  1. #1

    File Access Monitoring

    Hi,
    Does anyone know of a program (paid if necessary) to monitor which files are accessed by which people at what time?
    Thanks

  2. #2

    Hi

    If you're using Windows, you can do this for free. Below is a high-level overview for XP, but it can work on servers and other editions.

    How to audit user access of files, folders, and printers in Windows XP

    Sukh

  3. Thanks to sukh from:

    dhicks (18th March 2011)

  4. #3
    zag
    I always wondered this as well.

    Is there an easy way to do this on a file server share?

  5. #4

    Hi

    Yes you can; look at the MSFT TechNet site.

    Sukh

  6. #5

    dhicks
    Quote Originally Posted by zag View Post
    Is there an easy way to do this on a file server share?
    Do any NAS appliances offer you file usage auditing/statistics as part of their web interface or anything?

  7. #6



  8. #7


    To elaborate on my previous post a little, the link which Sukh posted describes the "old" way of creating audit policies. If you have a 2008 R2 server, the policies located under 'Advanced Audit Policy Configuration' provide much more control over what gets audited, thereby cutting down on the number of events you have to sift through. Being able to find out why someone was granted or denied access is also made significantly easier thanks to a policy called "Audit Handle Manipulation" (see the second and third quotes below).

    More details here:
    http://go.microsoft.com/fwlink/?LinkId=140969
    http://technet.microsoft.com/en-us/l...40(WS.10).aspx

    The nine basic audit policies under "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy" allow you to configure security audit policy settings for broad sets of behaviors, some of which generate many more audit events than others. An administrator has to review all events that are generated, whether they are of interest or not.

    In Windows Server 2008 R2 and Windows 7, administrators can audit more specific aspects of client behavior on the computer or network, thus making it easier to identify the behaviors that are of greatest interest. For example, in "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy", there is only one policy setting for logon events, Audit logon events. In "Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies", you can instead choose from eight different policy settings in the "Logon/Logoff" category. This provides you with more detailed control of what aspects of logon and logoff you can track.

    In Windows 7 and Windows Server 2008 R2, the reason why someone has been granted or denied access is added to the open handle event. This makes it possible for administrators to understand why someone was able to open a file, folder, or file share for a specific access. To enable this functionality, the handle manipulation audit policy also needs to be enabled so that success events record access attempts that were allowed and failure events record access attempts that were denied.

    One of the most common auditing needs is to track access to a particular file or folder. For example, you might need to identify an activity such as a user writing to a file that he or she should not have had access to. By enabling "reason for access" auditing, not only will you be able to track this type of activity, but you will also be able to identify the exact access control entry that allowed the undesired access, which can significantly simplify the task of modifying access control settings to prevent similar undesired object access in the future.

    A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry without having to configure and propagate conventional SACLs. Configuring and propagating SACLs is a more complex administrative task and is difficult to verify, particularly if you need to verify to an auditor that security policy is being enforced. By using a global object access audit policy, you can enforce a security policy such as "Log all administrative Write activity on servers containing Finance information" and verify that critical assets are being protected.

    Listed below are all of the policies under Advanced Audit Policy Configuration.

    Code:
    Account Logon
    • Audit Credential Validation
    • Audit Kerberos Authentication Service
    • Audit Kerberos Service Ticket Operations
    • Audit Other Account Logon Events
    Account Management
    • Audit Application Group Management
    • Audit Computer Management
    • Audit Distribution Group Management
    • Audit Other Account Management Events
    • Audit Security Group Management
    • Audit User Account Management
    Detailed Tracking
    • Audit DPAPI Activity
    • Audit Process Creation
    • Audit Process Termination
    • Audit RPC Events
    DS Access
    • Audit Detailed Directory Service Replication
    • Audit Directory Service Access
    • Audit Directory Service Changes
    • Audit Directory Service Replication
    Logon/Logoff
    • Audit Account Lockout
    • Audit IPSec Extended Mode
    • Audit IPSec Main Mode
    • Audit IPSec Quick Mode
    • Audit Logoff
    • Audit Logon
    • Audit Network Policy Server
    • Audit Other Logon/Logoff Events
    • Audit Special Logon
    Object Access
    • Audit Application Generated
    • Audit Certification Services
    • Audit Detailed File Share
    • Audit File Share
    • Audit File System
    • Audit Filtering Platform Connection
    • Audit Filtering Platform Packet Drop
    • Audit Handle Manipulation
    • Audit Kernel Object
    • Audit Other Object Access Events
    • Audit Registry
    • Audit SAM
    Policy Change
    • Audit Audit Policy Change
    • Audit Authentication Policy Change
    • Audit Authorization Policy Change
    • Audit Filtering Platform Policy Change
    • Audit MPSSVC Rule-Level Policy Change
    • Audit Other Policy Change Events
    Privilege Use
    • Audit Non-Sensitive Privilege Use
    • Audit Sensitive Privilege Use
    • Audit Other Privilege Use Events
    System
    • Audit IPsec Driver
    • Audit Other System Events
    • Audit Security State Change
    • Audit Security System Extension
    • Audit System Integrity
    Global Object Access Auditing
    • File System (Global Object Access Auditing)
    • Registry (Global Object Access Auditing)
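
Added example, not part of the original posts: one way to apply the Advanced Audit Policy approach described in post #7 to the original question (who accessed which file, and when), typed into an elevated PowerShell prompt on the file server. The folder `D:\Shares\Finance` and the 24-hour reporting window are assumptions; the subcategory names are the English ones from the list above.

```powershell
# Added example. $folder is a hypothetical path; run elevated on the file server.
$folder = 'D:\Shares\Finance'

# 1. Enable only the Object Access subcategories needed, rather than the
#    broad "Audit object access" basic policy. Handle Manipulation is what
#    makes the "reason for access" data appear in handle events.
auditpol /set /subcategory:"File System"         /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable
auditpol /get /category:"Object Access"          # verify the effective policy

# 2. Add an audit entry (SACL) to the folder: log read, write and delete
#    attempts by anyone, inherited by subfolders and files.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone', $rights, $inherit,
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl = Get-Acl -Path $folder -Audit      # -Audit loads the SACL as well as the DACL
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Report who touched what, and when, from the last 24 hours of the
#    Security log. Event 4663 = "An attempt was made to access an object".
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt  = $_
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ObjectName'] -like "$folder\*") {
        New-Object PSObject -Property @{
            Time       = $evt.TimeCreated
            User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            File       = $data['ObjectName']
            AccessMask = $data['AccessMask']   # 0x1 read, 0x2 write, 0x4 append, 0x10000 delete
            Process    = $data['ProcessName']
        }
    }
} | Sort-Object Time | Format-Table Time, User, File, AccessMask, Process -AutoSize
```

Denied attempts are recorded as failure audits of event 4656 (a handle to an object was requested) rather than 4663, so include that ID in the filter when refused access matters. Scope the audit entry to the folders and rights you actually need, since auditing reads by everyone on a busy share fills the Security log quickly.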

  9. #8

    Hi

    Thanks for the additional information for this post Arthur. It's kind of hard answering a post without any specific details. Therefore I just gave an indication that it is possible to achieve and used XP as an example.

    This leads to a request which I feel would benefit the technical forums, which is to maybe have a template/set of questions to be answered to provide details of the issue/scenario before posting.

    Sukh

  10. #9

    Yes, we use netwrix file server change reporter. The product generates reports on changes and access to file servers, including changes and access attempts to files, folders, shares, and permissions. We’ve been using it for years and it’s a very good tool.

  11. #10
    apeo
    Above post = me thinks.

  12. #11

    My organization uses a tool called NetWrix File Server Change Reporter, which audits and reports file server changes and access events. It sends reports on changes and access attempts to files, folders, shares and permissions. My last company used a product called Tripwire File Integrity Manager, which has similar capabilities. Both tools are very good.

  13. #12

    dhicks
    Quote Originally Posted by Churritos View Post
    It sends reports on changes and access attempts to files, folders, shares and permissions.
    I'm currently writing a similar tool, but for workflow purposes rather than security - when a file is added to a folder or changed, I want to be able to kick off a process that does something with that file. This is for handling things like auto-thumbnailing of images as they appear on our system, auto-converting video files, etc. My approach so far has simply been to write a simple indexer that periodically traverses the directory tree and compares the files it finds with the previous set of files it found. I did look at creating a FUSE-based file system that would run given triggers when a file was updated, but that would require files to be stored on a particular server as opposed to across whatever shares are already in place, and all the FUSE file systems I've seen have had terrible performance in a production environment. Do these products do something different to get better performance, or is their approach pretty much the same?

  14. #13
    zag
    Quote Originally Posted by dhicks View Post
    I'm currently writing a similar tool, but for workflow purposes rather than security - when a file is added to a folder or changed, I want to be able to kick off a process that does something with that file. This is for handling things like auto-thumbnailing of images as they appear on our system, auto-converting video files, etc. My approach so far has simply been to write a simple indexer that periodically traverses the directory tree and compares the files it finds with the previous set of files it found. I did look at creating a FUSE-based file system that would run given triggers when a file was updated, but that would require files to be stored on a particular server as opposed to across whatever shares are already in place, and all the FUSE file systems I've seen have had terrible performance in a production environment. Do these products do something different to get better performance, or is their approach pretty much the same?
    I was gonna ask what the performance was like on something like that. Doing checksums on files is a fine art to get speedy.

  15. #14

    dhicks
    Quote Originally Posted by zag View Post
    I was gonna ask what the performance was like on something like that. Doing checksums on files is a fine art to get speedy.
    Performance is why I wanted to use a proper "file-has-been-updated" event from the file system, but there doesn't seem to be a file system that actually does that. It's not at the stage yet where I can really test performance, it's still very much a work in progress.
