Last Update: Sep 24, 2024 | Published: Sep 05, 2013
Keeping tabs on file and registry access in Windows Server has never been easier.
Auditing file access events in Windows Server isn’t a subject that’s likely to set you alight with excitement, especially as traditionally it has been something of a pain to configure. But in recent versions of Windows Server, the job has got easier. And that’s important, because in today’s world of regulatory compliance and the need to understand exactly what’s going on in our environments, we need to make sure audit logs are capturing the right data. Today I’ll go over how to configure Global Object Access Auditing in Windows Server.
Before the introduction of Global Object Access Auditing in Windows 7 and Windows Server 2008 R2, in order to audit access to a file you would need to set auditing configuration on files and folders using System Access Control Lists (SACLs) in the file system. SACLs are accessed by right-clicking a file or folder in Windows, selecting Properties from the menu and then switching to the Security tab. Auditing configuration can be changed by clicking Advanced in the Properties dialog and then switching to the Auditing tab in the Advanced Security Settings dialog.
As most administrators are aware, managing permissions on servers containing tens of thousands of files using Access Control Lists (ACLs) can become somewhat unwieldy, and configuring auditing this way is no less of a problem.
In order that audit events appear in the Event Log, you also need to enable success and/or failure auditing for Object Access, either using Group Policy or the Local Security Policy management console.
As its name suggest, Global Object Audit Access allows administrators to set file and registry auditing configuration per computer, rather than at the file system level. This makes it much easier to track the settings across servers on your network, rather than having to set and inspect SACLs at the file level.
In Windows Server 2008 R2, the Global Object Audit Access policy can be set as part of Advanced Audit Policy Configuration in Group Policy, which can found here: Computer ConfigurationPoliciesSecurity Settings. Note that the location of the settings differ from basic auditing.
When you configure file or registry Global Object Audit Access in Windows Server 2008 R2, instead of the simple success and failure options presented for most audit settings, you’ll notice there’s just a Configure button that takes you to a dialog to set audit configuration in exactly the same way as from the file system.
For Global Object Audit Access to work, Object AccessAudit File System or Object AccessAudit Registry must also be enabled for success/failure auditing.
Object Access and Global Object Access Auditing are expanded in Windows 8 and Windows Server 2012 (and later) to include expression-based audit policy. This allows system administrators to use complex logic to filter auditing to specific criteria. For example, I could an event to be logged when a file is successfully deleted by users in a specific department, as defined in Active Directory.
You can specify Boolean AND and OR operators, and even group together criteria to make complex expressions in the same way you would use parenthesis in a script.
In this example I’m going to monitor for deletions on my file servers, but restrict auditing to just users who are members of the Finance group in Active Directory (AD). I’ll apply the audit configuration settings using a Group Policy Object (GPO):
Note that you’ll need to have properly configured and working Dynamic Access Control (DAC) in your environment to be able to use expression-based auditing. DAC can be accessed from the Active Directory Administrative Center (ADAC). If you don’t have DAC configured, you can skip the steps to add a condition to the Global Object Access auditing entry. In this example, I already have Department properly configured as a claim type, with Finance set as a suggested value.
Once policy has updated on the affected devices, you can delete a file, and assuming that the account used to delete the file has the Department attribute in AD set to Finance, an event will be logged. Look for event 4663 in the Event Log.