Applicable to:
- Plesk for Windows
Information
Note: Security configuration and event audits are out of scope of Plesk Technical Support and should be performed by your company's Security Administrator.
However, here are some recommendations for Microsoft Windows built-in tools that allow you to audit files and folders and protect your server from unauthorized use. In some cases it is necessary to know who modified or deleted a file or folder, and when.
Microsoft Windows allows you to monitor several event types for security purposes.
This article describes how to set up a file audit on a Windows 2022 server and how to obtain audit log data from the Event Viewer.
Steps
1. Enable Audit process tracking for Success and Failure results:
   - Open Start -> Run
   - Type secpol.msc and hit Enter
   - Navigate to Security Settings -> Local Policies -> Audit Policy
   - Edit the Audit process tracking key and enable auditing of both Success and Failure events
   The resulting settings should look similar to this picture:
2. Propagate the policy changes:
   - Open Start -> Run
   - Type in gpupdate /force and hit Enter.
3. Set up auditing on the required files and folders for the needed event types:
   - Open Windows Explorer and navigate to the file (or folder) in question.
   - Right-click the file and select Properties.
   - On the Security tab, click the Advanced button.
   - Switch to the Auditing tab.
   - Click Add to choose the users and groups to monitor. The common practice is to add the Authenticated Users group as the Principal.
   - In Type, select the required events (Success or Failure). For a complete audit, select both, and likewise select all permissions.
   The resulting settings should look similar to this picture:
   Now all access attempts will be tracked in the Security log of Event Viewer.
4. Open the Event Viewer:
   - Open Start -> Run
   - Type eventvwr and hit Enter
5. Select the Security section.
6. On the right side, click Find and type the name of the file that should be audited. In this example: FileToTrackAccess.txt
7. In the Details of the audit record that is found, look for the Logon ID and note it.
8. Again on the right side, click Find and type the Logon ID we are looking for.
9. The IP address will be shown in the Details.
10. Export the Security log from Event Viewer:
    - Open Start -> Run.
    - Type Powershell and hit Enter. Then enter:
      Get-WinEvent -FilterHashtable @{LogName='Security'} | ConvertTo-Html -Head '' -PreContent '<h2>Security audit log</h2>' | Out-File C:\SecurityLog.htm
11. Open the resulting HTML file in your web browser (located at C:\SecurityLog.htm):
    - Open the search box with Ctrl+F.
    - Search for the required file name to find out what access attempts have been made. For example, we found that FileToTrackAccess.txt was opened with notepad.exe:
    Once found, note the Logon ID to find the IP address from which the user was logged in.
12. Find the corresponding logon event in the HTML file using the Logon ID from the previous step:
    As seen in the picture, the notepad.exe edits were performed by the user Administrator (who logged on remotely from IP 192.0.2.2).
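The Event Viewer search described above (file name -> Logon ID -> source IP address) can also be done from PowerShell. The following script is an added example, not part of the article; it assumes the Security log contains the standard Windows file-access events (ID 4663, recorded once the auditing entries above are in place) and logon events (ID 4624), whose field names are the standard ones and are not taken from the article.

```powershell
# Added example (not from the Plesk article). Run in an elevated PowerShell.
# Correlates file-access audit events with the logon session that produced
# them, using only the Security log, to answer "who, from where, with what".
param(
    [string]$FileName  = 'FileToTrackAccess.txt',  # file name from the example
    [int]   $MaxEvents = 5000                      # newest events to scan per ID
)

# Flatten an event's EventData section into a hashtable keyed by field name.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

# Step A: map Logon ID -> session source from logon events (ID 4624).
# IpAddress is '-' or '127.0.0.1' for local and service logons.
$sessions = @{}
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
             -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetLogonId -and -not $sessions.ContainsKey($d.TargetLogonId)) {
            $sessions[$d.TargetLogonId] = "$($d.IpAddress) (logon type $($d.LogonType))"
        }
    }

# Step B: list file-access events (ID 4663) for the file and join them to the
# map via SubjectLogonId, which is the Logon ID the article tells you to note.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } `
             -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.ObjectName -like "*\$FileName") {
            $source = 'logon event not in the scanned range (log may have rolled over)'
            if ($sessions.ContainsKey($d.SubjectLogonId)) { $source = $sessions[$d.SubjectLogonId] }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                LogonId = $d.SubjectLogonId
                Process = $d.ProcessName
                Source  = $source
            }
        }
    } | Format-Table -AutoSize
```

Increase -MaxEvents if the logon event for an older session is not found; on a busy server the Security log can roll over between the logon and the file access, which is why exporting the log regularly (as in the steps above) matters.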
Note: This procedure may not work as expected if the server is a member of an Active Directory domain with group policies assigned. Consult your network administrator if needed to clarify this aspect.
Additional information
The above steps represent one of many possible ways to audit access to files and folders on your server. It is suggested that you provide this information to your company's Security Administrator so that the task can be performed more efficiently.