Auditing Access to Files
To audit access to files, you must perform two tasks:
1.) Enable the Audit Policy called "Audit Object Access".
2.) Enable auditing on the individual files and folders you wish to audit.
Both of these procedures are outlined below.
To enable the "Audit Object Access" policy, do the following:
(Note: this procedure shows how to set up auditing using "Local Security Policy".
If your computer is a member of a domain, you can perform the same tasks using
Group Policy. Be aware that Group Policy settings will override Local Policy settings.)
1.) Click on "Start" -> "Programs" -> "Administrative Tools" -> "Local Security Policy".
2.) Navigate to "Audit Policy" in the left pane.
3.) In the left pane of "Local Security Settings" window, double click on the "Audit Object Access" entry.
4.) Click on the "Success" and "Failure" checkboxes to enable auditing for files.
5.) Click on the "OK" button.
To enable auditing of an individual file or folder, do the following:
1.) Right click on the file in Explorer, and choose "Properties", as shown in the figure.
2.) Click on the Security tab, and then click on the "Advanced" button as shown in the figure.
If you don't have a Security tab, you are probably not using NTFS. If so, it is strongly
recommended that you upgrade to NTFS (using the convert /FS:NTFS command) so that you
can use file permissions.
3.) Click on the "Auditing" tab, and then click on the "Add" button, as shown in the figure.
4.) Double click on the "Everyone" group.
5.) Click on the actions you wish to Audit, and then click on "OK".
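The same two tasks can be scripted. The following is an added example, not part of the original page: it assumes an elevated PowerShell 5 or later session on an English-language Windows system that ships auditpol.exe, and the path C:\Data\Payroll and the selection of audited rights are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original page.
param(
    [string]$Path = 'C:\Data\Payroll'   # hypothetical file or folder on an NTFS volume
)

# Task 1: enable the "Audit Object Access" policy for Success and Failure.
# The category name is localized; "Object Access" is the English name.
# On a domain member, Group Policy can override this local setting.
auditpol /set /category:"Object Access" /success:enable /failure:enable
if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

# Task 2: add an audit entry (SACL) for the Everyone group.
# The SID S-1-1-0 is used instead of the name, which differs between languages.
$everyone = [System.Security.Principal.SecurityIdentifier]::new('S-1-1-0')

# Actions to audit (assumed selection): changes, deletions and permission edits.
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

# A folder passes the entry on to its files and subfolders; a single file does not.
if (Test-Path -LiteralPath $Path -PathType Container) {
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
} else {
    $inherit = [System.Security.AccessControl.InheritanceFlags]::None
}
$propagate = [System.Security.AccessControl.PropagationFlags]::None

$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    $everyone, $rights, $inherit, $propagate, $flags)

# -Audit is required, otherwise Get-Acl does not return the audit entries.
$acl = Get-Acl -LiteralPath $Path -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Path -AclObject $acl

# Check: show the audit entries now on the object and the effective policy.
(Get-Acl -LiteralPath $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
auditpol /get /category:"Object Access"
```

Both parts are needed: the audit entry on the file has no effect while the policy is disabled, and the policy alone records nothing for files without an audit entry. The resulting events are written to the Security event log.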