
Audit File System

  • Article
  • 10/26/2022

Note

For more details about applicability on older operating system versions, read the article Audit File System.

Audit File System determines whether the operating system generates audit events when users attempt to access file system objects.

Audit events are generated only for objects that have configured system access control lists (SACLs), and only if the type of access requested (such as Write, Read, or Modify) and the account making the request match the settings in the SACL.

If success auditing is enabled, an audit entry is generated each time any account successfully accesses a file system object that has a matching SACL. If failure auditing is enabled, an audit entry is generated each time any user unsuccessfully attempts to access a file system object that has a matching SACL.

These events are essential for tracking activity for file objects that are sensitive or valuable and require extra monitoring.

Event volume: Varies, depending on how file system SACLs are configured.

No audit events are generated for the default file system SACLs.

This subcategory allows you to audit user attempts to access file system objects, deletions of file system objects, permission changes, and hard link creation.

Only one event, “4658: The handle to an object was closed,” depends on the Audit Handle Manipulation subcategory (Success auditing must be enabled). All other events generate without any additional configuration.

Computer Type       General Success   General Failure   Stronger Success   Stronger Failure
Domain Controller   IF                IF                IF                 IF
Member Server       IF                IF                IF                 IF
Workstation         IF                IF                IF                 IF

IF = enable if needed for your scenario or role.

Comments (apply to all three computer types): We strongly recommend that you develop a File System Security Monitoring policy and define appropriate SACLs for file system objects for different operating system templates and roles. Do not enable this subcategory if you have not planned how to use and analyze the collected information. It is also important to delete non-effective, excess SACLs; otherwise the audit log will be overloaded with useless information. Failure events can show you unsuccessful attempts to access specific file system objects. Consider enabling this subcategory for critical computers first, after you develop a File System Security Monitoring policy for them.

Events List:

  • 4656(S, F): A handle to an object was requested.

  • 4658(S): The handle to an object was closed.

  • 4660(S): An object was deleted.

  • 4663(S): An attempt was made to access an object.

  • 4664(S): An attempt was made to create a hard link.

  • 4985(S): The state of a transaction has changed.

  • 5051(-): A file was virtualized.

  • 4670(S): Permissions on an object were changed.
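The subcategory setting and the SACL are two separate switches, and both must be set before any of the events above appear for a given folder. The following PowerShell, added here and not part of the Microsoft article, sets both for one folder and then reads both back. The folder path is an assumption; the audited principal and rights are choices that should come from your own File System Security Monitoring policy.

```powershell
# Added example, not part of the Microsoft article. Enables the File System
# subcategory and puts a SACL on one folder so the events listed above are
# generated for it. Run in an elevated PowerShell session on the file server.
# $Target is an assumed folder; the principal and rights below are choices
# to take from your own monitoring policy.

$Target = 'D:\Finance\Cardholder'   # assumed folder holding protected data

# 1. Turn on Success and Failure auditing for the subcategory. If Advanced
#    Audit Policy is managed by Group Policy, set it there instead: the next
#    policy refresh would otherwise undo this local change.
auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit ACE (a SACL entry) to the folder. Without a matching SACL no
#    4656/4663/4670 events are written, however the subcategory is set.
#    ReadData is included because this folder holds protected data; on a busy
#    share it is the right that drives the "event volume varies" warning above,
#    so leave it out of SACLs on folders you only need to watch for changes.
$acl  = Get-Acl -Path $Target -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',                                               # who is audited
    [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Verify both halves: the policy setting and the SACL that was actually
#    written (Get-Acl without -Audit does not return audit rules at all).
auditpol.exe /get /subcategory:"File System"
(Get-Acl -Path $Target -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags -AutoSize
```

Setting the SACL requires the "Manage auditing and security log" privilege, which is why the session must be elevated. After this runs, a read of any file under the folder produces a 4656 followed by a 4663 for the account that opened it, and a permission change produces a 4670; the 4658 close event still needs Audit Handle Manipulation enabled, as noted above.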


Meeting Compliance Objectives

Nothing is more confusing than trying to meet compliance objectives. They are generally written to apply to any operating system, any network, and any infrastructure. While it is understandable that standards cannot be written for the specific way your organization operates, authors have had to become more technically specific in recent years to home in on what is required of regulated businesses.

Most compliance standards revolve around a particular protected data set – health records, credit card details, personal information, and more – providing guidance around both optional and mandatory controls used to ensure proper access to, and usage of, that data.

Some standards are "ancient" by IT standards even when only a few years old. With controls as unhelpful as "establish and maintain levels of security", it is no wonder IT organizations are left wondering whether they meet the requirement or not. The best examples of compliance mandates with easily applicable standards are the Payment Card Industry Data Security Standard (PCI DSS) v3.0 and the European Union's forthcoming General Data Protection Regulation (GDPR).

But even with well-written standards, there’s still no way for the author to know exactly where each organization is storing its protected data. Thus, the standards, while written with technical specifications around the use of encryption, authentication methods, levels of access, and more, still require IT to determine the best way to ensure the intent of the standard is met.

Where’s Your Protected Data?

To determine how to tactically best meet a given compliance standard, IT needs to look at what systems, applications, and platforms are used to store protected data.

Many Windows-based networks continue to host protected data on server-based file systems, making these servers a primary target for external attackers intent on exfiltrating data. And if you keep protected data in a database, keep in mind that a database is, at the end of the day, still a set of files, and files can be stolen and read off-site.

And, that’s where File Auditing comes into play.

Defining File Auditing

Let’s first look at what capabilities should be a part of file auditing that can apply to both native Windows tools, as well as 3rd-party solutions.

  1. Logging – all access and changes to files and folders, including data and permissions should be logged.
  2. Visibility – all audit log data should be easily accessible to be reviewed, filtered, searched, etc.
  3. Alerting – notifications should be sent based on matching criteria to actions deemed suspect.
  4. Reporting – this gets a bit tricky, but even native tools have the ability to export log data. So, even if it’s not pretty, the ability to generate sharable “reports” should be a part of file auditing.

In many cases, compliance requirements establish the security objective, and then provide detail on how to test that the objective is being met. File Auditing is your testing method to ensure the security you think you have around your protected data is actually doing its job.

So, how can you use File Auditing to help meet your compliance objectives?

Using File Auditing in Compliance

The activity detail collected and monitored, as part of ongoing file auditing, is useful to meet several kinds of compliance objectives. Because this paper is not being written to demonstrate file auditing’s application to a specific mandate, let’s cover four generic use cases, discussing the role File Auditing plays in each.

1. Monitor Assignment of Secure Access Controls

Nearly every compliance mandate starts with putting protection in place around files containing protected data. Tactically this includes scrutinizing the establishment and assignment of least privilege permissions to users and groups. Are the permissions assigned correct for the job function/role? Is the right user or group being chosen during assignment? Is the user making the change approved to do so?

Note: At a time where external attackers seek to enjoy the maximum access possible within your network, one of the many possible steps taken is to create multiple users and assign them elevated permissions. This is done to ensure a level of persistent access within the network – should one account be discovered, there are 20 more accounts behind it the attacker can utilize.

The Role of File Auditing
File Auditing monitors changes, and attempted changes, to file or folder permissions, usually documenting which permissions were changed, the object path, the user making the change, and other identifying details such as machine name and IP address. Alerting and reporting on the changes made can provide both real-time and historical detail.

2. Monitor Access To and Usage of Protected Data

Compliance is not a destination; it’s a continual journey where each day IT must be certain its environment remains compliant. Therefore, IT needs to have constant visibility into what protected data is being accessed, by whom, when, from where, etc. This real-time information is absolutely necessary to remain vigilant against inappropriate access by malicious insiders and external attackers leveraging compromised credentials.

Additionally, some auditors like to follow the audit trail beginning with those that have access all the way down to being shown specifically what actions were taken with the access provided. To provide this information, a historical record of all activity is required to satisfy auditor requirements.

The Role of File Auditing
File Auditing detail is used to demonstrate that only approved access has occurred. Alerting and reporting can provide both real-time and historical detail, including identifying details such as machine name and IP address. Robust filtering capabilities help quickly answer the questions posed by auditors.
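The "identifying details" named in use cases 1 and 2 are fields of the Security-log events listed in the first half of this page: 4670 for permission changes and 4663 for access. The following PowerShell, added here and not part of the white paper or of any vendor product, pulls both out of the local Security log for one protected folder and flattens the fields an auditor asks for (who, what, when, which access, from which process) into one row per event. The folder path and the 24-hour window are assumptions.

```powershell
# Added example, not part of the white paper or any product. Reads file access
# (4663) and permission change (4670) events for one protected folder from the
# local Security log and flattens the fields an auditor asks for. Run elevated
# on the file server. $ProtectedPath and the 24-hour window are assumptions.

$ProtectedPath = 'D:\Finance\Cardholder'
$Since         = (Get-Date).AddHours(-24)

# The AccessMask reported in 4663 uses the same bit values as FileSystemRights.
$MaskNames = @{
    0x1     = 'ReadData'
    0x2     = 'WriteData'
    0x4     = 'AppendData'
    0x10000 = 'Delete'
    0x40000 = 'ChangePermissions'
    0x80000 = 'TakeOwnership'
}

function ConvertFrom-AccessMask ([int]$Mask) {
    $names = foreach ($bit in $MaskNames.Keys) { if ($Mask -band $bit) { $MaskNames[$bit] } }
    if ($names) { $names -join ',' } else { '0x{0:x}' -f $Mask }
}

function Get-ProtectedFileActivity {
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4663, 4670; StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # EventData fields are easiest to read from the event XML:
        # each <Data Name="..."> element is one named field.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4670 also fires for registry keys and other object types; the path
        # prefix filter keeps only events for our folder.
        if ($data.ObjectName -notlike "$ProtectedPath*") { continue }

        if ($e.Id -eq 4663) {
            $detail = ConvertFrom-AccessMask ([int]$data.AccessMask)   # e.g. "0x1" -> ReadData
        } else {
            # OldSd/NewSd are SDDL strings; ConvertFrom-SddlString decodes them.
            $detail = "DACL changed: $($data.OldSd) -> $($data.NewSd)"
        }

        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Subject = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object  = $data.ObjectName
            Detail  = $detail
            Process = $data.ProcessName
        }
    }
}

Get-ProtectedFileActivity | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Two caveats a practitioner should know before handing this to an auditor: a 4663 is written only the first time each access right is exercised on a handle, so one 4663 with ReadData may stand for many reads through the same open file; and neither event carries the client IP address, which for access over SMB comes from the separate Audit File Share subcategory (5140/5145) and has to be joined on time and subject.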

3. Measuring Access Control Strength

It is not unusual for IT to let Active Directory evolve organically. Group memberships are rarely attested, permissions even less so, and nested group memberships are rarely checked, all of which results in 71% of users stating they are over-permissioned and have access to data they should not see1.

So, when it comes to assigning access controls, it’s possible that users who aren’t intentionally supposed to have access, actually do. And, given the need for least privilege in an environment housing protected data, it makes sense to identify which users are attempting access.

The Role of File Auditing
File Auditing can provide details of user accounts that have taken steps to access protected data, documenting the actions taken and the files and folders impacted. This can be cross-referenced with the intended security controls to ensure they are correct.

4. Detect Breaches

While no organization wants to experience a data breach (and, therefore, a breach of compliance in the case of protected data being stolen), it remains a definite possibility. Should protected data reside on a file server, obvious leading indicators of a breach will exist. Abnormalities in file activity will occur such as nonstandard access times or large amounts of data accessed.

The Role of File Auditing
By watching the access and usage of protected data on file servers, it’s possible to detect a data breach based on unusual activity. The ability to analyze audit log data allows suspicious actions to be spotted, notifying IT of a potential breach and ensuring a quick reaction when necessary.

3rd-Party Solution vs. Native Tools

Unless you are new to IT, you already know that the ability to audit Windows file systems has been an integrated component of the Windows Server operating system for the last 20 years. The Event Viewer tool provides functionality to centralize, view, filter, and sort file audit data. It even has a rudimentary ability to set up notifications by attaching a scheduled task to an event.

So, why use a 3rd-party file auditing solution?

The answer lies in the gaps in functionality, performance, and detail provided by native tools.

More Than Just Information – Intelligence and Insight

The native log data provides all the detail needed. In fact, many 3rd-party solutions simply leverage the very same detail you can find in Event Viewer. But Microsoft isn’t in the auditing business, and so the log data is nothing but raw information.

For example, moving a file from one partition to another produces between 6 and 10 event entries and is recorded as a copy and a delete, not as a "move". 3rd-party solutions turn information into intelligence, working out that those 10 or so events are actually a single operation, and display or alert on it as such.
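The correlation described here, and the "abnormal activity" detection from the Detect Breaches use case, can both be done over the native events once they are flattened. The following PowerShell, added here and not part of the white paper or of any vendor product, runs over a constructed set of 4656/4663/4660 events (labelled as such in the code) and does three things the raw log does not: it gives each 4660 delete a path by joining on HandleId, it folds a write-plus-delete of the same file name into one "Move" operation, and it flags a subject that reads an unusual number of distinct files or reads outside working hours. Thresholds, account names and paths are illustrative.

```powershell
# Added example, not from the white paper or any product. Turns raw File System
# audit events back into logical operations and flags unusual activity. $Sample
# is a constructed event set so the script runs without a Security log; on a
# real server build the same objects from Get-WinEvent -Oldest (IDs 4656, 4663,
# 4660) using ObjectName, HandleId and AccessMask from the event XML. Events
# are assumed to be in chronological order.

function New-Ev ($Time, $Id, $Subject, $Handle, $Object, $Access) {
    [pscustomobject]@{ Time=[datetime]$Time; Id=$Id; Subject=$Subject
                       Handle=$Handle; Object=$Object; Access=$Access }
}

$Sample = @(
    # alice moves Q1.xlsx from D: to E:. Windows records a read of the source,
    # a write of the destination and a delete of the source. Note that 4660
    # carries no ObjectName, only the HandleId of the preceding 4656/4663.
    New-Ev '2024-03-04 09:12:01' 4656 'CORP\alice' '0x1a4' 'D:\Finance\Q1.xlsx' 'ReadData'
    New-Ev '2024-03-04 09:12:01' 4663 'CORP\alice' '0x1a4' 'D:\Finance\Q1.xlsx' 'ReadData'
    New-Ev '2024-03-04 09:12:01' 4663 'CORP\alice' '0x1b0' 'E:\Archive\Q1.xlsx' 'WriteData'
    New-Ev '2024-03-04 09:12:02' 4656 'CORP\alice' '0x1c8' 'D:\Finance\Q1.xlsx' 'Delete'
    New-Ev '2024-03-04 09:12:02' 4660 'CORP\alice' '0x1c8' $null $null
    # bob reads one file during the working day: expected.
    New-Ev '2024-03-04 10:03:10' 4663 'CORP\bob' '0x2f0' 'D:\Finance\Budget.docx' 'ReadData'
    # svc-backup reads 30 distinct cardholder files within a minute at 02:00.
    foreach ($i in 1..30) {
        New-Ev ('2024-03-05 02:00:{0:d2}' -f $i) 4663 'CORP\svc-backup' ('0x3{0:x2}' -f $i) "D:\Finance\Cardholder\rec$i.csv" 'ReadData'
    }
)

# 1. Give each 4660 (delete) a path by joining on HandleId to the last
#    4656/4663 of the same subject: the first thing a raw log does not tell you.
function Resolve-DeletedPath ($Events) {
    $byHandle = @{}
    foreach ($e in $Events) {
        $key = "$($e.Subject)|$($e.Handle)"
        if ($e.Id -in 4656, 4663 -and $e.Object) { $byHandle[$key] = $e.Object }
        elseif ($e.Id -eq 4660) { $e.Object = $byHandle[$key]; $e.Access = 'Delete' }
    }
    $Events
}

# 2. Pair a write of <name> on one path with a delete of <name> on another by
#    the same subject within $Window seconds: the several events of a move.
function Find-Moves ($Events, [int]$Window = 5) {
    $writes = @($Events | Where-Object { $_.Id -eq 4663 -and $_.Access -eq 'WriteData' })
    foreach ($del in ($Events | Where-Object { $_.Id -eq 4660 -and $_.Object })) {
        $leaf  = Split-Path $del.Object -Leaf
        $match = $writes | Where-Object {
            $_.Subject -eq $del.Subject -and (Split-Path $_.Object -Leaf) -eq $leaf -and
            $_.Object -ne $del.Object -and
            [math]::Abs(($_.Time - $del.Time).TotalSeconds) -le $Window } | Select-Object -First 1
        if ($match) {
            [pscustomobject]@{ Operation='Move'; Subject=$del.Subject; From=$del.Object; To=$match.Object; Time=$del.Time }
        }
    }
}

# 3. Flag a subject that read more than $Threshold distinct files inside
#    $WindowMinutes, or read anything outside 07:00-19:00. Thresholds are
#    illustrative; tune them to the share's normal traffic.
function Find-UnusualReads ($Events, [int]$Threshold = 20, [int]$WindowMinutes = 5) {
    $reads = $Events | Where-Object { $_.Id -eq 4663 -and $_.Access -eq 'ReadData' }
    foreach ($g in ($reads | Group-Object Subject)) {
        $r = @($g.Group | Sort-Object Time)
        for ($i = 0; $i -lt $r.Count; $i++) {
            $end   = $r[$i].Time.AddMinutes($WindowMinutes)
            $files = @($r | Where-Object { $_.Time -ge $r[$i].Time -and $_.Time -le $end } |
                      Select-Object -ExpandProperty Object -Unique)
            if ($files.Count -gt $Threshold) {
                [pscustomobject]@{ Indicator='BulkRead'; Subject=$g.Name; Count=$files.Count; At=$r[$i].Time }
                break
            }
        }
        $off = @($r | Where-Object { $_.Time.Hour -lt 7 -or $_.Time.Hour -ge 19 })
        if ($off.Count) {
            [pscustomobject]@{ Indicator='OffHours'; Subject=$g.Name; Count=$off.Count; At=$off[0].Time }
        }
    }
}

$resolved = Resolve-DeletedPath $Sample
Find-Moves        $resolved | Format-Table -AutoSize
Find-UnusualReads $resolved | Format-Table -AutoSize
```

On the constructed input this reports one Move for CORP\alice (D:\Finance\Q1.xlsx to E:\Archive\Q1.xlsx) and two findings for CORP\svc-backup, a BulkRead of 30 files and an OffHours read at 02:00, while bob's single daytime read produces nothing. HandleId values are reused once a handle is closed, which is why the lookup in step 1 is keyed on subject and handle and always takes the most recent 4656/4663; feeding events out of order breaks that join.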

Additionally, some solutions don’t just stop with intelligence; they analyze patterns of activity, looking for anything out of the ordinary, taking intelligence, and turning it into insight – empowering IT to make decisions around whether activity is appropriate or not, whether they are in compliance or not, and what actions they need to take next.

(Lots) More Functionality

We previously mentioned “Microsoft isn’t in the auditing business” – and it’s true. They provide tools for those that only need the most basic of functionality. 3rd-party solutions focus on automating much of the auditing work, with augmented capabilities around collection, consolidation, presentation, searching, filtering, alerting, reporting, and even task automation.

All of these enhanced capabilities increase IT productivity, speeding up the auditing process, and assisting with improving the overall security of your protected data.

Ease of Use and Audit-Ready

Unlike native tools, which simply address the task of consolidating and presenting event data, 3rd-party solutions are purpose-built, improving the audit experience by focusing on the specific needs around compliance audits, the use of solutions by IT and auditors alike, and the detail necessary to ensure compliance.

Being easy to use and intuitive, monitoring can even be delegated to non-IT colleagues who have a better understanding of the data in their business line. This helps ensure a more effective auditing system.

Meeting Compliance and Avoiding Penalties with File Auditing

While no compliance mandate is solely focused on auditing file systems, the fact that your organization hosts protected data on file servers forces you to be able to establish, maintain, and prove that compliance-specific access controls are in place.

Whether you choose to use native tools, or leverage a 3rd-party solution, the need to have the provisioning, access to, and usage of protected data under close watch is critical to meeting relevant compliance objectives. By putting file auditing in place, you place your organization in a proactive stance where the security of your data is upheld, and adhering to compliance standards is simplified.

1 Ponemon, Corporate Data: A Protected Asset or a Ticking Time Bomb? (2014)

