It is common in enterprises to share files among many users across the Windows network. As most of these files contain critical information, they should be shared only with users who genuinely need them. For example, files holding customers' credit card details should be accessible only to the authorized users of the finance department. Similarly, a business file prepared by one of the directors does not, in normal situations, need to be accessible to the rest of the organization's employees. To protect this information, permissions are configured on these files. However, the chance of a security breach always exists, and that is why file access auditing becomes very important. There is one more reason for auditing: regulatory compliance. Many organizations need to meet regulatory standards such as HIPAA, SOX, and PCI. Auditing also helps organizations identify possible breach situations and close security gaps in advance.

How to conduct auditing on important files in three steps:

Windows and Windows Server operating systems come with security auditing features that can be used even by ordinary users. Basically, auditing involves three different steps:

1) Enable the policy setting ‘Audit object access’ using GPMC
2) Edit the SACL (System Access Control List) for the object
3) Check Windows security logs for information on audited events

Step 1: Enable object access auditing using GPMC

1) Open the Group Policy Management Console
2) Right-click the domain node and click ‘Create a GPO in this domain, and link it here’
3) Enter the new GPO name
4) Right-click the new GPO and select Edit
5) Expand to Computer Configuration/Policies/Windows Settings/Security Settings/Local Policies/Audit Policy
6) Double-click Audit object access option
7) Check the Success option; click Apply

[Note: Check the Failure option also if you want to audit unsuccessful attempts too.]

Step 2: Edit the SACL (System Access Control List) for an object


The System Access Control List (SACL) defines which users' accesses to an object are recorded and which types of access (read, write, delete, and so on) generate an audit event. To edit the SACL, right-click the file, select Properties, and go to the Security tab. The Advanced button lets you add users or groups whose accesses should be audited, and the Edit button lets you change the permissions of different users.

Step 3: Check Windows security logs for auditing details

You can view the details of the recorded events using the Windows Event Viewer. By expanding Windows Logs > Security, you can find a list of all events. It also provides filtering options with which you can easily zero in on the required event. Some of the relevant event IDs one can search for are:

• Event ID 4656 – A handle to an object was requested
• Event ID 4663 – An attempt was made to access an object
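Filtering in Event Viewer works for a handful of events, but on a busy file server the same query is easier to run from PowerShell. The following is an added example (not part of the original article) that confirms the "File System" audit subcategory is active and then reports the 4663 events for one audited path; `$TargetPath` is a placeholder you replace with your own share or file.

```powershell
# Added example: report file-access audit events (ID 4663) for one audited path.
# Assumptions: elevated PowerShell on the file server; $TargetPath is a placeholder.
param(
    [string]$TargetPath = 'C:\Shares\Finance',   # placeholder path, replace with yours
    [int]$Hours = 24
)

# Confirm the subcategory behind 'Audit object access' is actually enabled on this host.
auditpol /get /subcategory:"File System"

# FilterHashtable is far faster than piping every Security event through Where-Object.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction Stop

# Subset of ACCESS_MASK bits that commonly appear in 4663 events.
$maskNames = @{
    0x1     = 'ReadData/ListDirectory'
    0x2     = 'WriteData/AddFile'
    0x4     = 'AppendData'
    0x10000 = 'Delete'
    0x40000 = 'WriteDAC'
}

$report = foreach ($e in $events) {
    # The interesting fields live in EventData; read them from the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['ObjectType'] -ne 'File') { continue }
    if ($data['ObjectName'] -notlike "$TargetPath*") { continue }

    # AccessMask is logged as a hex string such as 0x1; PowerShell converts it directly.
    $mask  = [int64]$data['AccessMask']
    $names = $maskNames.Keys | Where-Object { $mask -band $_ } | ForEach-Object { $maskNames[$_] }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        File    = $data['ObjectName']
        Access  = ($names -join ', ')
        Process = $data['ProcessName']
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
```

Pipe `$report` to `Export-Csv` instead of `Format-Table` when the output has to be kept as compliance evidence.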

Though the auditing features in Windows are simple and effective, administrators often want more user-friendly solutions that automate auditing to some extent. That is why professional auditing solutions are popular with IT administrators. As some of them are available as trial versions, one can try them free of charge before purchasing.

File access auditing is important in organizations that handle a lot of critical information. Auditing helps secure important data and also helps meet regulatory compliance requirements. Microsoft has incorporated auditing features in Windows and Windows Server operating systems to meet these requirements, and many third-party solutions that allow easy auditing of file accesses are also available.
