With Logsign Unified SecOps Platform, you can analyze the logs of the File Server you have configured on Windows Server and find out about the changes users make to files. Configure the auditing settings on the file server on the Windows Server 2012 R2 machine by following the steps below.
First of all, open Run on the Windows Server 2012 R2 machine, type gpmc.msc and click the OK button. A window called Group Policy Management opens. With Group Policy Management, you can create security policies and raise your security level.
At the top of the window, you will see Group Policy Management, followed by the tree in this order:
Group Policy Management
Forest: test.local
Domains
test.local (the domain name may differ in your network)
Open the tabs in sequence until you reach the test.local tab and expand it. Then, right-click on the test.local menu and click on New Organizational Unit.
In the window that opens, type the name of the organizational unit in the Name field. Since you will perform auditing on the File Server, write File Servers and click on the OK button.
You will see the File Servers tab under the test.local menu. Right-click on the File Servers menu and click on Create a GPO in this domain, and Link it here. You can choose your own name in the New GPO window that opens, but in this example, write File System Audit Policy and then click on the OK button. On the right side of the window, you will see that the policy named File System Audit Policy has been created.
Right-click on the File System Audit Policy rule and click on Edit. A window for setting the policy rules appears, called the Group Policy Management Editor.
When you click on Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy, the Audit Policy rules appear on the right side of the window.
Open each setting one by one, either by right-clicking and choosing Properties or by double-clicking. In the window that opens, under the Security Policy Setting tab, check the Define these policy settings box. The two (2) boxes named Success and Failure under Audit these attempts then become active; check both. You can click on the Explain tab to get information about the policy rule. Once both are checked, save the setting with the OK button. Repeat this process for each policy rule.
Please note: you can audit only Success or only Failure if desired.
After you set the policy rules, the next steps make the logs available to Logsign Unified SecOps Platform, which collects them over the WMI protocol.
You can also do this with the Advanced Audit Policy on Windows Server 2012 R2. Close the Local Policies tab and click on Advanced Audit Policy Configuration -> Audit Policies -> Object Access further down the menu. You will then see the following items under the Subcategory heading on the right side of the window.
Audit Detailed File Share
Audit File Share
Audit File System
Audit Handle Manipulation
Double-click each item, or right-click and choose Properties. In the window that opens, check the Configure the following audit events box so that the Success and Failure boxes become active, and check these two (2) boxes as well. This process must be done individually for each of the four (4) items listed above.
Please note: when Audit Handle Manipulation is enabled, events are recorded with event ID 4656.
After this, you may see a very high log volume, because Windows records a large number of event ID 4656 entries and the event log can fill up and overwrite older entries. For this reason, you can leave the Audit Handle Manipulation option Not Configured.
After completing your configuration, open Run, type gpupdate /force so that the policy takes effect, and click the OK button.
The steps performed above apply to all computers in the File Servers organizational unit. To restrict these settings to specific File Servers, proceed as follows.
Navigate to the policy at Group Policy Management -> Forest: test.local -> Domains -> test.local -> File Servers -> File System Audit Policy. Click on it to see the policy page on the right. Select the Scope tab, right-click on the Authenticated Users group under the Security Filtering heading in the lower pane and remove it with the Remove button.
Use the Add button to select which computers or File Servers will be affected by the audit rule. After clicking the Add button, you will see a small window titled Select User, Computer, or Group. Click the Object Types button, check the Computer box, uncheck the other boxes and continue with the OK button. Enter the name of the computer you want to add in the Enter the object name to select field, then click the OK button.
After this, configure which folders on the computer will be audited.
Browse to the folder, right-click on it and choose Properties. In the window that opens, go to the Security tab and click on the Advanced button in the lower right corner of the window.
Click on the Auditing tab and click on the Edit button at the bottom of the window that appears. Then click on the Add button.
Click on the Select a principal button in the popup window, enter Everyone in the Enter the object name to select field and click the OK button.
The next step is to enable auditing of all Success and Failure events by selecting All under Type. In the Basic permissions section, select the commonly audited operations:
Create files/write data
Create folders/append data
Delete subfolders and files
Delete
After marking the boxes next to the items, finish the process with the OK button.
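The same folder audit entry can be applied and verified from an elevated PowerShell session on the file server, and the effective Object Access audit policy and the event ID 4656 volume discussed above can be checked at the same time. This is an added example, not part of the original article or Logsign's own tooling; $FolderPath is a hypothetical path that you replace with the folder you want to audit.

```powershell
# Added example (not from the original article). Assumes an elevated PowerShell
# on the file server; $FolderPath is a hypothetical path, replace it with yours.
$FolderPath = 'D:\Shares\Finance'   # hypothetical folder to audit

# 1. Confirm the Object Access subcategories pushed by the GPO are in effect.
#    Expect "Success and Failure" for File System, File Share and Detailed File Share;
#    Handle Manipulation shows "No Auditing" if you left it Not Configured.
auditpol /get /category:"Object Access"

# 2. Build the entry the GUI steps create: Principal = Everyone, Type = All
#    (Success and Failure), Basic permissions = Create files/write data,
#    Create folders/append data, Delete subfolders and files, Delete.
$rights  = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, DeleteSubdirectoriesAndFiles, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # this folder, subfolders and files
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'                      # Type = All
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

# Read the security descriptor including its SACL (-Audit), add the entry, write it back.
$acl = Get-Acl -Path $FolderPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 3. List the audit entries now on the folder so the change can be verified.
(Get-Acl -Path $FolderPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize

# 4. Measure how noisy event ID 4656 has been in the last hour. A high count here
#    is the reason for leaving Audit Handle Manipulation Not Configured.
$since     = (Get-Date).AddHours(-1)
$count4656 = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = $since } `
              -ErrorAction SilentlyContinue | Measure-Object).Count
"Event ID 4656 entries in the last hour: $count4656"
```

Run step 4 again after the policy has been active for a while; if the count keeps climbing, the Security log size or the Handle Manipulation subcategory needs attention before the volume is forwarded to Logsign.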
After this process, Logsign Unified SecOps Platform lets you analyze events according to the settings you made: the File Servers you scoped the policy to and the folders and operations you chose to audit.