File Share Auditing

With Logsign Unified SecOps Platform, you can analyze the logs of the File Server you have configured on Windows Server and see the changes users make to files. Configure the auditing settings for the file server on the Windows Server 2012 R2 machine as follows.

First, open Run on the Windows Server 2012 R2 machine, type gpmc.msc and click the OK button. A window called Group Policy Management opens. With Group Policy Management, you can create security policies and raise your security level.

At the top of the window, you will see Group Policy Management, followed by this hierarchy:

Group Policy Management

Forest: test.local

Domains

Test.local (the domain name may differ in your network)

Open the nodes in sequence until test.local is expanded. Then right-click test.local and click New Organizational Unit.


In the window that opens, enter the name of the organizational unit in the Name field. Since you'll perform an audit on the File Server, write File Servers and click on the OK button.


You will see File Servers under the Test.local menu. Right-click File Servers and click Create a GPO in this domain and Link it here. In the New GPO window that opens you can enter any name you like, but in this example, write File System Audit Policy and then click on the OK button. On the right side of the window, you will see that the policy named File System Audit Policy has been created.

Right-click on the File System Audit Policy rule and click on the Edit tab. A window will appear to set the policy rules, which is called the Group Policy Management Editor.

When you go to Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy, the Audit Policy rules appear on the right side of the window.

Open each policy in turn by double-clicking it or by right-clicking it and selecting Properties. In the window that opens, check the Define these policy settings box under the Security Policy Setting tab. The two (2) boxes named Success and Failure under Audit these attempts then become active. You can click on the Explain tab to get information about the policy rule. Check both boxes and save the setting with the OK button. Repeat this process for each policy rule.

Please note: If desired, you can audit only Success or only Failure events.

After you set the policy rules, the next process is to display the logs on Logsign Unified SecOps Platform using the WMI protocol.

You can also do this with the Advanced Audit Policy in Windows Server 2012 R2. Close Local Policies and click Advanced Audit Policy Configuration -> Audit Policies -> Object Access lower in the menu. You will then see the following items under the Subcategory heading on the right of the window.

Audit Detailed File Share

Audit File Share

Audit File System

Audit Handle Manipulation

Double-click each item, or right-click it and select Properties. Check the Configure the following audit events box so that the Success and Failure boxes become active, then check those two (2) boxes as well. This process must be done individually for each of the four (4) items listed above.

Please note: When Audit Handle Manipulation is enabled, events will be logged with event ID 4656.

After this process, you may see a very high volume of logs because Windows will write event ID 4656 excessively. For this reason, you can leave the Audit Handle Manipulation option Not Configured.

After completing your configuration, open Run, type gpupdate /force and click the OK button so that the policy becomes active.
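To confirm on a file server that the Object Access settings above actually took effect after the Group Policy refresh, the effective policy can be read back with auditpol. This is an added example, not part of the original article; it assumes an elevated PowerShell session and English auditpol output.

```powershell
# Added example: verify the effective Object Access audit policy on a file server.
# Assumptions: elevated session, English-language auditpol output.

# Subcategories from the article. $true = should be enabled.
# Handle Manipulation is marked optional because the article suggests leaving it
# Not Configured to limit event ID 4656 volume.
$expected = [ordered]@{
    'File System'         = $true
    'File Share'          = $true
    'Detailed File Share' = $true
    'Handle Manipulation' = $false
}

# /r prints the report as CSV; drop blank lines before parsing.
$rows = auditpol.exe /get /category:"Object Access" /r |
    Where-Object { $_.Trim() } |
    ConvertFrom-Csv

foreach ($name in $expected.Keys) {
    $row     = $rows | Where-Object { $_.Subcategory -eq $name }
    $setting = if ($row) { $row.'Inclusion Setting' } else { 'not reported' }

    # The article allows auditing Success only or Failure only, so any of the
    # three enabled states counts as configured.
    if ($setting -in 'Success and Failure', 'Success', 'Failure') {
        $status = 'enabled'
    } elseif ($expected[$name]) {
        $status = 'MISSING'
    } else {
        $status = 'not enabled (optional)'
    }

    [pscustomobject]@{
        Subcategory = $name
        Setting     = $setting
        Status      = $status
    }
}
```

A row with Status MISSING on a server that should be in scope usually means the GPO has not reached that machine, for example because it is outside the File Servers organizational unit or excluded by security filtering.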

The steps performed above apply to all File Servers. You can also apply these operations only to specific File Servers.

Go to Group Policy Management -> Forest: test.local -> Domains -> test.local -> File Servers -> File System Audit Policy. Click on the policy to see the policy page on the right. Select the Scope tab, right-click on the Authenticated Users group under the Security Filtering heading in the bottom window and remove it with the Remove button.


Select which computers or File Servers will be affected by the audit rule with the Add button. After clicking the Add button, you will see a small window titled Select User, Computer, or Group. Click the Object Types button, check the Computer box and uncheck the other boxes. Continue with the OK button. In the Enter the object name to select section, enter the name of the computer you want to add. Then click the OK button.

After this, configure which folders on the computer will be audited.

Browse to the folder, right-click it and select Properties. In the window that opens, go to the Security tab and click on the Advanced button in the window's lower right corner.

Click on the Auditing tab and, in the window that opens, click on the Edit button at the bottom. Then click on the Add button.

In the popup window, click on the Select a principal button and enter Everyone in the Enter the object name to select section. Then click the OK button.


The next step will be to activate audit on all Success and Failure events by selecting All from Type. In the Basic permissions section, you'll choose the audit procedures that are generally used.

Create files/write data

Create folders/append data

Delete subfolders and files

Delete

After marking the boxes next to the items, finish the process with the OK button.
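The same audit entry can be applied from PowerShell, which helps when several folders need identical settings. This is an added example, not part of the original article; the folder path is a placeholder and the inheritance scope ("This folder, subfolders and files") is an assumption, since the article does not state it.

```powershell
# Added example: apply the audit entry described above to one folder.
# Run in an elevated session; reading and writing audit entries requires the
# "Manage auditing and security log" user right.
$folder = 'D:\Shares\Example'   # placeholder path, replace with the audited folder

# Everyone, referenced by its well-known SID so the script does not depend on
# the operating system language.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

# The four permissions listed in the article:
#   Create files/write data, Create folders/append data,
#   Delete subfolders and files, Delete
$rights = [System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, DeleteSubdirectoriesAndFiles, Delete'

# Type "All" in the dialog corresponds to Success and Failure.
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# Assumption: the entry applies to this folder, subfolders and files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone, $rights, $inherit, $propagate, $flags)

# -Audit loads the existing audit entries so they are kept when writing back.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Read the entries back to confirm what is now in place.
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

The folder entry produces events only when the Audit File System policy from the earlier step is also in effect on that server.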

After this process, Logsign Unified SecOps Platform lets you analyze events according to the settings you made on the File Servers and the items you chose to audit.
