Monitor the resource attributes on files and folders
This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects.
If your organization has a carefully thought out authorization configuration for resources, changes to these resource attributes can create potential security risks. Examples include:
- Changing files that have been marked as high business value to low business value.
- Changing the Retention attribute of files that have been marked for retention.
- Changing the Department attribute of files that are marked as belonging to a particular department.
Use the following procedures to configure settings to monitor changes to resource attributes on files and folders. These procedures assume that have configured and deployed central access policies in your network. For more information about how to configure and deploy central access policies, see Dynamic Access Control: Scenario Overview .
Note: Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
To monitor changes to resource attributes on files
- Sign in to your domain controller by using domain administrator credentials.
- In Server Manager, point to Tools, and then click Group Policy Management.
- In the console tree, right-click the flexible access Group Policy Object, and then click Edit.
- Double-click Computer Configuration, double-click Security Settings, double-click Advanced Audit Policy Configuration, double-click Policy Change, and then double-click Audit Authorization Policy Change.
- Select the Configure the following audit events check box, select the Success and Failure check boxes, and then click OK.
After you configure settings to monitor resource attributes on files, verify that the changes are being monitored.
To verify that changes to resource attributes on files are monitored
Use administrator credentials to sign in to the server that hosts the resource you want to monitor.
From an elevated command prompt, type gpupdate /force, and then press ENTER.
Attempt to change resource properties on one or more files and folders.
In Server Manager, click Tools, and then click Event Viewer.
Expand Windows Logs, and then click Security.
Depending on which resource attributes you attempted to change, you should look for the following events:
- Event 4911, which tracks changes to file attributes
- Event 4913, which tracks changes to central access policies
Key information to look for includes the name and account domain of the principal attempting to change the resource attribute, the object that the principal is attempting to modify, and information about the changes that are being attempted.