Keeping tabs on file and registry access in Windows Server has never been easier.
Auditing file access events in Windows Server isn’t a subject that’s likely to set you alight with excitement, especially as traditionally it has been something of a pain to configure. But in recent versions of Windows Server, the job has got easier. And that’s important, because in today’s world of regulatory compliance and the need to understand exactly what’s going on in our environments, we need to make sure audit logs are capturing the right data. Today I’ll go over how to configure Global Object Access Auditing in Windows Server.
Auditing File Access
Before the introduction of Global Object Access Auditing in Windows 7 and Windows Server 2008 R2, in order to audit access to a file you would need to set auditing configuration on files and folders using System Access Control Lists (SACLs) in the file system. SACLs are accessed by right-clicking a file or folder in Windows, selecting Properties from the menu and then switching to the Security tab. Auditing configuration can be changed by clicking Advanced in the Properties dialog and then switching to the Auditing tab in the Advanced Security Settings dialog.
As most administrators are aware, managing permissions on servers containing tens of thousands of files using Access Control Lists (ACLs) can become somewhat unwieldy, and configuring auditing this way is no less of a problem.
In order that audit events appear in the Event Log, you also need to enable success and/or failure auditing for Object Access, either using Group Policy or the Local Security Policy management console.
Global Object Access Auditing
As its name suggests, Global Object Access Auditing allows administrators to set file and registry auditing configuration per computer, rather than at the file system level. This makes it much easier to track the settings across servers on your network, rather than having to set and inspect SACLs at the file level.
In Windows Server 2008 R2, the Global Object Access Auditing policy can be set as part of Advanced Audit Policy Configuration in Group Policy, which can be found under Computer Configuration\Policies\Security Settings\. Note that the location of these settings differs from that of basic auditing.
When you configure file or registry Global Object Access Auditing in Windows Server 2008 R2, instead of the simple Success and Failure options presented for most audit settings, you’ll notice there’s just a Configure button that takes you to a dialog where you set the audit configuration in exactly the same way as from the file system.
For Global Object Access Auditing to work, Object Access\Audit File System or Object Access\Audit Registry must also be enabled for success and/or failure auditing; the global SACL on its own generates no events.
Expression-Based Audit Policy
Object Access and Global Object Access Auditing are expanded in Windows 8 and Windows Server 2012 (and later) to include expression-based audit policy. This allows system administrators to use complex logic to restrict auditing to specific criteria. For example, I could configure an event to be logged only when a file is successfully deleted by users in a specific department, as defined in Active Directory.
You can specify Boolean AND and OR operators, and even group criteria together to build complex expressions in the same way you would use parentheses in a script.
Configure Global Object Access
In this example I’m going to monitor for deletions on my file servers, but restrict auditing to just users who are members of the Finance group in Active Directory (AD). I’ll apply the audit configuration settings using a Group Policy Object (GPO):
- Log on to a Windows Server 2012 file server in your domain with an account that has permission to create new GPOs.
- Open Server Manager from the icon on the desktop Taskbar or from the Start screen.
- Open the Group Policy Management Console (GPMC) from the Tools menu in Server Manager.
- In the left pane of GPMC, expand your AD forest, the Domains folder and then your AD domain. Right-click the Group Policy Objects folder and select New from the menu.
- In the New GPO dialog, give the new Group Policy Object a name, leave the Source Starter GPO field set to (none) and click OK.
- You will see the new GPO in the right pane of GPMC. Right-click the GPO and select Edit from the menu.
- In the Group Policy Management Editor window, expand Computer Configuration\Policies\Security Settings\Advanced Audit Policy Configuration\Audit Policies in the left pane.
- Click Object Access in the list of audit settings.
- In the right pane, double-click Audit File System.
- In the Audit File System Properties dialog, check Configure the following audit events.
- Check Success, Failure and click OK.
- In the Group Policy Management Editor window, click Global Object Access Auditing at the bottom of the list of audit settings.
- In the right pane of the editor window, double-click File system.
- In the File system Properties dialog, check Define this policy setting on the Policy tab and click Configure.
- In the Advanced Security Settings for Global File SACL dialog, click Add.
- In the Auditing Entry for Global File SACL dialog, click Select a principal.
- In the Select User, Computer, Service Account, or Group dialog, type Everyone in the box under Enter the object name to select and click OK.
- Leave Success selected in the Type menu.
- In the Auditing Entry for Global File SACL dialog under Permissions, click Clear all and then select only Delete.
- At the bottom of the dialog, click Add a condition. Make sure that User is selected in the first drop-down menu.
- In the second drop-down menu, select Department.
Note that you’ll need to have properly configured and working Dynamic Access Control (DAC) in your environment to be able to use expression-based auditing. DAC can be accessed from the Active Directory Administrative Center (ADAC). If you don’t have DAC configured, you can skip the steps to add a condition to the Global Object Access auditing entry. In this example, I already have Department properly configured as a claim type, with Finance set as a suggested value.
- In the third drop-down, select Equals. In the fourth, make sure that Value is selected.
- At the end of the new condition, select Finance from the drop-down menu.
- Now click OK in the Auditing Entry dialog, again in the Advanced Security Settings dialog, and once more in the File system Properties dialog.
- Close the Group Policy Management Editor window.
- Back in GPMC, right-click your domain in the left pane and select Link an Existing GPO from the menu.
- In the Select GPO dialog, select the GPO you just created and click OK.
Once policy has updated on the affected devices, you can delete a file, and assuming that the account used to delete the file has the Department attribute in AD set to Finance, an event will be logged. Look for event 4663 in the Event Log.
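To check that the GPO above actually landed on a file server and to pull the resulting delete events out of the Security log without scrolling through Event Viewer, here is an added PowerShell script (my own example, not part of the original article). It assumes an elevated prompt on the file server; the `auditpol.exe` calls, the 4663 event ID and the DELETE access bit (0x10000) are standard Windows values, everything else is constructed for this example.

```powershell
# Added example: verify Global Object Access Auditing and list file deletions.
# Run in an elevated PowerShell prompt on the file server after the GPO is linked.

# 1. Pull the latest policy so we test what the GPO set, not stale settings.
gpupdate.exe /target:computer /force | Out-Null

# 2. The global SACL only produces events if this subcategory is enabled
#    (Object Access\Audit File System, Success and Failure as configured above).
auditpol.exe /get /subcategory:"File System"

# 3. Show the global file SACL that the policy pushed down. You should see the
#    Everyone / Delete entry and, with DAC configured, its Department condition.
auditpol.exe /resourceSACL /type:File /view

# 4. Collect 4663 (object access) events whose requested access includes DELETE.
#    AccessMask is a hex string such as "0x10000" or "0x10080" (combined rights).
$DeleteBit = 0x10000

function Get-FileDeleteAudit {
    param([int]$MaxEvents = 500)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Parse the event XML so we can read named fields instead of the message text.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $mask = [int]$data['AccessMask']
        if (($mask -band $DeleteBit) -eq 0) { continue }   # not a delete request

        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Object  = $data['ObjectName']
            Process = $data['ProcessName']
            Mask    = $data['AccessMask']
        }
    }
}

# 5. Print recent deletions. If the Department condition is in place, only users
#    whose AD Department claim equals Finance should appear here.
Get-FileDeleteAudit | Sort-Object Time -Descending | Format-Table -AutoSize
```

If step 4 returns nothing after a test deletion by a Finance user, check step 2 first: a global SACL with the File System subcategory disabled is the most common reason no 4663 events appear.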