There’s a nice little feature built into Windows that allows you to track when someone views, edits, or deletes something inside of a specified folder. So if there’s a folder or file that you want to know who is accessing, then this is the built-in method without having to buy any additional software.
This feature is actually part of a system called Group Policy, which is used by most IT Professionals who manage computers in the corporate network using servers, however, this policy system can also be used locally without any servers.
The term Group Policy basically refers to a set of registry settings that can be controlled via a graphical user interface. You enable or disable settings and these edits are updated in the Windows registry.
To get to the policy editor, click on Start and then Run.
In the textbox, type “gpedit.msc” without the quotes as shown below:
Now you should see something that is similar to the image below:
There are two main categories of policies: user and computer. As you might have guessed, the user policies control the settings for each user whereas the computer settings will be system wide settings and will effect all users. In our case we’re going to want our setting to be for all users, so we’ll expand our the Computer Configuration section.
Continue expanding to Security Settings -> Local Policies -> Audit Policy. I’m not going to explain much of the other settings here since this is primairly focused on auditing a folder. Now you’ll see a set of policies and their current settings on the right hand side. Audit policy is what controls whether or not the operating system is configured and ready to track changes.
Now check the setting for Audit Object Access by double clicking on it and selecting both Success and Failure. Click OK and now we’re done the first part which is telling Windows that we want it to be ready to monitor changes. Now the next step is to tell it what EXACTLY we want to track. You can close out of the Group Policy console now.
Now navigate to the folder using Windows Explorer that you would like to monitor. In Explorer, right click on the folder and click Properties. Click on the Security Tab and you see something similar to this:
Now click on the Advanced button and click on the Audting tab. This is where we’ll actually configure what we want to monitor for this folder.
Go ahead and click the Add button. A dialog will appear asking you to select a User or Group. In the box, type in the word “users” and click Check Names. The box will automatically update with the name of the local users group for your computer in the form COMPUTERNAME\Users.
Click OK and now you’ll get another dialog called “Audit Entry for X”. This is the real meat of what we’ve been wanting to do. Here is where you’ll select what you want to watch for this folder. To make things easier, I suggest selecting Full Control, which will automatically select all the other options below it. Do this for Success and Failure. This way, whatever is done to that folder or the files within it, you will have a record.
Now click OK and click OK again and OK one more time to get out of the whole multi-dialog box set. And now you have sucessfully configured audting on a folder! So you might ask, how do you view the events?
In order to view the events, you need to go to the Control Panel and click on Administrative Tools. Then open up the Event Viewer. Click on the security tab and you’ll see a large listing of events on the right hand side:
If you go ahead and create a file or simply open the folder and click the Refresh button in the Event Viewer (the button with the two green arrows), you’ll see a bunch of events in the category of Object Access. It’ll also list the user and computer. Now if you have a computer with multiple user accounts, then you can just scroll through the list and see if the object access message is there with another user name listed. However, if you think someone might be viewing items under your name, you’ll have to instead scroll through and look at the date and time.
In order to make it easier to look through so many events, you can put a filter and just see the important stuff. Click on the View menu at the top and click on Filter. In the Event ID box, type in the number 560. This is the event associated with a particular user performing an action and will give you the relavant information without having to look through thousands of entries.
If you want to get more information about an event, simply double click on it to view.
This is the information from the screen above:
Event Type: Success Audit
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 3/11/2007
Time: 2:57:35 AM
User: RELIAGENETECH\akishore
Computer: ASEEM
Event Source: Security
Event Category: Object Access
Event ID: 560
Date: 3/11/2007
Time: 2:57:35 AM
User: RELIAGENETECH\akishore
Computer: ASEEM
Description:
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Test\New Microsoft Word Document.doc
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: akishore
Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes
Object Open:
Object Server: Security
Object Type: File
Object Name: D:\Test\New Microsoft Word Document.doc
Image File Name: C:\WINDOWS\explorer.exe
Primary User Name: akishore
Accesses: READ_CONTROL SYNCHRONIZE ReadData (or ListDirectory) WriteData (or AddFile) AppendData (or AddSubdirectory or CreatePipeInstance) ReadEA WriteEA ReadAttributes WriteAttributes
Here I created a new Microsoft Word document in the Test folder and it tells me that the object type was a file and Explorer was being used by user akishore. And I performed a read and a write according to the “Accesses” section. If you just want to see if someone else is accessing a folder, then simply look at the entries date and time or user fields.
0 comments:
Post a Comment