MCITP 70-640: Windows File Auditing

This video will look at how to perform file and folder auditing in Windows 8. File and Folder auditing allows the administrator to configure which files and folders they would like to track access for. This video will look at how to configure File and Folder auditing to get the best results.

Demonstration
To enable auditing on a particular file or folder, open the properties for that file or folder. In the properties, select the Security tab and then press the Advanced button. In the advanced dialog box select the Auditing tab. This is where all the auditing options are found. If they do not appear, press the Continue button to enable them (reading or changing the audit settings requires the Manage auditing and security log privilege, which administrators have by default).

Once the options are enabled, press the Add button to add audit entries. At the top of the Add window is the option Select a principal. This is where you choose the user or group whose access to the object you want to audit.

Under the principal option you have the type option. This can be configured to success, failure, or both.

In the middle part of the window you choose which permissions you want to audit. For example, if you only want to audit when changes are made, you could select the Write permission and nothing else. There is also the option Show advanced permissions if you want to customize the entry further than the basic permissions allow, for example to audit only Delete or only Write data.

At the bottom of the screen is the option Add a condition. This is a new feature in Windows 8 and Windows Server 2012, part of Dynamic Access Control. A condition restricts the audit entry to principals or resources that match an expression (for example a user claim or a resource property), so the entry only fires for the access you are actually interested in. This lets you capture the information you require rather than large amounts of extra information that you do not require.
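The same audit entry can be created from PowerShell instead of the Advanced Security Settings dialog. The following is an added example, not code from the video; it assumes a folder C:\Shared\Finance exists and that the shell is running elevated. It audits only Write-type access for Everyone, on success and failure, inherited by subfolders and files, which is the "audit only when changes are made" case discussed above. Conditions (the Add a condition option) cannot be expressed with this class and still need the GUI or an SDDL string.

```powershell
# Added example (not from the original page): create a file-system audit entry (SACL)
# equivalent to Properties > Security > Advanced > Auditing > Add.
# Assumptions: C:\Shared\Finance exists and this runs in an elevated PowerShell session.

$path = 'C:\Shared\Finance'

# Principal, permissions to audit, inheritance (this folder, subfolders and files),
# and the Type (Success, Failure or both), in the same order as the dialog box.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::Write,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)

# Get-Acl only reads the SACL when -Audit is given; Set-Acl then writes it back.
# Writing a SACL needs SeSecurityPrivilege, which is why the session must be elevated.
$acl = Get-Acl -Path $path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# Show the audit entries now present on the folder.
(Get-Acl -Path $path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Use `RemoveAuditRule` or `PurgeAuditRules` on the same object to take entries away again. Remember that an entry in the SACL by itself produces no events until the audit policy in the next section is enabled.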

Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy
The policy setting that needs to be configured for file and folder auditing is Audit object access. This can be configured to success, failure, or both. Until this policy is enabled, the audit entries you placed on files and folders have no effect and no events are written. On Windows 7 and Windows Server 2008 R2 or later, the same category can be enabled more selectively under Advanced Audit Policy Configuration, where File System is its own subcategory.

To view the events generated by file and folder auditing, open Event Viewer and look under Windows Logs\Security.

Audit object access will record a lot of events in the Security log. Besides the entries you have configured on files and folders, it covers the operating system opening and closing handles to other objects, and any other object-access auditing you have configured, so the log grows quickly. One point to remember is how Windows decides what to log. The audit event is generated when a handle to the object is opened, and it records the access rights that were requested for that handle. Operations performed afterwards through the same handle are not logged one by one; otherwise the log would fill almost immediately. So if you audit read and write on a file, an application that opens the file once will produce an event for that open, and the individual writes it then makes through that handle will not appear as separate events. If you only want to know about writes, configure the audit entry for write access only. Then an event is recorded whenever a handle is opened with write access, and read-only opens do not clutter the log. If you audit both read and write, the handle open may be recorded for its read access and the write activity that follows through that handle is effectively filtered out and not visible in Event Viewer.
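The policy step and the Event Viewer step above, done from the command line, as an added example that is not part of the original page. It enables only the File System subcategory of Audit object access (which avoids the registry and kernel-object noise described above), generates one write, and then pulls the resulting events out of the Security log with the fields that matter: who, which object, which process, and the access mask that was requested when the handle was opened. It assumes the audit entry from the previous example is already on C:\Shared\Finance and that the shell is elevated.

```powershell
# Added example (not from the original page): enable the audit policy that file and folder
# SACLs depend on, then read the events it produces.
# Assumptions: elevated session; C:\Shared\Finance already carries an audit entry.

# Enable only the File System subcategory rather than the whole Audit object access
# category, so registry, handle-manipulation and other object events are not logged.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /get /subcategory:"File System"

# Cause one audited access: opening the file for append requests write access.
Add-Content -Path 'C:\Shared\Finance\budget.txt' -Value 'test line'

# Event 4663 "An attempt was made to access an object" is logged per audited handle open;
# 4656 "A handle to an object was requested" records the request, including failures.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50

foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    if ($d.ObjectName -like 'C:\Shared\Finance\*') {
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object     = $d.ObjectName
            # Access rights requested at handle open, as hex: 0x1 ReadData, 0x2 WriteData/AddFile,
            # 0x4 AppendData, 0x10000 Delete. This is what the SACL entry matched against.
            AccessMask = $d.AccessMask
            Process    = $d.ProcessName
        }
    }
}
```

The AccessMask column is the practical way to check the behaviour described above: one event per handle open, listing the rights requested, rather than one event per read or write. If the script prints nothing, confirm with `auditpol /get /category:"Object Access"` that the subcategory really is enabled; the SACL on the folder is silent without it.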

References
"MCTS 70-640 Configuring Windows Server 2008 Active Directory Second edition" pg 370-372
Comments

Thanks very much and thanks for watching.

itfreetraining

No problem, thanks for watching. Windows 8 takes some time to get used to, but it does have some nice new features.

itfreetraining

Your videos always make things much clearer. Thank you!

LookingForTheTruth

There is some free software that can be used to recover deleted files. If you run a Google search you should be able to find some. This will only work if the area on the hard disk that contained the files has not been overwritten. Once you determine the dates the files were deleted, you could look through the Event Viewer and work out who was using the computer at that time. That would give you an idea of who deleted the files.

itfreetraining

Auditing is switched off by default in Windows. This is because it takes a lot of system resources. For this reason there is no way to track it if it was enabled after the files were removed.

itfreetraining

Very informative, thanks very much for taking the time. I think the last three videos have saved me hours of poring over technet pages :-)

tonetoobtwo

Great videos!!! This one helped me a lot, and I have been watching your channel for a bit.

UNIXSOLJASysadminSyndicate

You can't send e-mail using auditing that I know of. What you can do is attach a trigger to the event in the Event Viewer. When auditing triggers that event, it can send you an e-mail.

itfreetraining

Thanks again for another very useful video, appreciate them a lot :)

pflickgoal

This is just what I needed, thank you!

giantdad

Once again thank you and will keep going.

gadgetproblemnoproblem

File auditing is not enabled by default in Windows due to the extra load it puts on the system.

itfreetraining

Hi, thanks for such a nice video. I just wanted to ask: if, for instance, I want e-mail alerts on my system, what would the result be in that case, because this would only enable the alerts for auditing, and that too only from the Windows event log?
In that case, would we have to use a third-party tool? Please update.

LarryPicture

Ahhh, ok, I will look for Get Data Back. So there's no way to track a folder in Windows by default? Thanks for the response.

albertrv

Hi, my question is: but what can I do if the folders are already lost? How do I know what happened to them if they are already missing? I am using Windows 7 and I need to know who erased my files. This is helpful if you are planning to track, but if you didn't set up this audit rule before, how do I find out what happened to my video folder if I don't see it on my desktop? Can you help, please?

albertrv

Hi, what if I have 2 servers (1 domain and 1 file server)? On which server is the audit policy supposed to be configured,
and on which server should the security log be viewed?

tony.t

Hello,

If I access the file as an admin, it creates an event in the event log under Task Category that states: Removable Storage.
If I then try to access the file or folder with a regular domain user, it creates an entry under Task Category that states: File System.

Now the admin has read and write access, but the user does not.
Maybe that's the reason why I'm getting different event items?

TimTielens

Hi,
in the event logs the user is N/A, so how would you know who accessed it? Which user did what to that folder?
Thanks

ascool

I'd really love to get to know the heroes behind the scene :)

sanctusjohn

I can't access Local Group Policy in Windows 7 Home Edition. Now what?

cyndyreavey