File Auditing in Windows

I believe there is no other way to check on a Windows system (for instance Win 7) who has copied or accessed a file or folder except for enabling File Auditing in the Local Security Policy.

Now that I have enabled the policy (Security Settings > Audit Policy > Audit Object Access (Success, Failure)), my question is: how do I know now if someone has copied/viewed/modified the file/folder?

Ashfaq Ahmad Shinwary

Posted 2012-12-20T05:52:45.147

Answers

Since you already have the Local Policy Audit set to your preferences, what you need to do is look for Security Events at:

Control Panel> Administrative Tools> Event Viewer> Windows Logs> Security

Then look for the said events. The list of all such plausible Security Events is at technet.microsoft.com - Audit Policy Settings Under Local Policies\Audit Policy

For events specific to directory access, please see technet.microsoft.com - Audit directory service access

Hashfyre

Posted 2012-12-20T05:52:45.147

Reputation: 161

From what I understand of the event IDs (and I also tried it), event logs will only be generated for the objects (files) on which I Right click > Properties > Security > Advanced > Auditing and then add a specific user whom I can audit.

What I want is for all the files in a folder; I am able to carry out auditing for any user of my domain, as it's not possible for me to add users to it manually. Will that be possible? – None – 2012-12-20T07:41:47.910
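Putting the accepted approach and the follow-up comment together as an added example (this is not code from any poster on this page): the SACL can be set once on the folder with an audit entry for the well-known "Everyone" principal and inheritance enabled, so every existing and future file under it is audited for any domain user without adding users one by one. The second half reads back the resulting Security events. It assumes "Audit object access" (Success, Failure) is already enabled as in the question, that the script runs elevated (writing a SACL needs the "Manage auditing and security log" privilege), and the path C:\Shares\Finance is hypothetical.

```powershell
# Added example, not from the original thread.
# 1) Audit every file under one folder for any user, via an inherited SACL entry.
$Path = 'C:\Shares\Finance'   # hypothetical folder to audit

$acl       = Get-Acl -Path $Path -Audit   # -Audit fetches the SACL, not just the DACL
$rights    = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'  # subfolders and files
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# "Everyone" covers every domain and local account, so no per-user entries are needed.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $propagate, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# 2) Read the object-access events back out of the Security log.
# 4663 = "An attempt was made to access an object" (Vista/7 and later; the XP-era IDs are 560/567).
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) }

$events |
    Where-Object { $_.Message -like "*$Path*" } |
    ForEach-Object {
        # Pull the named fields out of the event XML instead of parsing the message text.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object  = $d['ObjectName']
            Access  = $d['AccessMask']   # 0x1 ReadData, 0x2 WriteData, 0x10000 Delete, etc.
            Process = $d['ProcessName']  # which program opened the file
        }
    } | Format-Table -AutoSize
```

Two caveats a practitioner should expect. First, the log records access, not intent: a copy shows up as a ReadData (0x1) access by the copying process, indistinguishable from the file simply being opened, which is the limitation the third answer alludes to. Second, with "Everyone" and ReadData audited on a busy share the Security log fills quickly, so raise its maximum size or forward the events before relying on this for anything more than a short investigation.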

Dealing with file auditing data can be a mess, especially when it's for PCI or some other server-wide need. There are several products on the market that can help, but most of them rely on the event log.

Our company has one that can do it without the event log; it's called FileSure and you can find it here: http://www.bystorm.com

To be fair, our best competitor is File System Auditor from Quest and they don't use the event log either.

File copying and/or data theft is more difficult to detect since while your data is on the server, the copying is most likely happening on a workstation. I know FileSure can help with that too...I don't know if our competitors can.

Iunknown

Posted 2012-12-20T05:52:45.147

Reputation: 139