SOLVED: How To Enable File Auditing

Published by Ian Matthews on

A month ago we had a client that had a successful attack on their infrastructure and to protect themselves one of more than 100 changes included auditing a few folders. Specifically they wanted to have a listing stored somewhere every time someone accessed a particular folder.

To enable folder auditing on Windows Server or Client (i.e. Windows 11), follow these steps:

Click to Expand Screenshot

how to enable file auditing - gpo and security audit
  1. Enable the Audit Policy:
    • Open the Group Policy Management Console (GPMC) or Local Group Policy Editor (gpedit.msc).
    • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access.
    • Enable the Audit File System policy. You can choose to audit Success, Failure, or both2.
  2. Configure Auditing on the Folder:
    • Right-click the folder you want to audit and select Properties.
    • Go to the Security tab and click Advanced.
    • In the Advanced Security Settings window, go to the Auditing tab.
    • Click Add, then select the Principal (user or group) you want to audit.
    • Choose the Type of access to audit (Success, Failure, or both).
    • Specify the Applies to setting (this folder, subfolders, and files).
    • Select the Permissions you want to audit (e.g., Read, Write, Delete)2.
  3. View Audit Logs:
    • Open the Event Viewer.
    • Navigate to Windows Logs > Security to view the audit events. Look for events with ID 4663 for file access

Click to Expand Screenshot

how to enable find file audits in event viewer

While not absolutely required, it’s a very good idea to expand the size of your windows security event log because auditing creates a lot of entries and you will find it fills up and starts deleting the oldest entries fairly quickly.

You can see in the screen shot above we did that by simply right clicking on the security log, selecting properties and we tripled our size to 60MB, which is still quite small. As such we notified the client that if they are concerned something has been accessed that they are worried about they should notify us quickly, so we could get the information before it gets deleted.

Categories: Windows 11 & Windows 10Windows Server

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

disk manager safe to delete the recovery partition

SOLVED: Is It Safe To Delete The Recovery Partition?

We had a client with an odd partition configuration. As you can see in the screen shot to the right, the recovery partition appears after C: drive volume with data on it. The question is, Read more…

Set The Time Service On A Windows Domain

SOLVED: How To Correctly Set The Time Service On A Windows Domain

Time synchronization especially between Domain Controllers often comes into question with our smaller clients, who do not have it setup correctly. The simplified version of the configuration is that the domain controller which holds the Read more…

action pack vs partner pack

SOLVED: Partner Launch Benefits vs Microsoft Action Pack

If you are a Microsoft partner you will probably have become aware that in January the Microsoft Action Pack that has been around for the better part of two decades is going away. There are Read more…