16

I need a way to monitor user file access on windows. What I need is:

  • monitoring of user opening, modifying (don't need to know what the changes were, just that a file was modified), copying, pasting and renaming files
  • file access monitoring on shared drives that user has access to
  • file access monitoring on local drives is a plus
  • needs to run in background (needs to be out of reach of a non-privileged user)
  • some kind of reporting is a plus
  • if no reporting capability is provided it needs to have log exporting capability and logs need to be "parseable" (and not in some "wild" format that has no logic/structure)
  • including/excluding folders that need to be monitored is a plus

Is there such a tool for windows?

I found Process Monitor, but I could not find a way to run it in background and I would have to create a program to create some kind of report out of procmon logs.

Any other tools I should check out?

tkit
  • 3,272
  • 5
  • 28
  • 36
  • Why are you monitoring the files? – this.josh Aug 30 '11 at 23:11
  • 2
    Because my boss / upstream superiors say so. I don't mean to be rude with my answer, it's just for something at work. It's legal and part of the policy, nothing shady if that's the reason why you're asking (and/or for someone voting to close the question). – tkit Aug 31 '11 at 06:53
  • 1
    I was trying to determine if you were attempting to maintain the integrity of files on the system, detect users attempting to subvert access control, detect users accessing files they shouldn't be (maintain confidentiality), or preserve the configuration of the system. It's odd to want to monitor shared drive access on the client machine instead of the serving machine. It's odd that you want to monitor file access instead of making the files inaccessible. I had assumed you had a legal or contractual right to do so as contributors here are not amicable to illegal or immoral activity. – this.josh Aug 31 '11 at 06:54
  • It's hard to make files inaccessible if a lot of people use shared drives and if some of them sometimes leave files where they shouldn't (by mistake or for whatever other reason, more people - more space, more mistakes), so other people can access them even if they're not supposed to. Making them inaccessible would be a perfect scenario, I agree. Then I would probably not be asking my question hehe. And also, monitoring of shared drives could be done on serving machines, that would be fine of course. – tkit Aug 31 '11 at 07:03
  • And I find that often when I see "why do you need that?" in security-related questions, it's usually to determine if you're trying to do something malicious, so that was my initial thought. – tkit Aug 31 '11 at 07:09
  • The user environment would have been good detail to add to your question. I read it and saw no stated purpose for monitoring. Except for the fact that you asked on IT Security, it could have been an attempt to tune file serving performance based on what files users modify. Without understanding what your goal is, it is hard to provide a good answer. – this.josh Aug 31 '11 at 07:24
  • procmon runs pretty well in background: http://blogs.msdn.com/b/yash/archive/2009/03/23/using-procmon-in-command-line.aspx – akira Feb 01 '14 at 13:17

3 Answers

12

The built-in Windows auditing can do this if you're running a domain, or at least Windows 2003/Vista, and are willing to set it up in Group Policy. Enable object access auditing and then set up the files and folders you want to audit. There are a large number of tools that can then read and sort/filter the Windows logs ... I'm a fan of GFI EventsManager, but there are a lot of options.

A basic blog on how to set it up is here: How to monitor file and folder access on a windows file server

iivel
  • 1,583
  • 10
  • 13
  • The link is unfortunately down, at least at the moment. (500 Internal Server Error) – akauppi Jun 30 '14 at 08:20
  • Akauppi - thanks; I've changed the link to reference a Wayback Machine archived copy so that shouldn't happen again. – iivel Jul 14 '14 at 21:47
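The two halves of the setup that the answer above describes (turning on object access auditing, then putting an audit entry on the folders you care about) plus the "parseable log" part of the question can be done from PowerShell on a single file server. The following is an added example, not code from the answer or from any linked article; `$WatchPath` and `$OutCsv` are assumed values, and it must run from an elevated prompt because writing a SACL needs the SeSecurityPrivilege.

```powershell
# Added example: local equivalent of the Group Policy "Object Access" audit setup,
# a SACL on one shared folder, and a CSV export of the resulting Security-log events.
# Run from an elevated PowerShell prompt. Paths below are assumptions; adjust them.
$WatchPath = 'D:\Shares\Finance'                 # assumption: folder to audit
$OutCsv    = 'C:\AuditReports\file-access.csv'   # assumption: where the report goes

# 1. Enable the "File System" subcategory of Object Access auditing.
#    In a domain this is the same setting under Advanced Audit Policy Configuration
#    in Group Policy; auditpol sets it on the local machine only.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so the folder (and everything beneath it) actually generates
#    events. Enabling the policy alone produces nothing for objects without an
#    audit rule. "Everyone" covers all users of the share; narrow it if you only
#    care about particular groups.
$acl  = Get-Acl -Path $WatchPath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $WatchPath -AclObject $acl

# 3. Read the events back and flatten them into one row per access so the output
#    is structured rather than free text.
#    4663 = an attempt was made to access an object (open/read/write/delete),
#    4660 = an object was deleted.
#    A rename shows up as 4663 with DELETE access on the old name; a copy shows up
#    as a read of the source followed by a write of the destination.
function Get-FileAccessReport {
    param(
        [string]$Path,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4663, 4660; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The interesting fields live in the EventData section of the event XML.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.ObjectName -like "$Path*") {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                EventId    = $_.Id
                User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object     = $d.ObjectName
                AccessMask = $d.AccessMask
                Process    = $d.ProcessName
            }
        }
    }
}

New-Item -ItemType Directory -Force -Path (Split-Path $OutCsv) | Out-Null
Get-FileAccessReport -Path $WatchPath | Export-Csv -Path $OutCsv -NoTypeInformation
```

Two things to check before relying on this: the Security log fills quickly once read access is audited on a busy share, so size the log (or forward events to a collector) before enabling the rule, and the `AccessMask` column is a hex bitmask, so a report that wants "read" versus "write" versus "delete" needs one more step to decode it.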
2

Although this is kinda a "reverse solution" from what I initially needed because it gets installed on the server rather than on the workstation, I will mention it anyway. The tool is called CPTRAX and it might be good enough for someone.

The only downside at the moment is that you can not monitor certain users only, but you have to monitor everyone accessing the shared drives, and if you need info on certain users only, you do that in the "generating report" phase. So if you have a lot of users accessing shared drives, leaving them "open" for longer periods, this might have a noticeable impact on your server (CPU and HDD wise).

tkit
  • 3,272
  • 5
  • 28
  • 36
1

Our product FileAudit (from ISDecisions) should be able to help you. It monitors and records all access and access attempts, ownership changes and permission modifications to all files and folders across one or several Windows systems - in real time. It's a simple agentless deployment that can be installed in minutes. It ensures security with access reports and automatic email alerts to predetermined access events and centralizes and archives all events. Free Trial and full support at http://www.fileaudit.com Hope this helps.

chris
  • 11
  • 2