Detect object access on file servers
This section explains how to configure Windows auditing in order to detect access to a specific file.
Navigate to the required file share, right-click it and select Properties.
Switch to the Security tab and click the Advanced button. Then go to the Auditing tab and click the Add button.
Configure the following settings:
- Principal: “Everyone”.
- Type: “All”.
- Applies to: “This folder, subfolders and files”.
- Advanced Permissions: “List folder / read data”.
Click OK to apply settings.
Log on to your domain controller (DC) and run gpmc.msc.
Create a new GPO or select an existing one, then click Edit.
Go to Computer Policy > Computer Configuration > Windows Settings > Security Settings and enable the following settings:
Local Policies > Audit Policy > Audit object access > Define > Success and Failures.
Advanced Audit Policy Configuration > System Audit Policies > Object Access > Audit Handle Manipulation > Define > Success and Failures.
If it is a new policy, link the new GPO to an OU with file servers: go to Group Policy Management, right-click the OU, click Link an Existing GPO and select the GPO that you created.
Force a Group Policy update on the selected OU: go to Group Policy Management, right-click the OU and click Group Policy Update.
Alternatively you can force the update on the target server using the command:
To confirm that everything
Open Event Viewer and search the Security Windows Logs for event ID 4663.
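The same audit entry and the event ID 4663 check can be scripted on the file server. The following PowerShell is an added example, not part of the original page; the folder path `D:\Shares\Finance` and the one-hour search window are assumptions, and the `auditpol` category name assumes an English-language system.

```powershell
# Run in an elevated PowerShell session on the file server.
# $Path is an assumed example location; replace it with the audited folder.
$Path = 'D:\Shares\Finance'

# 1. Add the audit entry (SACL) that the GUI steps create:
#    Everyone / Success+Failure / this folder, subfolders and files /
#    "List folder / read data" (FileSystemRights ReadData).
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 2. Confirm the entry is present and the GPO audit settings have arrived.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
auditpol /get /category:"Object Access"

# 3. List event ID 4663 records from the last hour that refer to $Path.
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt = $_
        $data = @{}
        # Flatten the named EventData fields of the event into a hashtable.
        foreach ($field in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$field.Name] = $field.'#text'
        }
        $object = [string]$data['ObjectName']
        if ($object.StartsWith($Path, [System.StringComparison]::OrdinalIgnoreCase)) {
            [pscustomobject]@{
                Time       = $evt.TimeCreated
                User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object     = $object
                AccessMask = $data['AccessMask']
                Process    = $data['ProcessName']
            }
        }
    } | Format-Table -AutoSize
```

If step 3 returns nothing after a test read of a file in the folder, check the step 2 output first: an empty audit list or "No Auditing" for the object access subcategories means the SACL or the GPO has not been applied yet.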