But once you enable native file access logging, be ready to be swamped by the enormous number of read events generated by your users. In order to track object access events, you need to enable specific Group Policy settings in Active Directory or local security policy settings on your Windows file server also, don’t forget to apply NTFS access auditing settings to check that file auditing is properly recorded in the security event log. Making sure to log file access attempts and regularly reviewing those events helps you keep access to sensitive information under control, thereby minimizing the risk of data exfiltration.
In addition, users sometimes try to read files containing sensitive data they don’t have access to. For example, an office manager might mistakenly have permissions to read documents of the Accounting department, which could lead to a security breach. Sometimes users are granted access rights that enable them to read files containing sensitive data they shouldn’t see. Open Event Viewer → Search the Security Windows Logs for event ID 4663 with the string "Accesses: ReadData (or ListDirectory)" and review who read or attempted to read files on your file servers.Force a Group Policy update on the selected OU: Go to "Group Policy Management" → Right-click the OU → Сlick "Group Policy Update".Link the new GPO to an OU with file servers as follows: Go to "Group Policy Management" → Right-click the OU → Click "Link an Existing GPO" → Select the GPO that you created.Retention method for security log: “Overwrite events as needed”.Go to Event Log → Define and specify the following settings:.Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit Handle Manipulation → Define → Success and Failures.Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit File System → Define → Success and Failures.
Local Policies → Audit Policy → Audit object access → Define → Success and Failures.Log on to your domain controller and run gpmc.msc → Create a new GPO and define its name → Go to “Computer Policy” → Click “Computer Configuration” → Choose “Windows Settings” → Click “Security Settings” and enable the following settings:.Configure the following settings: Principal: "Everyone" Type: "All" Applies to: "This folder, subfolders and files" Advanced Permissions: "List folder / read data" → Click "OK" three times.Switch to the "Security" tab → Click the "Advanced" button → Go to the "Auditing" tab → Click the "Add" button.Navigate to the required file share → Right-click it and select "Properties".How to Detect Who Read a File on Windows File Servers.
0 kommentar(er)
