Windows Server 2012 R2 – How to detect who Read a file on a File Server

It is good practice to set up auditing on important shared folders on your Windows Server 2012 R2 file server, especially on shares that are supposed to have limited access and where only a few users are approved to read the files. Let's face it, there will always be someone on your network who tries to access restricted folders or files for whatever reason. Continuous monitoring of who has viewed which files lets you keep access to sensitive information under close watch and therefore improves data security. Note that what is described here is NTFS object-access auditing: the events are written to the Security log of the file server itself, not to a domain controller.

Let's set up this audit policy on our Windows Server 2012 R2 server, starting with the SACL on the folder:

  • Navigate to the folder that backs the file share
  • Right-click it and select “Properties”
  • Select the Security tab > “Advanced” button > Auditing tab > click “Add”

Configure the following settings:

  • Principal: “Everyone”
  • Type: “All” (both Success and Fail)
  • Applies to: “This folder, subfolders and files”
  • Advanced Permissions: “List folder / read data” > click “OK” three times

The SACL alone does nothing until the file-system audit subcategory is enabled on the server, so in the next step we create a new GPO:

  • Run gpmc.msc > create a new GPO > edit it: go to Computer Configuration > Policies > Windows Settings > Security Settings:
  • Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit File System > Define > Success and Failure
  • Optionally: Advanced Audit Policy Configuration > Audit Policies > Object Access > Audit Handle Manipulation > Define > Success and Failure. This adds events 4656/4658 for every handle opened and closed, which multiplies the log volume; leave it off unless you need the handle-level detail.
  • The legacy setting Local Policies > Audit Policy > Audit object access covers the same ground, but once any Advanced Audit Policy subcategory is defined the legacy category settings are ignored, so pick one of the two rather than configuring both.

Still under Security Settings, size the Security log so that the extra volume does not push out the events you are trying to keep:

  • Go to Event Log > Define
  • Maximum security log size: 4194240 KB (4 GB)
  • Retention method for security log: Overwrite events as needed

Link the new GPO to the OU containing the file servers:

  • Go to “Group Policy Management” > right-click the target OU > choose “Link an Existing GPO…” > choose the GPO you have just created
  • Force the group policy update: right-click the target OU > click “Group Policy Update…” (or run gpupdate /force on the file server)
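The same configuration can be applied and verified from PowerShell on the file server. The block below is an added example, not part of the original post: it writes the audit entry the GUI steps above produce (Everyone, Success and Failure, this folder, subfolders and files, List folder / read data) and then checks the effective audit policy with auditpol. The folder path D:\Shares\Finance is a hypothetical stand-in for your share; run it from an elevated prompt, because reading or writing a SACL needs SeSecurityPrivilege.

```powershell
# Added example (not from the original post). Assumption: the sensitive share is backed by
# D:\Shares\Finance (hypothetical path). Run elevated on the file server.
$folder = 'D:\Shares\Finance'

# Audit rule equivalent to the GUI entry: Principal=Everyone (well-known SID S-1-1-0),
# Type=All (Success + Failure), applies to this folder, subfolders and files,
# advanced permission "List folder / read data" (ReadData and ListDirectory share the same bit).
$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $everyone,
    [System.Security.AccessControl.FileSystemRights]::ReadData,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)

# -Audit makes Get-Acl read the SACL as well as the DACL.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Confirm what is now on the folder.
(Get-Acl -Path $folder -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags, IsInherited

# The SACL only produces 4663 events if the "File System" subcategory is enabled.
# The GPO sets this; check the effective policy on the server after gpupdate.
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Handle Manipulation"

# For a lab machine without the GPO, the equivalent local setting is:
# auditpol /set /subcategory:"File System" /success:enable /failure:enable
```

Because the rule is added with AddAuditRule rather than by replacing the SACL, any audit entries inherited from a parent folder stay in place; the IsInherited column in the output shows which entries came from the parent and which one you just added.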

You have now set up auditing on the shared folder with sensitive files: whenever someone opens a file in it, or tries to and is denied, the access is written to the file server's Security log as event ID 4663 (“An attempt was made to access an object”) with Accesses: ReadData (or ListDirectory for the folder itself). Expect some noise: simply browsing the folder in Explorer reads file metadata and previews, which also produces 4663 events, and a single “open” in an application can produce several of them.

If you want to find out quickly whether such an event occurred in the last 24 hours on your sensitive folder, you can pull it from the log with PowerShell on the file server. Use Get-WinEvent with a filter hashtable, so that the event ID and the time window are applied by the event log service rather than after the fact; the common one-liner Get-EventLog -LogName Security -Newest 10 | Where-Object { $_.EventID -eq 4663 } only inspects the ten newest events of any kind, so on a busy server it usually returns nothing.

PS C:\> Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4663; StartTime=(Get-Date).AddHours(-24)} | Select-Object -First 10 TimeCreated, Message

This shows the ten most recent 4663 events of the last 24 hours. For the details, open the event in Event Viewer: the Subject section tells you which account accessed the file or folder, Object Name is the exact path the user opened, and Accesses shows whether it was a read or a directory listing.
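For a sensitive folder you usually want more than the newest ten events: a per-user, per-file summary of reads in the last 24 hours that ignores everything outside that folder. The block below is an added example, not part of the original post. It runs on the file server, reads the 4663 events from the last 24 hours, pulls the fields out of the event XML by name, keeps only accesses whose mask includes ReadData/ListDirectory (bit 0x1) under the folder, and summarises them. D:\Shares\Finance and the CSV output path are hypothetical.

```powershell
# Added example (not from the original post). Assumptions: run on the file server itself,
# the audited share is backed by D:\Shares\Finance (hypothetical), output CSV path is arbitrary.
$folder = 'D:\Shares\Finance'
$since  = (Get-Date).AddHours(-24)

# Server-side filter: ID and time window are evaluated by the log service, not in the pipeline.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $since
} -ErrorAction SilentlyContinue

$reads = foreach ($e in $events) {
    # 4663 fields (SubjectUserName, ObjectName, AccessMask, ProcessName, ...) live in
    # EventData; read them by name from the XML rather than by position in the Message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # AccessMask is a hex string such as "0x1". Bit 0x1 is ReadData for files and
    # ListDirectory for folders; skip events that are only writes, deletes or attribute changes.
    $mask = [Convert]::ToInt32($d['AccessMask'], 16)
    if (($mask -band 0x1) -eq 0) { continue }

    # Keep only objects under the audited folder (ObjectName is the full NTFS path).
    if (-not $d['ObjectName'].StartsWith($folder, [StringComparison]::OrdinalIgnoreCase)) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
        Object  = $d['ObjectName']
        Process = $d['ProcessName']
        Mask    = '0x{0:X}' -f $mask
    }
}

# Summary: who read which object, and how many 4663 events each pair produced.
$reads |
    Group-Object User, Object |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'User';   e = { $_.Group[0].User } },
        @{ n = 'Object'; e = { $_.Group[0].Object } } |
    Format-Table -AutoSize

# Keep the full per-event detail (time, process, mask) for the investigation.
$reads | Export-Csv -Path "$env:TEMP\finance-reads.csv" -NoTypeInformation
```

The Process column is worth keeping: a read by explorer.exe on the server console looks very different from the same path opened over SMB (the access then arrives via the System process), and a backup agent or indexer reading every file every night is what usually dominates the counts until you exclude its account.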
