In this tutorial you will be shown how to configure Group Policy to track file change events on your Windows file server.
In the event of a data breach, businesses often want to know who accessed the data and when, and what kind of changes were made. With this method you can track file changes on your Windows file server. This helps you prevent insider threats by showing who is accessing files they don’t need access to, and it helps during data breach investigations by proving who changed what.
Step 1: Enabling the ‘Audit object access’ policy
1. Remote connect to your DC and launch the Group Policy Management console (Run –> gpedit.msc).
2. Create a new GPO named “Server Audits” and link it to the root of your domain.
3. Right click “Server Audits” policy followed by clicking on Edit within the menu.
4. Navigate to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy.
5. Right click ‘Audit object access’, select Properties, then turn auditing on for both Success and Failure.
6. Push the policy to your devices.
Step 2: Set up auditing on folder shares
1. Log onto your file server and locate the folder share you would like to audit. Right click the folder and go to Properties. Click the Security tab and then click Advanced.
2. In Advanced Security Settings, go to the Auditing tab and click Add to add a new auditing entry.
3. Click Select a principal and, for the object name, enter Domain Users.
4. Now click Show advanced permissions and check the following attributes:
- Traverse folder / execute file
- List Folder / read data
- Create files / write data
- Create folders / append data
- Write attributes
- Delete subfolders and files
- Read Permissions
5. Click OK once everything is selected, then click Apply; Windows will then work through the folder tree updating its security settings. Repeat these steps for any other shares you would like to audit.
Step 3: How to view the audit logs in Event Viewer.
- Open up Event Viewer
- Expand Windows Logs
- Click on Security
- You should now see the audit events in Event Viewer showing who is accessing what.
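The same Step 2 audit entry and Step 3 log review can be done from PowerShell on the file server, which is handy when you have many shares to cover. This is an added example, not part of the original tutorial; the share path is a placeholder, it assumes an elevated session (changing a SACL needs administrator rights), and it uses Security event ID 4663 (“An attempt was made to access an object”), which is the event the audit entry generates.

```powershell
# Added example: apply the tutorial's audit entry to a share and read back the resulting events.
param(
    [string]$Path  = 'D:\Shares\Finance',              # placeholder share folder, change to yours
    [string]$Group = "$env:USERDOMAIN\Domain Users"    # the principal chosen in Step 2
)

# Check that the Step 1 GPO has actually landed on this server: 'Audit object access'
# maps to the 'File System' subcategory and should show Success and Failure.
auditpol /get /subcategory:"File System"

# The seven advanced permissions ticked in Step 2, expressed as FileSystemRights flags.
$rights  = [System.Security.AccessControl.FileSystemRights]'ExecuteFile, ReadData, WriteData, AppendData, WriteAttributes, DeleteSubdirectoriesAndFiles, ReadPermissions'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # "This folder, subfolders and files"
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $Group, $rights, $inherit, $prop, $flags

# -Audit is required, otherwise Get-Acl returns the DACL only and the SACL change is silently lost.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Step 3 without the GUI: list who touched what under the audited folder.
# 4663 fires once per audited access; filtering on ObjectName keeps only this share's events.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $obj  = ($data | Where-Object Name -eq 'ObjectName').'#text'
        if ($obj -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                Object  = $obj
                Access  = ($data | Where-Object Name -eq 'AccessList').'#text'   # e.g. %%4417 = WriteData
                Process = ($data | Where-Object Name -eq 'ProcessName').'#text'
            }
        }
    } | Format-Table -AutoSize
```

Run the script once per share you want covered; the Security log fills quickly on a busy server, so size the log (or forward it to a SIEM) before relying on it for an investigation.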