. |
| 8 (0x8) | FILE_READ_EA | Grants the right to read extended attributes. |
| 16 (0x10) | FILE_WRITE_EA | Grants the right to write extended attributes. |
| 32 (0x20) | FILE_EXECUTE | Grants the right to execute a file. |
| 32 (0x20) | FILE_TRAVERSE | Grants the right to execute a file. For a directory, the directory can be traversed. |
| 64 (0x40) | FILE_DELETE_CHILD | Grants the right to delete a directory and all the files it contains (its children), even if the files are read-only. |
| 128 (0x80) | FILE_READ_ATTRIBUTES | Grants the right to read file attributes. |
| 256 (0x100) | FILE_WRITE_ATTRIBUTES | Grants the right to change file attributes. |
| 65536 (0x10000) | DELETE | Grants the right to delete the object. |
| 131072 (0x20000) | READ_CONTROL | Grants the right to read the information in the security descriptor for the object. |
| 262144 (0x40000) | WRITE_DAC | Grants the right to modify the DACL in the object security descriptor for the object. |
| 524288 (0x80000) | WRITE_OWNER | Grants the right to change the owner in the security descriptor for the object. |
| 1048576 (0x100000) | SYNCHRONIZE | Grants the right to use the object for synchronization. |
- 4670 (Authorization Policy Change)
- 4907 (Audit Policy Change), and
- 1102 (Log clear)
Setting up Custom Views in Event Viewer
You can create a filter that includes events from multiple event logs that satisfy specified criteria. You can then name and save that filter as a custom view. To apply the filter associated with a saved custom view, you navigate to the custom view in the console tree and click its name. See http://technet.microsoft.com/en-us/library/cc709635.aspx for steps on how to create a Custom View.As an example, the following filter looks for file access events by a user with sAMAccountName pparker:
Final Thoughts
1. If you need to set up audit SACLs on a large number of files, Global Object Access Auditing lets you create System Access Control Lists (SACL) for the entire computer, based on file and registry. See http://blogs.technet.com/b/askds/archive/2011/03/10/global-object-access-auditing-is-magic.aspx for more information2. Enabling Object Access: File Share audit policy will generate very helpful 5145 events like the one below:
Log Name: SecurityHowever, since there are no SACLs for shares, once this setting is enabled, access to all shares on the system will be audited and a large volume of these events will be generated.
Source: Microsoft-Windows-Security-Auditing
Date: 8/14/2013 2:08:25 AM
Event ID: 5145
Task Category: Detailed File Share
Level: Information
Keywords: Audit Success
User: N/A
Computer: RootMS01.Reskit.com
Description:
A network share object was checked to see whether client can be granted desired access.
Subject:
Security ID: RESKIT\Administrator
Account Name: Administrator
Account Domain: RESKIT
Logon ID: 0x49199
Network Information:
Object Type: File
Source Address: 10.10.10.11
Source Port: 61361
Share Information:
Share Name: \\*\Shares
Share Path: \??\C:\Shares
Relative Target Name: UserHomeFolder\LSkywalker\Projects.txt
Access Request Information:
Access Mask: 0x120089
Accesses: READ_CONTROL
SYNCHRONIZE
ReadData (or ListDirectory)
ReadEA
ReadAttributes
Access Check Results:
READ_CONTROL: Granted by Ownership
SYNCHRONIZE: Granted by D:(A;;FA;;;WD)
ReadData (or ListDirectory): Granted by D:(A;;FA;;;WD)
ReadEA: Granted by D:(A;;FA;;;WD)
3. A backup job running under the context of a local administrator on the file server will also generate a large volume of 4663 events. The command AuditPol /Set /User:Reskit\BackupAcct /Subcategory:”File System” /Success:Enable /Exclude can be used for a user-level exclusion. However this setting is not honored for users who are members of the Administrators local group.
This comment has been removed by the author.
ReplyDeleteThis comment has been removed by the author.
ReplyDeleteExcellent article, it explanation that how to audit file access on file server. I found good information from https://www.netwrix.com/file_server_auditing.html which provide a way to audit all access events on files/folders and enables the real-time event monitoring to constantly monitor the access events generated on this server. It helps to get all the required the information for entire change.
ReplyDeleteThanks for the blog that covers a wide range of file server auditing
ReplyDeleteThanks to give a valuable information.
ReplyDeletefile server auditing