Tracking down the “bad guys” can be really hard. Technically, the bad guys might not even really be bad guys. They could just be normal users performing regular tasks that – oops – they shouldn’t be doing at all.
Windows Auditing enables you to track down precisely who is doing what over which areas of the operating system.
When Windows Auditing is enabled you might be able to quickly figure out which users or groups are performing correct actions, and also performing “no nos” on files. Who is reading it? Who is editing it? Who deleted it?
With that in mind the skill of knowing who did what to which files is going to be pretty important to have down pat. You’ll want to be prepared in advance. In advance of a hack attempt, or a user doing something they shouldn’t do, or even, an administrator making a mistake. Yep, it’s true – we’re sometimes guilty of the occasional slip-up too!
Let’s start by auditing a file. You can also do this for all files in the folder, but to keep this simple – I’m going to stick with just one file in a share I’ve already got set up. You can see my example share name is Share 2, and I’ve got a file called “Secret.Txt” in the share.
There are a lot of steps to get this going here, so stick with me. Start out by right-clicking over the file and selecting Properties as seen in Figure 1.
Figure 1: We’re going to audit SECRET.TXT. Start out by visiting the Properties of the file. Once you’re there, click the Advanced button (not shown.) Then head over to the Auditing tab as seen in Figure 2.
Here’s the myth that we want to bust. In short, Auditing doesn’t really “begin” in this place. This is actually the second part of what you should be doing to get auditing to turn on at all. Many administrators turn file auditing on here and magically expect file auditing to work.
Except – oops – it doesn’t. Again, this is really the “Part II” of what you should be doing. We’ll get to “Part I” in a second, but since we’re here anyway, let’s continue onward.
Next, you’ll audit for the “who” you want. In this example, I’m auditing to see if someone named EastSalesUser1 has touched the file.
Next is to simply select which access attributes you want to audit for as seen in Figure 4.
Remember – I’m suggesting this is actually Part II of the auditing story. There’s really a Part I we should have configured first. But we’ll go ahead and do that now.
Part I (the part we’re going to do now) is actually to create a Group Policy Object which turns on auditing in the first place. Sort of like the “master switch” to enable the work we already did before this point. Start out by creating a Group Policy Object and linking it to where your computers live. In this example, I’m creating a Group Policy Object named “Turn on Auditing” and it’s linked over to “East Sales Servers” as seen in Figure 5.
Once the Group Policy Object is open for editing, find Computer Configuration | Policies | Security Settings | Local Policies | Audit Policies. For files, turn on Success and Failure for “Audit object access” which is the category used for files.
For a list of all the categories and what they turn on, you can check out this reference here: https://msdn.microsoft.com/en-us/library/ms878694.aspx.
Hope this little how-to tutorial busted some myths, gave you some guidance on some facts, and helps you get closer to your goals!