When IT admins receive a file restore request after an "accidental" file deletion, there is often no way to tell who deleted the file. The file is typically restored from last night's backup and the ticket is closed. The root cause is never determined: who deleted the file, and why?
How do we fix this operational and security issue and prevent it from happening in the first place?
Windows servers have included built-in file system auditing features for years.
However, configuring, monitoring and maintaining these raw event logs is time consuming with minimal benefit, in practice.
- Windows file system auditing first requires that auditing of object access attempts be enabled, via the local or domain security policy settings.
- Next, each folder's auditing settings must be modified to include the users you wish to audit. For example, the image below shows that "everyone" who accesses the finance folder will be audited.
- Once auditing is enabled, events will appear in the security event container on that local server.
- The file system auditing events must be opened up individually to inspect their contents (the interface is a bit better in Server 2008 and 2012).
- There are some filtering capabilities available if you know which user you're interested in, but there is nothing for directory name, file type, and "delete" events. This shows the limited return on time invested.
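The steps above can be scripted, and the raw 4663/4660 events can be joined to answer the "who deleted which file" question the built-in viewer cannot filter for. This is an added example, not code from the original post or from Varonis; it assumes it runs elevated on the file server and uses a placeholder folder path.

```powershell
# Added example: enable delete auditing on a folder, then report deletions from
# the Security log. Assumes: run as Administrator; D:\Finance is a placeholder.
$Folder = 'D:\Finance'

# 1. Turn on the "File System" subcategory of Object Access auditing.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Add a SACL entry: Delete attempts by Everyone on the folder and everything
#    beneath it generate Security events (the same change as the folder's
#    Auditing tab in Explorer).
$acl  = Get-Acl -Path $Folder -Audit
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
            'Everyone',
            [System.Security.AccessControl.FileSystemRights]'Delete,DeleteSubdirectoriesAndFiles',
            [System.Security.AccessControl.InheritanceFlags]'ContainerInherit,ObjectInherit',
            [System.Security.AccessControl.PropagationFlags]::None,
            [System.Security.AccessControl.AuditFlags]'Success,Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Event 4663 (object access with the DELETE right) carries user, path and
#    process; event 4660 (object deleted) confirms the delete completed but has
#    no path. Both carry the same HandleId, so join them on it and filter by
#    directory and extension, which the Event Viewer UI cannot do.
function Get-FileDeletions {
    param([string]$Path, [string]$Extension = '*', [int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4660, 4663; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    $deletedHandles = @{}
    $attempts = @()
    foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($e.Id -eq 4660) { $deletedHandles[$d.HandleId] = $true; continue }
        # 0x10000 is the DELETE bit in the AccessMask; skip reads, writes, etc.
        if (([Convert]::ToInt64($d.AccessMask, 16) -band 0x10000) -eq 0) { continue }
        if ($d.ObjectName -notlike "$Path\*") { continue }
        if ($Extension -ne '*' -and $d.ObjectName -notlike "*.$Extension") { continue }
        $attempts += [pscustomobject]@{
            Time = $e.TimeCreated; User = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            File = $d.ObjectName;  Process = $d.ProcessName; HandleId = $d.HandleId }
    }
    $attempts | Where-Object { $deletedHandles.ContainsKey($_.HandleId) } |
        Select-Object Time, User, File, Process
}

Get-FileDeletions -Path $Folder -Extension 'xlsx' -Hours 48 | Format-Table -AutoSize
```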
For organizations that are serious about network security and file system auditing, a third-party solution is a must. It allows the organization to collect and manage the logs effectively and to leverage intelligence, reports and alerting on top of them.
Of the solutions available on the market, Varonis' DatAdvantage has been recognized by Gartner in the file system auditing category. This software helps in IT areas such as help desk troubleshooting, security forensics, recurring account reviews and annual formal audits.
With Varonis, you will be able to easily answer the following questions:
- Who has been accessing this folder?
- What data has this user been accessing?
- Who sent emails to whom?
- Who deleted these files?
- Where did those files go?
Below is a screenshot of the interface with the tree of folders on the left:
To learn more about Varonis, download their whitepaper: Accelerating Audits with Automation.
Author: Todd Bey