I’m frequently asked about the best way to set up and report on file or folder accesses. In other words, I have a bunch of confidential files sitting on my network and I want to know who is accessing them.
So here it is (you might want to grab a coffee first!).
Unless you have a sophisticated end point security or file auditing solution in place, you’re pretty much limited to the quality of data found in your Windows Security Event log. By default, accesses to your confidential files are not going to trigger any entries to be written to the Event log. You first need to set up file or folder auditing.
WebSpy have written a nice article to help you out with this: Managing Event Logs
Personally, I’m running Windows Vista SP1. So I first turned on Object Access auditing by going to Control Panel | Administrative Tools | Local Security Policy | Local Policy | Audit Policy and set Audit Object Access for Success and Failure.
In Windows Explorer, navigate to the folder or files to audit, then Right-click | Properties | Security | Advanced | Auditing and click Continue when Vista’s User Access Control gets in the way. Here you get the option to add Users or Groups to the audit policy. So if you only want to know when Joe Bloggs accesses the file/folder, then only add Joe Bloggs. If you want to know when anyone accesses the file/folder then add your entire company.
Click OK and apply the changes. If applying this to a folder, take note of the setting to ‘apply the auditing entries to containers within this container’ at the bottom and use as required.
Congratulations. That’s the auditing setup. Once people start accessing these file(s), the auditing information will get recorded to the Security Event Log on the machine that hosts the file(s) in question.
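The same two steps (turn on Object Access auditing, then add an audit entry to the folder) done from an elevated PowerShell prompt, as an added example that is not from the original post. The folder path and the audited group are assumptions; change them for your environment.

```powershell
# Added example: script the auditing setup described above.
# Assumed values (not from the post): the folder to audit and the principal to audit.
$folder   = 'D:\Confidential'   # assumed path to the confidential files
$auditFor = 'BUILTIN\Users'     # assumed: audit everyone, the "entire company" case from the post

# 1. Equivalent of Local Security Policy | Audit Policy | Audit Object Access (Success and Failure).
#    Vista and later expose the finer-grained "File System" subcategory via auditpol.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Equivalent of Properties | Security | Advanced | Auditing: add a SACL entry to the folder.
#    -Audit is required so Get-Acl/Set-Acl read and write the SACL, not just the DACL.
$acl  = Get-Acl -Path $folder -Audit
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
    $auditFor,
    'ReadData, WriteData, Delete',        # rights that generate an audit record
    'ContainerInherit, ObjectInherit',    # "apply the auditing entries to containers within this container"
    'None',                               # propagation flags
    'Success, Failure'                    # audit both successful and failed accesses
)
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Verify: the policy subcategory and the folder's audit entries.
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $folder -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Both Get-Acl -Audit and auditpol need administrative rights, which is why the post has you run things elevated on Vista.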
The next step is to import the Windows Security log into your flavour of WebSpy Vantage. I’m using Vantage Ultimate, but the steps are the same for Premium and Giga.
- Run Vantage (as Administrator if on Vista)
- Go to the Storages tab and click Import Logs
- Run through the Import Wizard with these settings:
- Storage: New storage
- Input Type: Windows Event Log
- Loader Selection: Microsoft
- Input Selection: Add
Select either local computer, or multiple computers, enter authentication details and Click ‘Filter Event Logs’. Check the ‘Security’ Log and click OK.
- Click OK to start the import.
If there are any issues with the import process, consult these three WebSpy Knowledgebase articles to do with issues importing event logs:
- Event Log Troubleshooting (Known Issues and Fixes)
- Importing Event Logs from machines on a different domain
- Required Services for Event Log Importing
The first article came in handy for me as I’m running on Vista and in order to import from the Local Security log, you need to run Vantage as Administrator. To do this, go to C:\Program Files\WebSpy\Vantage Ultimate 2.1\ right-click the WebSpy.Vantage.exe and select ‘Run as Administrator’.
Once data has been imported into your storage, check it out on the Summaries screen.
Go to the Summaries tab, run an Analysis on your new storage (an ad-hoc analysis will do), and go to the Category Summary. There should be some ‘File System’ items there, assuming the file has been accessed since setting up file auditing. You can then drilldown to Event Type to see ‘Audit Success’ or ‘Audit Failure’. To see who has successfully accessed a certain file, drilldown into the ‘Audit Success’ item.
Unfortunately the good stuff is buried in the ‘Message’ field, which you can only access in the Individual Records view. This is because the Message field in Event logs is free form and could vary wildly resulting in millions of unique items. A Message Summary has therefore been excluded from a default ad-hoc analysis for very good performance reasons.
Event logs can also be quite verbose, and if you drilldown to Individual Records at this stage, you’ll see lots of messages like ‘A handle to an object was requested’ which probably isn’t of any great value from a reporting perspective. One way to filter out this noise is by Event ID.
I’ve discovered that the events that correspond to ‘An attempt was made to access an object’ have the ID 4663. (One day I’ll create an alias to map Event IDs to their meaningful description. If you come across a good resource I can use for this, let me know!). So go to the Event ID summary and drilldown into 4663 to the Individual Records view.
Once you’re at Individual Records, you can hover over the message field to get details. You can also use the find edit box to search for a particular user or file:
You can export this view To Word Document, HTML, Text or CSV by right-clicking the Individual Records summary and clicking Export.
You can also create a report template to access this same information, but as there is no ‘Message’ summary to choose from, you need to use the Custom expression options, both when adding a column to a node in a Template, and when specifying your filter.
To add a column to a report that displays an Event Message:
- Go to the Reports Tab and click New Template
- Create an Analysis template based on the ‘All Windows Event Schemas’ schema
- Click New Node and click the Advanced button to launch the Advanced editor.
- On the General page, delete any existing Key columns and select Add | Key. In the Custom Expression section enter [Message] (include the square brackets) and click OK.
To filter the report:
- Go to the Filters page of the New Node dialog (alternatively you can specify this filter in for all nodes using the Template Properties dialog)
- Click Add | Field Value Filter. Select Category from the Summary drop down, and click Add. Enter ‘File System’ (without the quotes) and click OK. Click OK to add the filter.
- Click Add | Field Value Filter. Select Event ID from the Summary drop down and click Add. Enter ‘4663’ (without the quotes) and click OK.
- To filter on the Message field, Select Add | Manual Filter Expression.
- Enter the expression:
- [Message] LIKE "text to filter for"
Change ‘text to filter for’ to the user or file that you want to search for. If you want to search for multiple strings, repeat the above expression separated by an AND or an OR, and place brackets wherever it makes sense. For example:
- [Message] LIKE "scottg" AND [Message] LIKE ".avi"
Will filter for all .avi files that scottg has accessed.
- [Message] LIKE "scottg" OR [Message] LIKE ".avi"
Will filter for any file that scottg has accessed and any .avi that anyone has accessed.
- ([Message] LIKE "scottg" AND [Message] LIKE ".avi") OR [Message] LIKE "andrew"
Will filter for all .avi files that scottg has accessed and any file that Andrew has accessed.
- You can add the individual filters using Add | Manual Filter Expression multiple times, and then use the Manual Filter Expression editor at the bottom to change ANDs to ORs and place brackets appropriately, like so:
- Right-click the Manual Filter Expression edit box and select Validate to make sure everything is good with the expression.
- Modify chart settings, sorting, etc as appropriate.
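For readers who want the same answer straight from the Security log without an import step, here is an added example (not from the original post or from WebSpy) that pulls the 4663 events discussed above and applies the equivalent of the [Message] LIKE "scottg" AND [Message] LIKE ".avi" filter. It goes a little beyond the post by reading the structured EventData fields (user, file, access mask) instead of searching the free-form Message text. The computer name, user name and file pattern are assumptions.

```powershell
# Added example: query "An attempt was made to access an object" (Event ID 4663)
# and filter by user and file, like the Manual Filter Expressions above.
# Assumed values (not from the post): target computer, login name, file pattern.
$computer = $env:COMPUTERNAME   # assumed; set to the file server's name for a remote query
$user     = 'scottg'            # assumed Windows login name
$filePat  = '*.avi'             # assumed file pattern

# Only 4663 from the Security log; this is the Event ID drilldown from the post.
$events = Get-WinEvent -ComputerName $computer `
    -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -ErrorAction Stop

$rows = foreach ($e in $events) {
    # The user and file are discrete <Data Name="..."> elements in the event XML,
    # which is far more reliable than substring matching on the Message text.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        File       = $d.ObjectName
        AccessMask = $d.AccessMask   # 0x1 = ReadData, 0x2 = WriteData, 0x10000 = DELETE
        Process    = $d.ProcessName
        Outcome    = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
    }
}

# The "AND" case: .avi files touched by scottg. Use -or instead of -and for the "OR" case.
$hits = $rows | Where-Object { $_.User -like "*\$user" -and $_.File -like $filePat } |
    Sort-Object Time

$hits | Format-Table Time, User, File, AccessMask, Outcome -AutoSize

# Same view to CSV, like the Individual Records export in Vantage.
$hits | Export-Csv -Path "$env:TEMP\file-access-$user.csv" -NoTypeInformation
```

Expect several 4663 records per real open, one per handle or access type; sorting by time and looking at AccessMask is how you tell a read from a write or delete.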
Here’s the resulting report template for you, but please note that it includes the filter above (events for the users ‘Asa’ and ‘Scottw’), so you will need to modify the filter and enter the users or files you want to filter on. Just use the user’s Windows login name, and/or the name of the file. Alternatively, remove the filter altogether if you want to see all File Audit events.
That’s it! Now run your report, automate it using the Tasks screen, and you’re set!