Windows Server 2008 and 2008 R2 have been one of the most widely deployed servers in the project setups where they are used for supporting collaborative work environments. However, because of the very nature of these kinds of setup where multiple resources have access to the same objects, assigning responsibility for user actions become utmost important.
This can be ensured by auditing all User actions related to file and folder access. In this guide, we are going to see how we can enable auditing on Windows Server 2008 and 2008R2.
On Windows Server 2008 and 2008 R2, auditing file and folder accesses consists of two parts.
Step 1: Enable File and Folder auditing
Enabling File and Folder auditing
It can be done in two ways :
a) Through Group Policy (for Domains, Sites and Organizational Units)
b) Local Security policy (for single Servers)
Step 2: Enable auditing for object access
To enable auditing for object access on a MS Windows Server 2008, follow these steps :
A) Open Group Policy Management Console.
B) Go to the concerned domain and expand the node against it
C) Go to the Group Policy Objects and right – click on it
D) Select New from the popup menu
E) In the New GPO dialog box, enter the name of the new GPO and click ‘Ok’
F) Right-click on the newly created GPO and select ‘Edit’ from the pop-up menu
G) The Group Policy Management Editor window opens up
H) Go to Computer Configuration ► Policies ► Windows Settings ► Security Settings ► Local Policies ► Audit Policies
I) In the right-pane, the list of all policies is displayed
(i) Audit Account Logon Events
(ii) Audit Account Management
(iii) Audit Directory Service Access
(iv) Audit Logon Events
(v) Audit Object Access
(vi) Audit Policy Change
(vii) Audit Privilege Use
(viii) Audit Process Tracking
(ix) Audit system Events
J) Go to the policy for which you want to define settings. If you define settings for all policies, a lot of logs will be generated
K) Double-click on the policy for which you want to define the settings
L) In the Properties dialog box that opens up, select Success/Failure or both
M) Click on ‘Ok’ to close the window
N) Next, you need to apply this policy on the DC. Go to RUN command and type: gpupdate/force/boot/logoff and click ‘Ok’
O) Gpupdate command prompt opens up and a message is displayed: “Updating Policy …”
Step 3: Select specific Folder and define Users
After the policy has been applied, the next thing is to select Files and Folders and which Users’ actions are to be audited
To select specific Folder and define Users, follow these steps :
a) Go to Windows Explorer
b) Right-click on it and select Properties
c) In the Properties dialog box, select the Security tab and click on ‘Advanced’
d) In the Advanced Security Settings dialog box, select the Auditing tab
e) Click on the ‘Add…’ button.
f) In the Select User or Group dialog, enter names of Users whose accesses are to be audited
g) Select ‘Everyone’ to audit access attempts by all Users. Click on ‘OK’
h) Auditing Entry for Accounts dialog box opens up
I) Select the type of accesses to be audited. Successful access/Failed access or both can
be selected
j) Click ‘Ok’ and ‘Apply’ to save the settings
From this point onwards, all the access attempts to this particular folder by all Users would be recorded on the DC. To view these event logs use Windows event viewer.