How to set up file audit on Windows server?


2016-11-16 12:48:24 UTC


2017-08-16 18:26:18 UTC


Was this article helpful?

Have more questions?

Submit a request

How to set up file audit on Windows server?

Applicable to:

  • Plesk 12.0 for Windows
  • Plesk 12.5 for Windows


Security configuration and events audits fall out of scope of Plesk Technical Support and should be performed by your company's Security Administrator. However, there are some recommendations for Microsoft Windows built-in tools that will allow you to perform audits on files and folders and protect your server from unauthorized use.

In some cases it is necessary to know who modified or deleted a file or folder and when. Microsoft Windows allows you to monitor several event types for security purposes.

This article describes how to set up a files audit on a Windows 2008 R2 server and how to obtain log data.

1. Enable Audit process tracking for Success and Failure results:
- Open Start -> Run

- Type secpol.msc and hit Enter

- Navigate to Security Setting -> Local Policies -> Audit Policy

- Edit Audit process tracking key and enable both Success and Failure events auditing

Resulting settings should look similar to this picture:

2. Propagate policy changes:

- Open Start -> Run

- Type in gpupdate /force and hit Enter.

3. Set up auditing on required files and folders for needed event types:

- Open Windows Explorer and navigate to the file (folder) in question.

- Right-click the file and call Advanced menu on Security tab of the file's Properties.

- Switch to the Auditing tab and hit the Edit button.

- Click Add to choose users and groups for monitoring. The common practice is to add Authenticated Users group.

- Select checkboxes on required events for both Success and Failure in Auditing Entry . For an explicit audit, select all checkboxes.

Resulting settings should look similar to this picture:

Now all access attempts will be tracked in the Security log of Event Viewer. If the Security Administrator wants to check whether the file was accessed or not, the simplest way is to export the Event Viewer Security log to text or a HTML file and find the corresponding logon and access events:

4. Export Security log from Event Viewer :

- Open Start -> Run.

- Type in the below line and hit Enter:

wmic ntevent where log='Security' get LogFile, SourceName, EventType,Message, TimeGenerated /format:htable > C:\\SecurityLog.htm

5. Find the corresponding log entries in the resulting HTML file:

- Open the resulting HTML in your web browser.

- Open context search with Ctrl+F.

- Search for the required file name to find out what access attempts have been made.

- In this example, we found that FileToTrackAccess.txt was opened with notepad.exe:

Once found, remember the Logon ID to find the IP address from where the user was logged in.

6. Find the corresponding login event in the HTML file using the Logon ID from the previous step:

As seen in the picture, notepad.exe edits were performed by the user Administrator _who logged on remotely from IP _192.0.2.2 .NOTE: This procedure may not work as expected if the server is the member of an Active Directory domain with group policies assigned. Consult with your network administrator if needed to clarify this aspect.

Additional information

The above steps represent one of many possible ways to audit access to files and folders on your server. It is suggested that you provide this information to your company's Security Administrator to perform the task more efficiently.

Additional sources:\_policy\_security\_audit.htm\_policy.html

Have more questions? Submit a request
Please sign in to leave a comment.