It is sometimes necessary and prudent to be warned when a user accesses a shared resource.
This example describes the procedure to follow in order to audit, on a workstation or on a centralized resource (e.g. a file server), all user access (read, copy, selection) to a specific file or directory.
An email containing the observation and reaction report is then sent to warn the administrator.
This topic can also be used as a starting point for auditing other types of objects (registry keys, printers...), for successful or failed attempts, and for a group of users, a list of users, or computers. The approach is then relatively similar.
Requirements before creating the alert with IDEAL Alerter:
- The file system of the disk hosting the resource must be NTFS.
- Simple file sharing must be disabled: in Windows Explorer / Tools / Folder options / View tab, UNCHECK "Use simple file sharing (Recommended)".
- Enable auditing in the local security policy: Administrative Tools / Local Security Policy (or the secpol.msc command). In the Local Policies menu, Audit Policy, select Audit object access, then choose to audit successful attempts.
- Set the objects to be audited: to add an audit on the desired file / directory, right-click / Properties on the file, Security tab, then Advanced. In the Auditing tab, select the type of objects (Users, Groups, Computers...), then add the objects you want to audit.
Check "List folder / read data".
If the audited object is a directory, it is also possible to apply the observation to sub-objects (files / folders). Then apply the auditing.
With IDEAL Alerter:
- Create a new alert, named for example "Auditing shared folders access".
- Add the following event to be monitored:
When a user accesses a file / directory, the event logs generate many entries for the same action. Nevertheless, it is possible to filter the events by their identifier, to keep only accesses to the audited objects.
Identifier 560: Object access (for Windows Server 2003, XP and earlier).
Identifier 4656: Object access (for Vista, Windows Server 2008, Windows 7).
The description "MySharedFolder;READ_CONTROL" identifies here the name of the monitored directory (MySharedFolder) and the access mask requested on this folder (READ_CONTROL).
The state after detection, "Continue the observation", allows the monitoring of the security logs to continue indefinitely.
- Add the following action to be performed:
Fill in the settings required to send the email.
If the SMTP server requires authentication, check "Use authentication", then enter the authentication information.
The communication with the SMTP server can be tested by clicking on the "Test" button.
- Select the target computers on which the alert must be applied.
- Confirm the alert creation by clicking on the "OK" button.
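As an added example (not IDEAL Alerter's own code), the same setup and filter expressed in PowerShell for a Vista / 2008 / 7 machine: it enables the File System audit subcategory, puts the "List folder / read data" and READ_CONTROL success audit on the folder, then keeps only the 4656 events that name the folder and request READ_CONTROL before mailing the report. The folder path, SMTP host and mailbox addresses are assumed values; run it in an elevated session.

```powershell
# Added example, not part of IDEAL Alerter. Assumed values below.
$Folder    = 'C:\Shares\MySharedFolder'   # audited directory (assumed path)
$SmtpHost  = 'smtp.example.com'           # assumed SMTP relay
$Recipient = 'admin@example.com'          # assumed administrator mailbox

# 1. "Audit object access" for successful attempts (File System subcategory).
auditpol /set /subcategory:"File System" /success:enable | Out-Null

# 2. SACL entry on the folder: audit successful "List folder / read data" (ReadData)
#    and "Read permissions" (ReadPermissions = READ_CONTROL) for Everyone,
#    inherited by sub-folders and files, as in the Advanced / Auditing dialog.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'ReadData, ReadPermissions',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)
$acl = Get-Acl -Path $Folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Same filter as the "MySharedFolder;READ_CONTROL" description: event 4656,
#    ObjectName under the folder, READ_CONTROL bit (0x20000) set in the access mask.
$since = (Get-Date).AddMinutes(-10)
$hits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656; StartTime = $since } `
            -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
        if ($d.ObjectName -like "$Folder*" -and ([int]$d.AccessMask -band 0x20000)) {
            '{0}  {1}\{2}  {3}  mask={4}' -f $_.TimeCreated, $d.SubjectDomainName,
                $d.SubjectUserName, $d.ObjectName, $d.AccessMask
        }
    }

# 4. Observation report to the administrator, only when something matched.
#    Add -Credential / -UseSsl here if the SMTP server requires authentication.
if ($hits) {
    Send-MailMessage -SmtpServer $SmtpHost -From 'alerter@example.com' -To $Recipient `
        -Subject "Access to $Folder detected" -Body ($hits -join "`n")
}
```

Scheduling steps 3 and 4 (for example every 10 minutes, matching the lookback window) gives the "Continue the observation" behaviour without the duplicate entries a raw 4656 feed produces.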