Steps to configure DataSecurity Plus to track file accesses
- Download and install DataSecurity Plus.
- Open the DataSecurity Plus console.
- Navigate to Admin Console > Admin > Administrative Settings > Domain Settings and click + Add Domain in the top-right corner to add a new domain.
- Provide the Domain Name along with its username and password. Add required domain controllers and click Save.
- To add file servers, navigate to File Audit > Configuration and click the + Add Server button located in the top-right corner.
- Select your domain and add servers that you want to audit.
- Choose the files and folders to be audited from Select Objects to Monitor.
- Click Install Agent and Finish. The agent is now installed successfully.
Under the File Audit tab, go to Access Audit and click All File/Folder changes report to get details on the who, when, and where of all the changes made to the files. To view all the read accesses made to the file, go to Access Audit under the File Audit tab and generate the Read Events report. You can apply filters here to view the data of a specific file.
Steps to track access for a particular file
- Go to the File Audit tab.
- Navigate to Configuration > General Settings > Custom Reports.
- Click Server Specific Reports within the Custom Reports tab.
- Provide a suitable report name and description.
- In the Criteria section, add the following filters:
  - Action: All
  - File Name: Enter the name of the file that you want to audit. (For this example, we'll name the file Employee data.)
- Click Save.
- Navigate to Access Audit > Custom Server Reports.
- Choose the custom report that you just created.
You have now successfully configured DataSecurity Plus to discover all the accesses to the required file. The entry with the most recent time stamp shows who has last accessed the file.
Steps to set an audit policy
- Launch the Group Policy Management console through either of these methods:
  - Navigate to Server Manager > Tools > Group Policy Management Console.
  - Press Win+R and in the Run dialog box that appears, type gpmc.msc and click OK.
- The Group Policy Management Console window will open. A new Group Policy Object (GPO) can be created, or an existing one can be modified.
- If you want to add the group policy to an existing GPO, go to step 6.
- To create a new GPO, right-click on the domain, site, or OU where you want to apply the policy and click Create a new GPO in this domain and Link it here.
- Enter a name for the GPO in the New GPO dialog box and click OK.
- Now right-click on that GPO and choose Edit.
- In the Group Policy Management Editor, navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy.
- From the list of audit policies, double-click on Audit Object Access to open its Properties.
- Select the Define these Policy Settings checkbox and then choose both Success and Failure if you need to audit all the accesses made on the object.
- Click Apply and then OK to close the window.
- The GPO will be automatically updated. To update it manually, open the Command Prompt, type gpupdate /force, and press Enter. Now the GPO is updated.
Steps to set the auditing properties for the required file
- Right-click the file (Employee_Data) that you want to audit and choose Properties.
- Go to the Security tab and click Advanced to open the Advanced Security Settings window.
- Go to the Auditing tab and click Add to create a new audit entry. The Auditing Entry window appears.
- Click on Select a Principal and the Select User, Computer, Service Account, or Group dialog box appears.
- Select Everyone as the object name and click Check Names.
- Click OK to close the dialog box.
- Choose the type of action you want to audit from the drop-down list. If you want to audit all successful and failed events, choose All.
- This folder, subfolders and files is selected by default in the Applies To option.
- Under the Permissions section, select Full control and click OK.
- The new entry is now added. Click Apply and OK to close the window.
- Click OK in the Properties window.
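The audit entry from the steps above can also be set from an elevated PowerShell session. This is an added example, not part of the original page or of DataSecurity Plus; the path in $TargetPath is a hypothetical placeholder, and the script goes slightly beyond the steps by handling a folder target as well as a single file.

```powershell
# Added example. $TargetPath is a hypothetical placeholder; run from an elevated session.
$TargetPath = 'C:\Shares\HR\Employee_Data.xlsx'

# Confirm that the audit policy set through the GPO has reached this machine.
auditpol /get /subcategory:"File System"

# Resolve Everyone by its well-known SID so the script does not depend on the OS language.
$everyone = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
$rights = [System.Security.AccessControl.FileSystemRights]::FullControl
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'

if (Test-Path -LiteralPath $TargetPath -PathType Container) {
    # Folder target: equivalent of "This folder, subfolders and files" in Applies To.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
        $everyone, $rights, $inherit,
        [System.Security.AccessControl.PropagationFlags]::None, $flags)
} else {
    # Single file: no inheritance flags apply.
    $rule = [System.Security.AccessControl.FileSystemAuditRule]::new($everyone, $rights, $flags)
}

# -Audit is required to read the SACL; without it the Audit collection comes back empty.
$acl = Get-Acl -LiteralPath $TargetPath -Audit
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $TargetPath -AclObject $acl

# Read the SACL back to verify the entry was written.
(Get-Acl -LiteralPath $TargetPath -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```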
Steps to view who has accessed the file using the Event Viewer
- Open the Event Viewer.
- Navigate to Windows logs > Security.
- Click on the Filter Current Log option on the right pane of the window so the Filter Current Log window appears.
- Under the Task category option, enter the event ID for which you want to view logs. When a file is accessed, the event IDs 4656 and 4663 are logged. Enter these event IDs and click OK.
- The file access log is now displayed.
- To search for the access log for a particular file, click Find... in the right pane.
- Provide the filename and click Find Next.
- The first highlighted entry in the list has the latest timestamp.
- Double-click on the highlighted log to view the access details.
You can now view who last accessed the file using native auditing.
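The same lookup can be scripted instead of using Filter Current Log and Find. This is an added example, not part of the original page; Get-FileAccessEvent is a hypothetical helper name and the path is a placeholder. It reads event IDs 4656 and 4663 from the Security log, keeps the records for one file, and decodes the common bits of the access mask.

```powershell
# Added example. Run elevated on the file server; $TargetPath is a hypothetical placeholder.
$TargetPath = 'C:\Shares\HR\Employee_Data.xlsx'

# Common file access-right bits that appear in the AccessMask field.
$AccessBits = [ordered]@{
    0x1 = 'ReadData'; 0x2 = 'WriteData'; 0x4 = 'AppendData'
    0x10000 = 'Delete'; 0x40000 = 'WriteDac'; 0x80000 = 'WriteOwner'
}

function Get-FileAccessEvent {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $MaxEvents = 5000
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663 } -MaxEvents $MaxEvents |
        ForEach-Object {
            # Named EventData fields are only reachable through the record's XML form.
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.InnerText }
            if ($data['ObjectName'] -ieq $Path) {
                $mask = [Convert]::ToInt32($data['AccessMask'], 16)
                [pscustomobject]@{
                    TimeCreated = $_.TimeCreated
                    EventId     = $_.Id
                    User        = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                    Process     = $data['ProcessName']
                    Access      = ($AccessBits.Keys | Where-Object { $mask -band $_ } |
                                   ForEach-Object { $AccessBits[$_] }) -join ','
                    # 0x10000000000000 is the Audit Failure keyword bit.
                    Outcome     = if ($_.Keywords -band 0x10000000000000) { 'Failure' } else { 'Success' }
                }
            }
        }
}

# Get-WinEvent returns newest records first, so the first match is the last access.
Get-FileAccessEvent -Path $TargetPath | Select-Object -First 1
```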
Why is native auditing not preferred?
- The amount of logs increases rapidly, so they must be archived or cleared frequently.
- It doesn't offer centralized file auditing capabilities across multiple file server environments.
- The logs contain excessive noise, making it time-consuming to obtain important data from them.
- It doesn't offer built-in report generating capabilities to meet compliance requirements.
While native auditing records all events, it doesn't offer much help when it comes to retrieving the required information or proving adherence to compliance standards.
DataSecurity Plus overcomes these shortcomings and provides a comprehensive file auditing solution that can be configured and installed within minutes.