Google
Search WWW Search msexchangetips.blogspot.com

Sunday, August 20, 2006

Windows: Audit Changes Made to File Folders or Registry

Summary: This article will delve into auditing changes such as: Changing attributes, writing to, deleting, moving so it can be traced back to a process or user...

To track a Process or User that may be making modifications to a File Folders and Registry, perform the task below.


Caution: This degree of auditing will put a performance hit on the box.



To set up the local policy to Audit Process Tracking:
=====================================
1) Click Start then Run then type
"gpedit.msc" (without the quotes)
2) This will execute the Group Policy Object
3) Expand the following:
+Computer Configuration
+Windows Settings
+Security Settings
+Local Policies
+Audit Process Tracking
4) Under 'Audit these attempts' place a check on
- Failure
- Success
5) Once the policy has been set, run the following command to apply the policy
For Windows 2000: Secedit /refreshpolicy
For Windows XP or 2003: Gpupdate.exe



To set up the local policy to Audit Object access:
=====================================
1) Click Start then Run then type
"gpedit.msc" (without the quotes)
2) This will execute the Group Policy Object
3) Expand the following:
+Computer Configuration
+Windows Settings
+Security Settings
+Local Policies
+Audit Policy
4) Under 'Audit Policy' doubleclick 'Audit Object Access'
5) Under 'Audit these attempts" place a check on
- Failure
- Success



Auditing the registry
=====================================
1) Call up Regedt32 and browse to the key you want to audit
2) Windows 2000: Click the 'Security' menu and select 'Permissions'
Windows 2003/XP Click the 'Edit' menu and select 'Permissions'
3) Click the 'Advanced' button
4) Select the 'Auditing' tab and click the 'Add' button
5) Add the 'Everyone' group and click 'OK'
6) The resulting "Auditing Entry for " dialog box appears
7) In the "Apply onto" drop menu, select "This key and subkeys"
8) Choose the actions you want to audit for... commonly we want to track
changes to the registry... so we'll want to place a check on the following:
'Set Value' Successful and Failed
'Create Subkey' Successful and Failed
'Delete' Successful and Failed
9) Click OK
10) Clear the checkbox on "Allow inheritable auditing entries from parent to propagate to this object"
11) Click OK then OK again to exit
Auditing files or folders



=====================================
1) In Explorer.exe browse to the file or folder you want to audit
2) Click the 'Security' menu
3) Click the 'Advanced' button
4) Select the 'Auditing' tab and click the 'Add' button
5) Add the 'Everyone' group and click 'OK'
6) The resulting "Auditing Entry for " dialog box appears
7) In the "Apply onto" drop menu, select "This folder, subfolders and files"
8) Choose the actions you want to audit for...
For example, if attributes are being changed or files are being deleted
Place check marks under the following:
'Write Attributes' Successful
'Write Extended Attributes' Successful
'Delete Subfolders and Files' Successful
'Delete' Successful
'Change Permissions' Successful
9) Click OK
10) Clear the checkbox on "Allow inheritable auditing entries from parent to propagate to this object"
11) Click OK then OK again to exit



The Security Event log will reflect the following:
=====================================
Event ID of 560 and 562 detailing User audits
Event ID of 592 and 593 detailing Process audits



James Chong
MCSE M+, S+, MCTS, Security+
msexchangetips.blogspot.com


How useful was this article? Want to see a tip not listed? Please leave a comment.

6 Comments:

Anonymous Anonymous said...

This way each time you need to browse countless eventlog and search for necessary event. I think it's very complicated. Have you heard about special reporting tools that can trace all such changes ? I can suggest you implement enterprise security reporter. I use this tool very frequently for reporting on enterprise permissions, security, policies, group ownership, registry or files changes and many other things.

7:25 AM  
Anonymous Anonymous said...

It seems that every time I opened the Sunday paper, there will be several flyers advertising sales on the scarpe Hogan of different kinds. I suggest you look online to compare prices and have a good idea of what type of hogan donna will best suit your needs. There are certain types of Hogan scarpe uomo in general, and there should be a good idea of what you need to buy more. For those who are running the road or running in all different types of weather the best type of Hogan uomo is the way of the shoe which will give you a combination of stability and durability and excellent traction.

6:02 PM  
Anonymous oem software legal said...

Big to you thanks for the help in this question. I did not know it.

2:24 AM  
Blogger Unknown said...

Nice Post, thanks for sharing these steps to audit changes made to file and folders. I found good information about this from http://www.lepide.com/file-server-audit/ which helps to audit file and folders access like who made, what changes and where. This tool track unauthorized access and critical modification occurred in a network and get real time alerts on every access to files and folders on windows file servers.

4:42 AM  
Blogger Leonie Daecher said...

Use WWE betting tips from OddsDigger's experts and take your life into your own hands . Feel a sense of joy and relief with our platform.

3:47 AM  
Blogger smithjake said...

Great blog post, I am pleased to read this post related to auditing share folder I found file access auditing solution which assists to monitor unauthorized file server accessing in a specific date and time on windows server and know who accessed all files and folders from which location by whom.

10:49 AM  

Post a Comment

<< Home

xml:lang="en" lang="en"> MS Exchange Tips: Windows: Audit Changes Made to File Folders or Registry