Short guide: how to audit manipulation of files and folders on a Windows File Server.
1. First of all, configure the Security policy to enable auditing on the machine:
Select only one of the following two ways:
- Modern Granular way (2008+) – Advanced Audit Policy Configuration
- INFO: This disables configuration of the old way (Object Access Audit Policy, 2003), because the granular auditing takes precedence and the two ways cannot be used at once. This local policy will not take effect if you have configured the old-style policy through a domain GPO, which has higher priority than local policy.
- Run > secpol.msc
- Advanced Audit Policy Configuration > System Audit Policies > Object Access
- Audit File System – Success
- Audit Handle Manipulation – Success
- Old way through Object Access Audit Policy (2003)
- INFO: Use this policy only on Server 2003, because it generates more events than you need.
- Run > secpol.msc
- Local Policies > Audit Policy
- Audit object access – Success
2. Then set auditing on any folder you want to watch, in the NTFS Advanced permissions:
- Right click on folder > Properties > Security
- Select Advanced > Auditing > Add
- Select the principal you want to audit – it can be a specific user, group or computer. In most cases you will select Everyone, because you want to audit everybody (it does not matter whether it is the domain or the local Everyone group) > OK
- Select the auditing that fits your needs. Less is better, to avoid a huge amount of audited actions. If you only want to audit removed/moved files and folders, check Successful – Delete subfolders and files, Delete.
3. The last important thing is to extend the Security log file size:
- Run > eventvwr.msc
- Expand Windows Logs > Right click on Security > Properties
- Modify Maximum log size (KB) to fit your needs – I recommend at least 2GB (2048000 KB) > OK
Investigating who removed or moved a file/folder:
- Open the Security log and look for Event IDs 4660 and 4656. 4660 is the notification of who deleted the object, and the 4656 logged at the same time is the handle request that shows where the object was stored. (Applies to 2008+)
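The whole procedure above plus the 4660/4656 lookup, as an added PowerShell example that is not part of the original guide. It assumes the modern (2008+) audit policy path, a placeholder share folder D:\Shares\Projects, a one-day search window, and that the deletion event (4660) is matched to its handle request (4656) by the HandleId field; run it in an elevated PowerShell on the file server.

```powershell
# Added example, not part of the original guide. Placeholder folder and 24-hour window are assumptions.
$folder = 'D:\Shares\Projects'   # placeholder: the share folder to audit

# Step 1 (modern way): enable the two Object Access subcategories, Success only.
auditpol.exe /set /subcategory:"File System" /success:enable
auditpol.exe /set /subcategory:"Handle Manipulation" /success:enable

# Step 2: SACL entry for Everyone - Delete + Delete subfolders and files, Success, inherited.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Step 3: Security log maximum size 2048000 KB, as recommended above (wevtutil takes bytes).
wevtutil.exe sl Security /ms:2097152000

# Investigation: 4660 says who deleted (SubjectUserName, ProcessName, HandleId) but not what;
# the 4656 that opened the same HandleId says what (ObjectName). Join them in time order,
# because HandleId values are reused once a handle is closed.
function Get-EventField($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since   = (Get-Date).AddHours(-24)   # assumption: look back one day
$events  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4660; StartTime = $since }
$handles = @{}                        # HandleId -> most recent 4656 seen so far
$deleted = foreach ($e in ($events | Sort-Object TimeCreated)) {
    $hid = Get-EventField $e 'HandleId'
    if ($e.Id -eq 4656) { $handles[$hid] = $e; continue }
    $open = $handles[$hid]
    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName')
        Process = Get-EventField $e 'ProcessName'
        Object  = if ($open) { Get-EventField $open 'ObjectName' } else { '<no matching 4656 in window>' }
    }
}
$deleted | Format-Table -AutoSize
```

A 4660 with no matching 4656 in the window usually means the handle was opened before the window started or the SACL did not cover that object, so widen the window or check the folder's auditing entry.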