Windows File Services are arguably among the most prevalent and oldest Windows services running in data centers. One area in which Windows File Services is lacking is auditing and controls. You can apply access restrictions at the share and file level, and there is rudimentary auditing around creation dates and last accessed information. Beyond that, Windows File Server is limited. There is no built-in functionality to audit who accessed, moved, or deleted files. There is also no way of detecting and controlling unusual activities.
For example, it may not be unusual for users to encrypt one or two files they have access to during the course of a workday. However, if a user encrypts hundreds of files in a short amount of time, there could be a problem. This could be a sign of ransomware. A standard file server has no way of differentiating between malicious and legitimate file encryption activities.
Similarly, users may have access to hundreds of files but only need to access a relatively small number during the workday. Reading a large number of files in a short time could indicate users are moving them locally for legitimate reasons, such as working remotely for a few days. Or they may have plans to leave the organization and intend to take information with them. This could put intellectual property at risk or expose personally identifiable information when it is copied to insecure devices.
PA File Sight can prevent information leaks and ransomware attacks because it detects unauthorized file access. The auditing tool comes in two versions: a Lite version with monitoring, alerting, and information logging and an Ultra version with centralized management, choice of database, advanced alerting, and reporting. File Sight Ultra also integrates with File Sight Endpoints for USB blocking and more granular file use tracking.
Installation and setup
Installation is a straightforward process similar to installing other Windows applications. I used the Ultra version with a two-server setup, one as the central administration point running File Sight and a second server running Windows File Services.
The File Sight installer has three components to choose from during installation. I installed the Central Monitoring Service and Console User Interface on the central monitoring server.
The setup process provides the option to add a driver for Microsoft SQL. The following examples use the default SQLite database. Having an option to write data to Microsoft SQL is helpful for environments needing custom retention or those intending to use the data for custom reporting.
After setting up the management server, I moved on to the file server. This required the File Sight Ultra Satellite. A satellite is a small service that runs on each file server and reports back to the central management server. The setup process is similar to that of the Central Monitoring Service, except that you select only the Satellite Monitoring Service component.
Verify that the Configure the PA File Sight Ultra Satellite service option is selected at the end of the installation and click Finish. This opens the Configure Satellite Monitoring Service window. Add the IP address or domain name of the central monitoring server and port number in the Central monitoring service address box. Test the connection to verify connectivity. It may be necessary to open firewall ports to allow communication between the servers. Click Apply Settings, restart the Satellite Service, and click Exit to finish.
Once connected, accept the remote satellite in the central manager by going to Advanced Services, Satellite Services, right-click on the satellite service, and select Accept Satellite. The server will show up under Servers once accepted.
Configure monitoring and alerting
Power Admin File Sight is feature packed, enough so that I can't go over all options available for monitoring and alerting. I am going to demonstrate three scenarios that would benefit most environments. These three examples are: identifying who deleted a file, alerting on suspicious behavior, and blocking activity that may indicate malicious behavior.
Log file delete activity
Have you ever run into a situation where a file or directory is deleted, but no one admits to removing it? It could simply be that a user deleted it unknowingly. Or it could indicate a misconfiguration that needs addressing. Either way, it's good to know what happened so you can take the appropriate actions.
Set up the monitor by going into Servers/Devices and selecting the file server. In this case, we'll use FILE01. Right-click on the server and select Add New Monitor.
The Add New Monitor window appears; select File Sight Monitor and click OK.
The File Sight Configuration box will open. Add the directory you will monitor to the Directory to monitor box and select the share directory. Leave File Types as the default and go to the File Activities tab. Uncheck File is created and File is renamed to monitor file deletions and moves only. The window should look like the one below.
Next, go to Directory Activities. This will monitor the same type of activity, only on directories. Uncheck Directory is created and Directory is renamed. The tab will look like the window below once finished. Click OK to save.
After setting that, go to the Copy Detection tab and uncheck both boxes. It should look like this once finished:
The system has configured the monitor with the default name. Rename it by right-clicking it and choosing Rename. For this example, we have renamed it to Delete Logging.
After renaming it, click the Actions button to configure a logging action. Existing actions are shown on the right and can be edited. I am using the default action of writing to a text-based log file in this example. There are many other options, such as sending email or SMS alerts, syslogging, executing a script, or sending a desktop notification. A complete list of options is below.
Select Write to ServerEvents.txt log file from the Global Action List and click the << arrows to move it to Error Actions. The Error Actions box will look like the screenshot below. Click Apply to finish configuration.
Now that we've configured the monitor and action, it's time to test. Navigate to the shared directory. I have added test data for the examples in this article. In the example below, I'm going to delete file "File1.txt" and the "2" directory from the file share.
Now let's verify we logged the change. The log file is located on the File Sight server. Open the log file in a basic text editor and search for the name of the Delete Logging monitor to locate changes to the directory. The screenshot below shows the output, modified to fit the screen.
As you can see, the log file gives sufficient data to show who deleted the file, the time, and the source computer. All are extremely helpful for troubleshooting mysteriously removed files.
Alert on suspicious behavior
Logging access information to a file is great for troubleshooting, but what if you want to be alerted on more suspicious activity? For example, it's not unusual for a user to copy a few files during the day, but it may be concerning if someone did a mass copy to a local computer or USB drive. It may be preferable to get an alert and log the access data in that situation. I am going to set up logging and an email alert for a mass copy action in this example.
The first step is to set up the SMTP server. Go to All Actions, E-mail Message, and right-click on E-mail Message. Select Add New Action. Enter the SMTP server information including the server name, port, and any other required authentication information. There is an option for a backup email server in the event the primary one is not available. For this example, I'm using PaperCut installed on the File Sight server. This is an SMTP server and client built for testing email actions without using a real account or email server. Once finished, apply the settings and test.
Now that you've configured the email server, go to Servers, File01, and add a new File Sight Monitor. Rename the monitor this time by going to Advanced Options, Details, and change Monitor Title to Copy Watch.
In File Sight Configuration, add the Directory to monitor at the top of the window. Next, go to User Activities, select the first box, READS more than the following…, and set the number of files to 15. Leave the time range at the bottom of the window at 5 minutes and click OK.
Now that we've configured the monitor, the next step is to set the action. Click Actions on the right side of the monitor tab to define an action. The email information set up previously will show up under Global Action List. Add that and the Write to serverevents.txt log file to the actions. Monitor actions should look like the screen below once finished.
Once the action is set up, it's time to test. Start by copying 14 files from the target directory to a local directory. The trigger is set to fire at 15 or more, so there should be no alert. Copy additional files within five minutes to trigger the email notification.
The file copy triggered the email message (below) alerting on the suspicious copy activity.
Blocking suspicious activity
The last test goes beyond alerting and takes action to prevent or limit malicious activity on a file server. Ransomware, such as CryptoLocker, rapidly interacts with the file system, encrypting and renaming files as it does its damage. This test will monitor for file deletes or file renames and dynamically block a user's access to the file system if activity goes beyond a specified threshold.
Create a new monitor, go to Advanced Options, Details, and change the Monitor Title to something fitting for your environment, such as Virus Lockout.
Click OK and set the Directory to Monitor. At the File Sight Configuration window, go to User Activities and select Deletes and Renames; set the value to 15 for this example. Next, change the Time Range to 2 minutes for a more aggressive monitor. Once finished, the monitor should look like this:
Next, go to Configure Actions for the monitor. This example will block the user and send an email message. Select the Add to Blocked User List - 3h and E-mail Message actions and add them to the Error Action list. Click on Apply to set the configuration.
To test, I'll run a simple PowerShell script to rename files in the watched directory. This quickly triggered the alert email below.
Attempting to browse the directory gives me a permission error.
The user will stay locked out until the time restriction has passed. Alternatively, removing users from the Global Blocked User List will manually unblock them to let them regain their access.
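The per-user threshold logic behind the Copy Watch and Virus Lockout monitors above can be sketched as follows. This is an added Python example, not PA File Sight's code or log format: the event tuples, the rule table layout and the fire-at-threshold behaviour are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# name: (actions counted, threshold, window, block duration or None).
# Values are the ones set in the article's two monitors.
RULES = {
    "Copy Watch": ({"read"}, 15, timedelta(minutes=5), None),
    "Virus Lockout": ({"delete", "rename"}, 15, timedelta(minutes=2),
                      timedelta(hours=3)),
}

def evaluate(events, rules=RULES):
    """Return [(time, user, rule, blocked_until)] for time-sorted events.

    Assumption: a rule fires once `threshold` matching events from one user
    fall inside the window, as in the article's 14-then-more copy test.
    """
    recent = defaultdict(deque)  # (rule, user) -> timestamps still in window
    alerts = []
    for ts, user, action in events:
        for name, (actions, threshold, window, block_for) in rules.items():
            if action not in actions:
                continue
            q = recent[(name, user)]
            q.append(ts)
            while ts - q[0] >= window:  # drop events that aged out
                q.popleft()
            if len(q) >= threshold:
                until = ts + block_for if block_for else None
                alerts.append((ts, user, name, until))
                q.clear()  # re-arm so one burst produces one alert
    return alerts

def sample_events():
    """Constructed events (time, user, action); not real File Sight output."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    ev = [(t0 + timedelta(seconds=4 * i), "alice", "read") for i in range(14)]
    ev.append((t0 + timedelta(minutes=3), "alice", "read"))  # 15th read
    # bob: burst of 20 renames, two seconds apart
    ev += [(t0 + timedelta(seconds=2 * i), "bob", "rename") for i in range(20)]
    # carol: 16 deletes, one per minute, never 15 inside two minutes
    ev += [(t0 + timedelta(minutes=i), "carol", "delete") for i in range(16)]
    return sorted(ev, key=lambda e: e[0])

if __name__ == "__main__":
    for alert in evaluate(sample_events()):
        print(alert)
```

The slow deleter (carol) never trips the two-minute window even after 16 deletions, which shows how the time range setting trades sensitivity against false lockouts.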
PA File Sight is a feature-rich utility that fills gaps left by Windows File Services. File Sight is a good option for environments with tight regulatory requirements where access to files requires tight control and auditing. It can augment a traditional antivirus service by blocking zero-day attacks based on file access patterns. It also has endpoint management that will manage the use of USB devices and aid in data loss prevention.