File and Folder Auditing on Windows Server 2003 and 2008

Auditing files and folders got much easier with Global Object Access auditing in Windows Server 2008 R2 and Windows 7. However, if your organization is still running Windows Server 2008, or earlier, for instance Windows Server 2003, setting up file and folder auditing will be a little more complicated. In this post, I’ll walk you through the steps required to configure earlier versions of Windows Server for file and folder auditing.

File and folder auditing isn’t enabled out-of-the-box in Windows Server, so the first step is to turn it on using local or Group Policy. If you have Active Directory (AD), a Group Policy Object (GPO) can be used to enable object access auditing. If you want to enable auditing on a single device, then the same setting can be enabled in local policy.

Enabling Auditing of All Devices in the Domain on Windows Server 2003 and 2008

In this example, I’ll add the auditing configuration to the Default Domain Policy, which will enable auditing on all devices in the domain, including the file servers where your files and folders are stored. In a production environment, you should create a new GPO, and apply it to an Organizational Unit (OU).

Before you start, make sure the Group Policy Management Console (GPMC) is installed on at least one server. For Windows Server 2003, GPMC is a separate download from Microsoft. Windows Server 2008 includes GPMC, but it’s not installed by default. Install it by opening a command prompt and running the following Server Manager command:

ServerManagerCmd -install gpmc

Once GPMC is installed, follow the instructions below:

  • Log in to a server as a domain administrator, and open the Group Policy Management Console (GPMC). Type gpmc.msc in the Run dialog, and click OK.
  • In Group Policy Management, expand your AD forest, Domains, and your domain.
  • Right click the Default Domain Policy GPO, and select Edit from the menu.
  • In the Group Policy Management Editor window, in the left pane under Computer Configuration, expand Policies > Windows Settings > Security Settings > Local Policies > Audit Policy, and click Audit Object Access.
  • In the Audit Object Access Properties dialog, check Success and Failure as required, and then click OK.
  • Close the Group Policy Management Console.

The next time Group Policy refreshes on devices in scope of the GPO, the auditing setting you configured in the policy above will be applied.

Setting Auditing of Files and Folders

Enabling the Audit Object Access setting isn’t enough to get auditing working. You also need to configure the System Access Control List (SACL) of each object that you want to audit. In this example, we’ll enable auditing of a folder.

  • Right click the folder that you want to enable auditing on, and select Properties from the context menu.
  • Switch to the Security tab in the Properties dialog.
  • Click Advanced on the Security tab.
  • Switch to the Auditing tab.
  • On the Auditing tab, type the name of the user or group whose access to the folder you want to audit into the Enter the object name to select box, and click OK.
  • Check Successful and Failed as required in the auditing entry dialog for the actions you’d like to audit, and when you’re finished, click OK.
  • Close all the open dialog boxes.
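The steps above can also be scripted, which is useful when the same SACL has to be applied to many folders or file servers. The following PowerShell is an added example, not code from the original post; the folder path and the group name are assumed values, and the set of rights audited mirrors the check boxes in the Auditing dialog (delete, write, change permissions, take ownership). Reading or writing a SACL requires the "Manage auditing and security log" user right, so run it from an elevated, administrative session.

```powershell
# Added example (not from the original post): scripted equivalent of the
# Auditing-tab steps. $Path and $Identity are assumed values; change them.
$Path     = 'D:\Shares\Finance'        # assumed folder to audit
$Identity = 'CONTOSO\Finance Users'    # assumed user or group to audit

# Rights to audit. These are the same actions the Auditing dialog lists as
# Delete, Delete subfolders and files, Create files / write data,
# Change permissions and Take ownership.
$rights = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles, WriteData, ChangePermissions, TakeOwnership'

# Apply to the folder, its subfolders and its files
# ("This folder, subfolders and files" in the dialog).
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None

# Audit both successful and failed access, matching the two check boxes.
$flags = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule($Identity, $rights, $inherit, $propagate, $flags)

# Get-Acl only returns the SACL when -Audit is specified. Without it, Set-Acl
# would write back a security descriptor with no audit entries.
$acl = Get-Acl -Path $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Verify: list the audit entries now present on the folder's SACL.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize
```

The final Get-Acl call is the check a practitioner wants before trusting the configuration: if the Audit list comes back empty, the SACL was not written (typically because the session lacked the security privilege), and no events will be generated however the GPO is set.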

Audit events will now start appearing in the Security log in Event Viewer, including:

Event ID (2003 and earlier)   Event ID (2008 and later)   Description
---------------------------   -------------------------   ---------------------------------------
560                           4656                        A handle to an object was requested
562                           4658                        The handle to an object was closed
564                           4660                        An object was deleted
567                           4663                        An attempt was made to access an object
n/a                           4685                        The state of a transaction has changed
n/a                           4985                        The state of a transaction has changed


In Windows Server 2008, event ID 4663 can indicate several different kinds of access, including ownership of a file being taken, a generic file read, and the ACL on a file being modified. Which one occurred is recorded in the event’s access mask rather than in the event ID itself.
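Because one event ID covers several kinds of access, a 4663 event only becomes useful once its AccessMask field is decoded. The PowerShell below is an added example, not code from the original post: it reads recent 4663 events from the Security log on Windows Server 2008 or later, parses the event XML so fields can be read by name, and translates the access mask bits (the standard file access rights from the Windows SDK) into readable names such as WriteDac for a permission change or WriteOwner for a take-ownership. The folder path used to filter results is an assumed value. Windows Server 2003 has neither Get-WinEvent nor event 4663; there the equivalent is Get-EventLog -LogName Security filtered on event ID 567.

```powershell
# Added example (not from the original post): list recent 4663 events and
# decode AccessMask so the kind of access is visible. Requires Windows
# Server 2008 or later. $Folder is an assumed value used only as a filter.
$Folder = 'D:\Shares\Finance'

# File access right bits from the Windows SDK (winnt.h), keyed by bit value.
$accessBits = @{
    0x00000001 = 'ReadData'
    0x00000002 = 'WriteData'
    0x00000004 = 'AppendData'
    0x00000080 = 'ReadAttributes'
    0x00000100 = 'WriteAttributes'
    0x00010000 = 'Delete'
    0x00020000 = 'ReadControl'      # read the owner/DACL
    0x00040000 = 'WriteDac'         # ACL on the file modified
    0x00080000 = 'WriteOwner'       # ownership of the file taken
}

function Convert-AccessMask {
    param([int]$Mask)
    $names = foreach ($bit in ($accessBits.Keys | Sort-Object)) {
        if ($Mask -band $bit) { $accessBits[$bit] }
    }
    if ($names) { $names -join ',' } else { '0x{0:X}' -f $Mask }
}

# Bounded query against the live Security log.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 500

$rows = foreach ($ev in $events) {
    # The XML form exposes each EventData field by name rather than by position.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # AccessMask arrives as a hex string such as 0x2; [int] understands the 0x prefix.
    New-Object PSObject -Property @{
        Time    = $ev.TimeCreated
        User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Object  = $data.ObjectName
        Access  = Convert-AccessMask ([int]$data.AccessMask)
        Process = $data.ProcessName
    }
}

# Keep only access to the audited folder and show the newest first.
$rows |
    Where-Object { $_.Object -like "$Folder*" } |
    Sort-Object Time -Descending |
    Format-Table Time, User, Access, Object, Process -AutoSize
```

A run of this against a folder audited as in the previous section shows, for example, a permission change on a file as Access = ReadControl,WriteDac and a take-ownership as WriteOwner, which is the distinction the plain event ID hides. If nothing is returned at all, confirm the policy actually applied to the file server with auditpol /get /subcategory:"File System" before suspecting the SACL.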