An administrator can use security event auditing to get reliable information about events in the system, monitor user activity, and use that information to identify weaknesses in the server’s security. On Windows, such events are recorded in the Security log of the operating system. In this article, we will show you how to configure security audit policies in Windows, using the configuration of file and folder access auditing as an example.
You can use the Group Policy console to configure audit policies on Windows. If you are configuring policies for domain computers/servers, use the Group Policy Management Console (gpmc.msc). You can use the Local Group Policy Editor console (gpedit.msc) when setting up audit policy on a standalone server or in a workgroup.
The GPO console has two sections that contain audit policies: basic and advanced.
The basic audit policy is located under GPO section: Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy. The following event categories are available in it:
- Audit account logon events;
- Audit account management;
- Audit directory service access;
- Audit logon events;
- Audit object access;
- Audit policy change;
- Audit privilege use;
- Audit process tracking;
- Audit system events.
Advanced audit policies are located under the section: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration. There are 60 different audit policies, divided into 10 categories, including:
- Account Logon;
- Account Management;
- Detailed Tracking;
- DS Access;
- Object Access;
- Policy Change;
- Privilege Use;
- Global Object Access Auditing.
In most cases, you need to use audit policies from the Advanced Audit Policy Configuration section—they allow you to fine-tune auditing and exclude unnecessary security events.
Before enabling Windows audit policies, we recommend increasing the maximum size of the Security log from its default of 128 MB (the default in Windows Server).
Run the Event Viewer console (eventvwr.msc), expand Windows Logs, and open the Security log properties. Increase the value in the Maximum log size (KB) field.
Now you need to configure the policy for auditing user access to files and folders on the shared network folder. Go to the Advanced Audit Policy > Object Access section. Open the properties for the Audit File Share and Audit File System subcategories.
Enable the policy by checking the Configure the following audit events option.
Specify what events should be recorded in the Security log:
- Success — successful user access to objects in the shared folder
- Failure — failed attempts to access objects in the shared folder.
In our case, it is enough to audit only Success events.
Now you need to assign an audit policy to the shared folder (create system access control lists—SACLs).
Open the properties of the network folder and go to the Security tab > Advanced > Auditing tab > Continue.
Click Add > Select a principal and add the principals, i.e. the users or groups (local or from Active Directory) whose activity you want to audit. We added the Domain Users or Everyone group, which means that access to the shared network folder will be audited for all users.
Next, in the Permissions section, specify what user actions should be logged. I selected events from the Delete category.
Save the changes and update the policies on the computer using the gpupdate command:
Now, whenever a user deletes a file or folder in the shared folder, an event with EventID 4660 (source: Microsoft Windows security auditing, Task Category: File System, “An object was deleted”) will appear in the Security log.
The event contains the user who deleted the file (Account Name).
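The SACL step and the EventID 4660 check above, written as an added PowerShell example (this is not code from the original article). It assumes a hypothetical share path D:\Shares\Docs, that the Audit File System subcategory is already enabled for Success, and an elevated session. It also goes one step beyond the article: 4660 records the account but not the object name, so the script recovers the deleted path from the preceding 4663 event that shares the same Handle ID.

```powershell
# Added example, not part of the original article. Assumed values: the share path
# below is hypothetical; the Audit File System subcategory must already be enabled.
$SharePath = 'D:\Shares\Docs'   # hypothetical path, adjust to your server

# 1. Add a SACL entry: audit successful Delete / DeleteSubdirectoriesAndFiles by
#    Everyone, inherited by all subfolders and files (same as the Auditing tab in the GUI).
$acl    = Get-Acl -Path $SharePath -Audit
$rights = [System.Security.AccessControl.FileSystemRights]::Delete -bor
          [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule(
              'Everyone', $rights,
              [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
              [System.Security.AccessControl.PropagationFlags]::None,
              [System.Security.AccessControl.AuditFlags]::Success)
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 2. Confirm the subcategory is really enabled before trusting the log.
auditpol /get /subcategory:"File System"

# 3. Read recent deletions. 4660 names the account and process but not the object;
#    the object path is in the 4663 event that was logged with the same Handle ID.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $since } -ErrorAction SilentlyContinue
$handleToObject = @{}   # Handle IDs are reused over time, so process in order and keep the latest mapping
$deletions = foreach ($e in ($events | Sort-Object TimeCreated)) {
    $handle = Get-EventDataField -Event $e -Name 'HandleId'
    if ($e.Id -eq 4663) {
        $handleToObject[$handle] = Get-EventDataField -Event $e -Name 'ObjectName'
    } elseif ($e.Id -eq 4660) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = Get-EventDataField -Event $e -Name 'SubjectUserName'
            Object  = $handleToObject[$handle]
            Process = Get-EventDataField -Event $e -Name 'ProcessName'
        }
    }
}
$deletions | Format-Table -AutoSize
```

If the Object column is empty for a deletion, the 4663 event fell outside the time window or the SACL did not cover the access that opened the handle.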
It is not recommended to enable many audit events at once—this increases the load on the computer. In addition, a large number of security events is difficult to search through.
You can also manage audit policies through the auditpol.exe command line tool.
To display information about all enabled audit policies, run the command:
auditpol /get /category:*
To enable a specific audit policy, the following syntax is used:
auditpol /set /subcategory:"Registry" /success:enable
To reset audit policies to their clean state, use the command: