How do you approach object auditing on your Windows Server file servers in an Active Directory domain environment? It isn’t fun, is it? The file system auditing workflow involves the following steps:
- Deploy a Group Policy Object (GPO) on your file servers that enables the Audit Object Access policy (or, under Advanced Audit Policy Configuration, the more specific Audit File System subcategory)
- Configure NTFS audit policy on relevant file system objects
- Review audit entries in the Windows Server Security Log on each file server
Without adding a management layer on top, it is inefficient and painful to manage file server auditing in Windows Server. IS Decisions addresses this weakness with FileAudit 5.2, an easy-to-use reporting and alerting tool. Let's learn how the product works.
FileAudit vs. native Windows Server auditing
FileAudit has a number of value propositions that give you, the busy administrator, a better experience with file and folder auditing. First, there's the nice user interface, shown in the following screenshot.
As you know, the Event Log is your only in-box reporting tool for object auditing in Windows Server. Second, FileAudit monitors your file system resources continuously and alerts you in real time on accesses and access attempts. By contrast, Windows Server auditing writes several Security Log entries for a single access (a handle request, the access itself, and the handle close, each under its own event ID). That's a low signal-to-noise ratio, and it's annoying to work with.
Third, FileAudit can send e-mail alerts to administrators. Windows Server auditing has no alerting built in; the closest you get is attaching a Task Scheduler task to an event ID. Fourth, FileAudit consolidates access events from multiple file servers. Each Windows file server writes object access events only to its own Security Log; consolidating them natively means setting up Windows Event Forwarding and a collector yourself.
Fifth and finally, FileAudit embraces a role-based access control (RBAC) model in which you can delegate sub-administrative access to the FileAudit management console. This may be useful, for example, when your security compliance officers need read-only access to the audit data. In Windows Server, configuring audit entries (SACLs) and reading the Security Log require the Manage auditing and security log privilege (reading alone also works with Event Log Readers membership), which in practice means the local Administrators group on each file server.
Okay, now that we've established the market need for FileAudit, let's review its setup and usage workflow.
Installation and configuration overview
IS Decisions makes FileAudit 5.2 available as a fully functional 30-day demo that supports a maximum of two monitored file servers. Installation on my Windows 10 Enterprise Edition administrative workstation took all of two minutes.
By default, FileAudit uses a local Access database, but you can scale out the FileAudit infrastructure by storing data in SQL Server, Oracle Database, or any compatible ODBC or OLE DB database.
Before you actually deploy auditing, you need to open the FileAudit desktop application, browse to Tools > Settings, and configure your environment. Study the following screenshot, and I'll point out your main configuration tasks:
- A: Define exclusions from monitored locations
- B: Specify your audit data database
- C: Point the application to your mail server for alerts
- D: Define FileAudit service account identities
- E: View and modify your product license
- F: Create FileAudit access accounts and assign granular permissions
- G: Enable or disable remote access to the local FileAudit host
- H: Personalize the application with your corporate branding elements
File auditing workflow
To define an audit entry, navigate to Audit > Audit Configuration on your FileAudit host and click Add a folder or Add a file. You'll step through a wizard that consists of the following steps:
- Browse to a file share, local folder, or local file
- Give FileAudit permission to modify local Group Policy on the server to enable Object access auditing
- Give FileAudit permission to modify NTFS audit settings for the file system resources
- Assign a FileAudit usage license to the target server
- Enable constant monitoring and, optionally, alerting
As you can see in the following screenshot, FileAudit can handle the "get your hands dirty" details automatically, which is a nice convenience!
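To show what the wizard is doing on your behalf, here is the native workflow from the top of this article carried out by hand with PowerShell on a single file server. This is an added example, not part of the article and not IS Decisions code; it assumes an elevated session on the file server, and the folder path is a placeholder you would replace with your own.

```powershell
# Added example (not from the article or from IS Decisions): the native steps that the
# FileAudit wizard performs for you, done by hand on one file server. Run elevated.
$FolderPath = 'D:\Shares\Finance'   # assumption: the folder you want audited

# 1. Enable object-access auditing for the file system subcategory (success and failure).
#    This is the machine-local equivalent of the GPO setting "Audit File System".
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry so that writes, deletes, and permission changes by anyone (Everyone)
#    on the folder and everything beneath it are recorded.
$acl     = Get-Acl -Path $FolderPath -Audit
$rights  = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)
$acl.AddAuditRule($rule)
Set-Acl -Path $FolderPath -AclObject $acl

# 3. Read back the resulting access events (ID 4663, "An attempt was made to access an object")
#    and reduce them to the who/what/when/where columns an auditor asks for.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-1) } -ErrorAction SilentlyContinue
$events | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }   # EventData fields by name
    [pscustomobject]@{
        Time    = $_.TimeCreated
        User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Object  = $d.ObjectName
        Access  = $d.AccessMask
        Process = $d.ProcessName
    }
} | Where-Object { $_.Object -like "$FolderPath*" } | Format-Table -AutoSize
```

Two caveats apply to step one: auditpol changes the local audit policy only, and a domain GPO that configures audit policy will overwrite it at the next policy refresh, which is why the native workflow starts with a GPO. Step two needs the Manage auditing and security log privilege; without it, Set-Acl refuses to write the SACL.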
Reporting and alerting
The FileAudit home page Access group shows you how many accesses it has detected in real time. Click File Access Viewer to start your reporting journey. Once again, I'll explain by using an annotated screenshot.
The FileAudit file access viewer
- A: Load up the target you need to see
- B: These sortable columns answer the "who, what, when, and where" questions security auditors ask
- C: Refresh, search, print, or export
FileAudit lets you create reports in any of the following file formats:
Navigating to Audit > Alerts in the FileAudit console allows you to set alerts for file- or mass-access-related events. Here's a screen capture showing the interface:
An alert consists of the following properties:
- Main: Which operations you need to monitor, access from whom, and so forth
- Monitored paths: You can define multiple paths here, which is cool
- Excluded hours: Disable alerting between certain timeframes
- Recipients: Who should receive alerts
- Mail message: How the alert email messages should be structured
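To make the mass-access alert properties concrete, here is the kind of rule the Alerts page lets you configure, written out as a small PowerShell function and run over constructed records. This is an added example, not part of the article and not FileAudit's own logic; the threshold, the time window, the excluded hours, the user names, and the sample records are all assumptions made up for the demonstration.

```powershell
# Added example (not from the article or from IS Decisions): a minimal "mass access" rule,
# applied to constructed 4663-style records so that it runs offline.
$Threshold     = 5      # assumption: alert when a user touches more than this many distinct files ...
$WindowSec     = 60     # assumption: ... within this many seconds
$ExcludedHours = 0..5   # assumption: suppress alerts from 00:00 to 05:59 (the "Excluded hours" property)

# Constructed sample records (not real log data). In production these would come from
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } as in the earlier example.
$base = Get-Date '2024-03-04 10:00:00'
$records = @(
    # one user deleting eight different files within 24 seconds
    foreach ($i in 1..8) { [pscustomobject]@{ Time = $base.AddSeconds($i * 3); User = 'CORP\jsmith'; Object = "D:\Shares\Finance\report$i.xlsx"; Access = '0x10000' } }
    # another user opening the same file twice; two events, but only one distinct object
    [pscustomobject]@{ Time = $base.AddSeconds(10); User = 'CORP\mlee'; Object = 'D:\Shares\Finance\budget.xlsx'; Access = '0x1' }
    [pscustomobject]@{ Time = $base.AddSeconds(20); User = 'CORP\mlee'; Object = 'D:\Shares\Finance\budget.xlsx'; Access = '0x1' }
    # a backup account reading six files, but at 03:00, inside the excluded hours
    foreach ($i in 1..6) { [pscustomobject]@{ Time = (Get-Date '2024-03-04 03:00:00').AddSeconds($i); User = 'CORP\backup'; Object = "D:\Shares\Finance\archive$i.zip"; Access = '0x1' } }
)

function Find-MassAccess {
    param([object[]]$Records, [int]$Threshold, [int]$WindowSec, [int[]]$ExcludedHours)
    $alerts = @()
    foreach ($group in $Records | Group-Object User) {
        $sorted = @($group.Group | Sort-Object Time)
        # Sliding window: treat each event as a window start and count distinct objects within WindowSec.
        for ($s = 0; $s -lt $sorted.Count; $s++) {
            $start = $sorted[$s].Time
            if ($ExcludedHours -contains $start.Hour) { continue }
            $inWindow = $sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $start.AddSeconds($WindowSec) }
            $distinct = @($inWindow.Object | Sort-Object -Unique)
            if ($distinct.Count -gt $Threshold) {
                $alerts += [pscustomobject]@{ User = $group.Name; From = $start; Files = $distinct.Count; Sample = ($distinct[0..2] -join ', ') }
                break   # one alert per user per run; stop scanning this user
            }
        }
    }
    return $alerts
}

Find-MassAccess -Records $records -Threshold $Threshold -WindowSec $WindowSec -ExcludedHours $ExcludedHours | Format-Table -AutoSize
```

Counting distinct objects rather than raw events is what keeps a user who repeatedly saves one document from tripping the rule, and checking the window start against the excluded hours is the cheap way to honor an "Excluded hours" setting without dropping the underlying events from the log.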
Before we wrap up, I want to teach you how you can connect to different FileAudit-enabled servers from your administrative workstation. Check out the following composite screen capture that sums it up.
Remember that you set the FileAudit service connection port in the application settings; TCP 2000 is the default. If you change the port number, restart the FileAudit service, and make sure the host firewall on the FileAudit server allows inbound connections on the new port before you try to connect from your workstation.
FileAudit pricing is on a per-machine basis. As you would expect, the unit price decreases when you purchase licenses for higher numbers of audited systems. You get one year of support, and annual license renewals are 20 percent of the total license cost.
For businesses subject to security compliance requirements, FileAudit may be just the tool you need to stay on top of file system access and reporting.