FileAudit – Easy-to-use file and folder auditing

• Author
• Recent Posts

Timothy Warner

Timothy Warner is a Microsoft Cloud and Datacenter Management Most Valuable Professional (MVP) who is based in Nashville, TN. Check out his Azure and Windows Server video training at Pluralsight, and feel free to reach out to Tim via Twitter.

Latest posts by Timothy Warner (see all)

• Use Azure Bastion as a jump host for RDP and SSH - Tue, Apr 18 2023
• Azure Virtual Desktop: Getting started - Fri, Apr 14 2023
• Understanding Azure service accounts - Fri, Mar 31 2023

How do you approach object auditing on your Windows Server file servers in an Active Directory domain environment? It isn’t fun, is it? The file system auditing workflow involves the following steps:

• Deploy a Group Policy Object (GPO) on your file servers that enables the Audit Object Access policy
• Configure NTFS audit policy on relevant file system objects
• Review audit entries in the Windows Server Security Log on each file server

Without adding a management layer on top, it is inefficient and painful to manage file server auditing in Windows Server. IS Decisions addresses this weakness with FileAudit 5.2, an easy-to-use reporting and alerting tool. Let's learn how the product works.

FileAudit vs. native Windows Server auditing

FileAudit has a number of value propositions that give you, the busy administrator, a better experience with file and folder auditing. First, there's the nice user interface, shown in the following screenshot.

FileAudit console user interface

As you know, the Event Log is your only in-box reporting tool for object auditing in Windows Server. Second, FileAudit monitors your file system resources continuously and alerts you in real time on access or access attempts. By contrast, Windows Server auditing generates multiple Security Log entries for each single access event. That's a low signal-to-noise ratio, and it's annoying to have to work with it.

Third, FileAudit can send e-mail-based alerts to administrators. Windows Server auditing has no alert system whatsoever. Fourth, FileAudit consolidates access events from multiple file servers. Windows Server itself can produce object access audit events only one file server at a time.

Fifth and finally, FileAudit embraces a role-based access control (RBAC) model in which you can delegate sub-administrative access to the FileAudit management console. This may be useful, for example, when your security compliance officers need read-only access to the audit data. In Windows Server, only the local administrators of each file server can configure object access auditing.

Okay, now that we've established the market need for FileAudit, let's review its setup and usage workflow.

Installation and configuration overview

IS Decisions makes FileAudit 5.2 available as a fully functional 30-day demo that supports a maximum of two monitored file servers. Installation on my Windows 10 Enterprise Edition administrative workstation took all of two minutes.

By default, FileAudit uses a local Access database, but you can scale out the FileAudit infrastructure by storing data in SQL Server, Oracle Database, or any compatible ODBC or OLE DB database.

Before you actually deploy auditing, you need to open the FileAudit desktop application, browse to Tools > Settings, and configure your environment. Study the following screenshot, and I'll point out your main configuration tasks:

FileAudit settings page

• A: Define exclusions from monitored locations
• B: Specify your audit data database
• C: Point the application to your mail server for alerts
• D: Define FileAudit service account identities
• E: View and modify your product license
• F: Create FileAudit access accounts and assign granular permissions
• G: Enable or disable remote access to the local FileAudit host
• H: Personalize the application with your corporate branding elements

File auditing workflow

To define an audit entry, navigate to Audit > Audit Configuration on your FileAudit host and click Add a folder or Add a file. You'll step through a wizard that consists of the following steps:

1. Browse to a file share, local folder, or local file
2. Give FileAudit permission to modify local Group Policy on the server to enable Object access auditing
3. Give FileAudit permission to modify NTFS audit settings for the file system resources
4. Assign a FileAudit usage license to the target server
5. Enable constant monitoring and, optionally, alerting

As you can see in the following screenshot, FileAudit can handle the "get your hands dirty" details automatically, which is a nice convenience!

Configuring auditing in FileAudit

Reporting and alerting

The FileAudit home page Access group shows you how many accesses it has detected in real time. Click File Access Viewer to start your reporting journey. Once again, I'll explain by using an annotated screenshot.

The FileAudit file access viewer

A: Load up the target you need to see

B: These sortable columns answer the "who, what, when, and where" questions security auditors ask

C: Refresh, search, print, or export

FileAudit lets you create reports in any of the following file formats:

• CSV
• HTML
• MHT
• PDF
• RAW
• RTF
• TXT
• XLS

Navigating to Audit > Alerts in the FileAudit console allows you to set alerts for file- or mass-access-related events. Here's a screen capture showing the interface:

Configuring an alert

An alert consists of the following properties:

• Main: Which operations you need to monitor, access from whom, and so forth
• Monitored paths: You can define multiple paths here, which is cool
• Excluded hours: Disable alerting between certain timeframes
• Recipients: Who should receive alerts
• Mail message: How the alert email messages should be structured

Before we wrap up, I want to teach you how you can connect to different FileAudit-enabled servers from your administrative workstation. Check out the following composite screen capture that sums it up.

Connecting to a remote FileAudit server

Remember that you set the FileAudit service connection port in the application settings; TCP 2000 is the default port. If you do change the port ID, be sure to restart the FileAudit service.

Wrap-up

FileAudit pricing is on a per-machine basis. As you would expect, the unit price decreases when you purchase licenses for higher numbers of audited systems. You get one year of support, and annual license renewals are 20 percent of the total license cost.

For businesses subject to security compliance requirements, FileAudit may be just the tool you need to stay on top of file system access and reporting.