
If you use file servers to store and share data among multiple users, auditing is very important for data security. Windows file system auditing lets you track and monitor who accesses and reads files. The file access log helps you find what data an attacker tried to access and steal.

In this tutorial, we will show you how to enable Windows file system auditing and track the files.

Enable Audit Policy

You can enable the audit policy on the domain or local system. In this section, we will show you how to enable the audit policy on the local system.

Follow the steps below to enable the audit policy.

Step 1 : Press Windows + R and type gpedit.msc in the Run dialog box as shown below:

Step 2 : Click on the OK button to launch the local group policy editor:

Step 3 : In the left pane, navigate to “Computer Configuration” => “Windows Settings” => “Security Settings” => “Local Policies” => “Audit Policy”. You should see all available policies in the right pane:

Step 4 : Double-click the “Audit object access” policy to open its “Properties” as shown below:

Step 5 : Select the “Success” and “Failure” check boxes, then click the Apply and OK buttons to close the window.

Step 6 : Next, update the Group Policy settings by running the “gpupdate /force” command from the Run dialog:

Apply Audit Policy on the File or Folder that You Want to Track

Next, you will need to apply the audit policy to the file or folder that you want to track. Follow the steps below to apply the audit policy:

Step 1 : Open “Windows Explorer” and navigate to the file or folder that you want to audit.
Step 2 : Right-click the folder and select “Properties” from the context menu. The properties window appears on the screen.

Step 3 : On the Security tab, click Advanced. You should see the following screen:

Step 4 : On the Auditing tab, click Continue. You should see the following screen:

Step 5 : Now, you will need to add a new audit policy. Click on the Add button. You should see the following screen:

Step 6 : Click “Select a principal”. You should see the following screen:

Step 7 : Add the users that you want to track and click the OK button. You should see the following screen:

Step 8 : Select “All” in the Type field, select “This folder, subfolders and files” in the “Applies to” field, then select the appropriate permissions and click the OK button to close the “Auditing Entry for File Access auditing” window.

Step 9 : Click “Apply” and “OK” to close the window. Click “Apply” and “OK” to close file properties.

Track Files with Windows Event Viewer

At this point, the file auditing policy is set up on the folder. Now you can track file changes using the Event Viewer.

Open the Windows Event Viewer and navigate to “Windows Logs” => “Security”. You can also use the “Filter Current Log” option to find the relevant events. For example, if anyone opens the file, event ID 4663 will be logged. You can see all event IDs in the following screen:

Double-click the first event. You should see the file access log in the following screen:
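The three procedures above (enable the audit policy, add an auditing entry on the folder, read event ID 4663) can also be scripted. The following PowerShell is an added example, not part of the original tutorial; the folder path `D:\Shares\Finance` and the principal `Everyone` are assumed placeholders.

```powershell
# Run from an elevated PowerShell session: changing a SACL and reading
# the Security log both require administrative rights.
# Assumed placeholders (not from the tutorial): folder path and audited principal.
$Path      = 'D:\Shares\Finance'
$Principal = 'Everyone'

# 1. Command-line equivalent of enabling "Audit object access" for
#    Success and Failure. The category name is localized; this is the English name.
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# 2. Add an auditing entry (SACL) that applies to this folder, subfolders and files.
$acl  = Get-Acl -Path $Path -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Principal, 'Read, Write, Delete',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 3. Read event ID 4663 from the last hour and decode the AccessMask field.
#    File access-right bits as defined by the Windows API.
$rights = @{
    0x1 = 'ReadData';  0x2 = 'WriteData';  0x4 = 'AppendData'
    0x40 = 'DeleteChild';  0x10000 = 'Delete'
    0x40000 = 'WriteDAC';  0x80000 = 'WriteOwner'
}
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }

# -ErrorAction SilentlyContinue: Get-WinEvent raises an error when nothing matches.
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_
    $d = @{}   # EventData fields by name (SubjectUserName, ObjectName, AccessMask, ...)
    ([xml]$evt.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }

    # 4663 is logged for every audited object; keep only the audited folder tree.
    if (-not ([string]$d.ObjectName).StartsWith($Path, [StringComparison]::OrdinalIgnoreCase)) { return }

    $mask = [Convert]::ToInt32($d.AccessMask, 16)
    [pscustomobject]@{
        Time    = $evt.TimeCreated
        User    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
        Process = $d.ProcessName
        Object  = $d.ObjectName
        Access  = ($rights.GetEnumerator() | Where-Object { $mask -band $_.Key } |
                   Sort-Object Key | ForEach-Object Value) -join ', '
    }
} | Format-Table -AutoSize
```

Auditing read access for a broad principal on a busy share produces a large number of 4663 events, so check the Security log's maximum size and retention before relying on it.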

Track and Monitor Events with Lepide File Server Auditor

You can also use Lepide File Server Auditor for auditing, reporting and alerting on file server changes and permission changes to protect data and detect threats.

Windows does not organize the audited data into a readable and actionable format. Doing this manually is a time-consuming and complex process, so it is recommended to use a dedicated file system auditing tool such as Lepide File Server Auditor.

Conclusion

In the above guide, you learned how to audit files and directories and track changes with Windows file system auditing. I hope you can now implement this solution easily on the domain controller.