Occasionally it is necessary to determine who modified a file or moved a folder. Enabling auditing on your Windows server will allow you to determine changes to a file or folder. When configured, the server’s security log is updated whenever access to an object occurs. The information is accessible from the security log on the server.
Auditing provides a method for documenting system and user events. However, audit only meaningful events rather than every single event in the entire system is recommended. This reasons for this are that:
- Logging everything will quickly fill up the security log.
- Auditing every user and every system event will log hundreds of events every minute.
- The security log can quickly fill up, meaning that no more events will be logged until the log has been cleared out.
- Excessive logging consumes disk and processor time which might cause performance problems for the server.
- Logs cease to be meaningful if you log everything since locating a record of a security breach could take considerable time..
What needs to be audited?
An audit policy can be applied to any server or workstation. It is recommended that auditing be enabled on all domain controllers because they are so crucial to your firm’s security. File servers or application servers should also have audit policies if they contain any sensitive or confidential data. It’s not recommended to audit workstations, simply because all sensitive data should be stored on a server and reviewing the audit logs on every single workstation is very time consuming.
The following types of auditing can be performed:
- Account Management: Tracks changes to accounts
- Directory Service Access: Tracks access to the Active Directory services
- Logon Events: Tracks logins, logouts, and network connections
- Object Access: Tracks access to files, directories, and other NTFS objects (including printers)
- Policy Change: Tracks changes to user rights, audit policies, and trusts
- Privilege Use: Tracks changes to user privileges
- Process Tracking: Tracks program activation and termination, and other object or process activity
- System Events: Tracks server shutdowns and restarts, and logs events affecting system policy
File level auditing
With Object Access auditing enabled you can take advantage of file level auditing. By selecting the properties of a file object, you can select users or groups that you want to audit. You can choose from a list of auditable actions related to the object. You can perform a success and/or failure audit on any of the actions by selecting the appropriate check boxes.
Auditing will not alert you to a security breach or an attempted hack on your system. Review of the security log is required. It is best to review the log daily and to understand what the security log entries mean. Logs fill up quickly and depending on the configuration can overwrite themselves so it is important to review the logs for security breaches on a regular basis.
Quality assurance and individual accountability
By advising your employees about file auditing practices, they are more likely to ensure the accuracy of their work and adhere to company security policies knowing that their actions will be recorded in a security log. A file audit will track the changes to an object which will help office managers determine if errors were made by the user, by the system or application software, or by some other source.