Hi,
Does anyone know of a program (paid if necessary) to monitor which files are accessed by which people at what time?
Thanks
Hi
If you're using Windows, you can do this for free. Below is a high-level overview for XP but can work on servers and other editions.
How to audit user access of files, folders, and printers in Windows XP
Sukh
dhicks (18th March 2011)
I always wondered this as well.
Is there an easy way to do this on a file server share?
Hi
Yes you can, look at the MSFT technet site.
Sukh


To elaborate on my previous post a little, the link which Sukh posted describes the "old" way of creating audit policies. If you have a 2008 R2 server, the policies located under 'Advanced Audit Policy Configuration' provide much more control over what gets audited, thereby cutting down on the number of events you have to sift through. Being able to find out why someone was granted or denied access is also made significantly easier thanks to a policy called "Audit Handle Manipulation" (see the second and third quotes below).
More details here:
http://go.microsoft.com/fwlink/?LinkId=140969
http://technet.microsoft.com/en-us/l...40(WS.10).aspx
The nine basic audit policies under "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy" allow you to configure security audit policy settings for broad sets of behaviors, some of which generate many more audit events than others. An administrator has to review all events that are generated, whether they are of interest or not.
In Windows Server 2008 R2 and Windows 7, administrators can audit more specific aspects of client behavior on the computer or network, thus making it easier to identify the behaviors that are of greatest interest. For example, in "Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Audit Policy", there is only one policy setting for logon events, Audit logon events. In "Computer Configuration\Policies\Windows Settings\Security Settings\Advanced Audit Policy Configuration\System Audit Policies", you can instead choose from eight different policy settings in the "Logon/Logoff" category. This provides you with more detailed control of what aspects of logon and logoff you can track.
In Windows 7 and Windows Server 2008 R2, the reason why someone has been granted or denied access is added to the open handle event. This makes it possible for administrators to understand why someone was able to open a file, folder, or file share for a specific access. To enable this functionality, the handle manipulation audit policy also needs to be enabled so that success events record access attempts that were allowed and failure events record access attempts that were denied.
One of the most common auditing needs is to track access to a particular file or folder. For example, you might need to identify an activity such as a user writing to a file that he or she should not have had access to. By enabling "reason for access" auditing, not only will you be able to track this type of activity, but you will also be able to identify the exact access control entry that allowed the undesired access, which can significantly simplify the task of modifying access control settings to prevent similar undesired object access in the future.
Listed below are all of the policies under Advanced Audit Policy Configuration.
A global object access audit policy can be used to enforce object access audit policy for a computer, file share, or registry without having to configure and propagate conventional SACLs. Configuring and propagating SACLs is a more complex administrative task and is difficult to verify, particularly if you need to verify to an auditor that security policy is being enforced. By using a global object access audit policy, you can enforce a security policy such as "Log all administrative Write activity on servers containing Finance information" and verify that critical assets are being protected.
Code:
Account Logon
- Audit Credential Validation
- Audit Kerberos Authentication Service
- Audit Kerberos Service Ticket Operations
- Audit Other Account Logon Events
Account Management
- Audit Application Group Management
- Audit Computer Management
- Audit Distribution Group Management
- Audit Other Account Management Events
- Audit Security Group Management
- Audit User Account Management
Detailed Tracking
- Audit DPAPI Activity
- Audit Process Creation
- Audit Process Termination
- Audit RPC Events
DS Access
- Audit Detailed Directory Service Replication
- Audit Directory Service Access
- Audit Directory Service Changes
- Audit Directory Service Replication
Logon/Logoff
- Audit Account Lockout
- Audit IPSec Extended Mode
- Audit IPSec Main Mode
- Audit IPSec Quick Mode
- Audit Logoff
- Audit Logon
- Audit Network Policy Server
- Audit Other Logon/Logoff Events
- Audit Special Logon
Object Access
- Audit Application Generated
- Audit Certification Services
- Audit Detailed File Share
- Audit File Share
- Audit File System
- Audit Filtering Platform Connection
- Audit Filtering Platform Packet Drop
- Audit Handle Manipulation
- Audit Kernel Object
- Audit Other Object Access Events
- Audit Registry
- Audit SAM
Policy Change
- Audit Audit Policy Change
- Audit Authentication Policy Change
- Audit Authorization Policy Change
- Audit Filtering Platform Policy Change
- Audit MPSSVC Rule-Level Policy Change
- Audit Other Policy Change Events
Privilege Use
- Audit Non-Sensitive Privilege Use
- Audit Sensitive Privilege Use
- Audit Other Privilege Use Events
System
- Audit IPsec Driver
- Audit Other System Events
- Audit Security State Change
- Audit Security System Extension
- Audit System Integrity
Global Object Access Auditing
- File System (Global Object Access Auditing)
- Registry (Global Object Access Auditing)
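The approach described in the post above, put together as an added PowerShell example (not from the original posts or from Microsoft's documentation): it enables the "Audit File System" and "Audit Handle Manipulation" subcategories, puts an audit entry on one folder, and lists who accessed which file and when from Security events 4656 and 4663. The folder path `D:\Shares\Finance`, the `Everyone` audit entry with its chosen rights, and the function name `Get-FileAccessReport` are assumptions made for illustration.

```powershell
# Added example; run elevated on the file server. Assumes PowerShell 3.0 or later.
# $Folder is a hypothetical path: substitute the local path behind your share.
$Folder = 'D:\Shares\Finance'

# 1. Enable the two Object Access subcategories named in the post above.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Handle Manipulation" /success:enable /failure:enable

# 2. Add an audit entry (SACL) to the folder; only objects carrying one
#    generate File System events. 'Everyone' and the rights are assumptions.
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    'Everyone', 'ReadData, WriteData, AppendData, Delete',
    'ContainerInherit, ObjectInherit', 'None', 'Success, Failure')
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Who touched what, and when. 4656 = handle requested (carries the
#    "reason for access" on 2008 R2 / Windows 7), 4663 = access performed.
function Get-FileAccessReport {
    param(
        [Parameter(Mandatory = $true)][string]$PathPrefix,
        [datetime]$Since = (Get-Date).AddDays(-1)
    )
    $filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $evt = $_
            # Flatten <EventData><Data Name="..."> into a lookup table.
            $data = @{}
            foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
                $data[$d.Name] = $d.'#text'
            }
            if ($data['ObjectName'] -like "$PathPrefix*") {
                [pscustomobject]@{
                    Time    = $evt.TimeCreated
                    EventId = $evt.Id
                    Result  = $evt.KeywordsDisplayNames -join ','
                    User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    File    = $data['ObjectName']
                    Access  = $data['AccessMask']
                    Reason  = $data['AccessReason']   # empty on 4663
                    Process = $data['ProcessName']
                }
            }
        }
}

Get-FileAccessReport -PathPrefix $Folder | Sort-Object Time | Format-Table -AutoSize
```

Auditing ReadData for Everyone produces a large number of events on a busy share; narrowing the rights or the identity in the audit entry keeps the Security log manageable.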
Hi
Thanks for the additional information for this post Arthur. It's kind of hard answering a post without any specific details. Therefore I just gave an indication that it is possible to achieve and used XP as an example.
This leads to a request which I feel would benefit the technical forums, which is to maybe have a template/set of questions to be answered to provide details of the issue/scenario before posting.
Sukh
Yes, we use netwrix file server change reporter. The product generates reports on changes and access to file servers, including changes and access attempts to files, folders, shares, and permissions. We’ve been using it for years and it’s a very good tool.
Above post =me thinks.
My organization uses a tool called NetWrix File Server Change Reporter, which audits and reports file server changes and access events. It sends reports on changes and access attempts to files, folders, shares and permissions. My last company used a product called Tripwire File Integrity Manager, which has similar capabilities. Both tools are very good.

I'm currently writing a similar tool, but for workflow purposes rather than security - when a file is added to a folder or changed, I want to be able to kick off a process that does something with that file. This is for handling things like auto-thumbnailing of images as they appear on our system, auto-converting video files, etc. My approach so far has simply been to write a simple indexer that periodically traverses the directory tree and compares the files it finds with the previous set of files it found. I did look at creating a FUSE-based file system that would run given triggers when a file was updated, but that would require files to be stored on a particular server as opposed to across whatever shares are already in place, and all the FUSE file systems I've seen have had terrible performance in a production environment. Do these products do something different to get better performance, or is their approach pretty much the same?