Changes

Auditing Windows Server 2008 File and Folder Access

2,323 bytes added, 19:18, 21 August 2008
Enabling File and Folder Auditing
Double click on the ''Audit Object Access'' item in the list to display the corresponding properties page and choose whether successsuccessful, failed, or both types of access to files or folder is to folders may be audited:
Once the settings are configured click on ''Apply'' to commit the changes and then ''OK'' to close the properties dialog. With file and folder auditing enabled the next task is to select which files and folders are to be audited.
 
== Configuring which Files and Folders are to be Audited ==
 
Once file and folder access auditing has been enabled the next step is to configure which files and folders are to be audited. As with permissions, auditing settings are inherited unless otherwise specified. For example, by default configuring auditing on a folder will result in access to all child subfolders and files also being audited. Just as with inherited permissions, the inheritance of auditing settings can be tuned off for either all, or individual files and folders.
 
To configure auditing for a specific file or folder begin by right clicking on it in Windows Explorer and selecting ''Properties''. In the properties dialog, select the ''Security'' tab and click on ''Advanced''. In the ''Advanced Security Settings'' dialog select the ''Auditing'' tab. Auditing requires elevated privileges. If not already logged in as an administrator click the ''Continue'' button to elevate privileges for the current task. At this point the Auditing dialog will display the ''Auditing entries'' list containing any users and groups for which auditing has been enabled as shown below:
 
 
[[Image:windows_server_2008_file_and_folder_auditing_entries.jpg|The file and folder auditing entries dialog]]
 
 
To add new users or groups whose access attempts to the select file or folder are to be audited click on the ''Add...''' button to access the ''Select User or Group'' dialog. Enter the names of groups or users to audit, or ''Everyone'' to audit access attempts by all users and click on ''OK'' to display the ''Auditing Entries for''' dialog as illustrated below:
 
 
[[Image:windows_server_2008_auditing_for.jpg|Configuring file and folder auditing for a specific user or group]]
 
 
Use the drop down list to control whether the auditing setting is to be applied to the current file or folder, or whether it should propagate down to all child files and/or sub-folders. Finally, select which types of access are to be audited and, for each type, whether successful, failed or both kinds of attempt are to be audited. Once configured, click on ''OK'' to commit the new auditing settings. From this point on, access attempts by the specified users and groups of the types specified will be recorded in the server's security logs.
 
== Reviewing Security Logs ==
== Selecting File and Folders to be Audited ==