Share via

File server audit

Federico Coppola 1,181 Reputation points
2020-10-11T16:53:16.557+00:00

Hi all,
I need to audit company file servers.
In the company there are three file servers and domain users use them through DFS tecnology.

How can I audit file access, download file from file server and more?

Thanks
Federico

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | Storage high availability | Other
Windows for business | Windows Client for IT Pros | User experience | Other
0 comments
Accepted answer
  1. Vicky Wang 2,741 Reputation points
    2020-10-12T08:51:13.683+00:00

    Hi,
    Enable File and Folder auditing which can be done in two ways:
    Through Group Policy (for Domains, Sites and Organizational Units)
    Local Security policy (for single Servers)
    Configure audit settings for File and Folders
    This article will cover the process of enabling auditing for object access on a Windows Server 2012 through Group Policy.
    reference:https://www.lepide.com/how-to/enable-file-folder-access-auditing-windows-server-2012.html
    Tip: This answer contains the content of a third-party website. Microsoft makes no representations about the content of these websites. We provide this content only for your convenience.
    Best wishes
    Vicky

    0 comments

8 additional answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. Federico Coppola 1,181 Reputation points
    2020-10-12T09:30:59.193+00:00

    Hi @Anonymous ,
    I have tried to configure file system audit on just the first file server inside DFS company.

    First of all, I have created a Domain Group Policy too. Here an example guide: https://www.varonis.com/blog/windows-file-system-auditing/

    31664-audit-fs-gpo.png

    Later I have done your suggested steps.
    I have edited "shares" folder. Inside this main folders (this folder is not shared) there are inside shared company folders.
    I have set "Authenticated Users" and "Full Control" inside auditing tab.

    Here there are photos about this task:

    31509-audit-fs-1.png

    31610-audit-fs-2.png

    I have three file servers. Is it possible done this task just one time at DFS level?

    After that I have found important event id such as (you can see them using EventViewer > Security):

    • 4660 --> file deleted
    • 4663 --> file opened

    Finally, always from GPO settings (Computer configuration > Policies > Windows Settings > Security settings > Advanced Audit Policy Configuration > Object Access) I have found three more audit settings about file system and file share.

    31672-audit-fs-3.png

    Thanks so much for your help

  2. Anonymous
    2020-10-12T11:34:21.93+00:00

    I have three file servers. Is it possible done this task just one time at DFS level?

    Unfortunately you'll need to set it up on all three servers. We can't audit the namespace itself.

    --please don't forget to Accept as answer if the reply is helpful--

    0 comments
  3. Federico Coppola 1,181 Reputation points
    2020-10-31T23:51:02.907+00:00

    Dear @Anonymous ,
    Thanks for your help!

    Federico

  4. Deleted

    This answer has been deleted due to a violation of our Code of Conduct. The answer was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

    Comments have been turned off. Learn more

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.