Audit access to a file.







To audit access to files, you must perform two tasks:
1.) Enable the Audit Policy called "Audit Object Access".

2.) Enable auditing on the individual files and folders you wish to audit.

Both of these procedures are outlined below.


To enable the "Audit Object Access" policy, do the following:
(Note: this procedure shows how to set up auditing using "Local Security Policy". If your computer is a member of a domain, you can perform the same tasks using Group Policy. Be aware that Group Policy settings will override Local Policy settings.)

1.) Click on "Start" -> "Programs" -> "Administrative Tools" -> "Local Security Policy".

2.) Navigate to "Audit Policy" in the left pane.



3.) In the left pane of the "Local Security Settings" window, double click on the "Audit Object Access" entry.

4.) Click on the "Success" and "Failure" checkboxes to enable auditing for files.



5.) Click on the OK Button.


To enable auditing of an individual file or folder, do the following:

1.) Right click on the file in Explorer, and choose "Properties", as shown in the figure.



2.) Click on the Security tab, and then click on the "Advanced" button as shown in the figure. If you don't have a Security tab, you are probably not using NTFS. If so, it is strongly recommended that you upgrade to NTFS (using the convert /FS:NTFS command) so that you can use file permissions.



3.) Click on the "Auditing" tab, and then click on the "Add" button, as shown in the figure.



In the empty box provided, type Everyone and then click "Check Names". Once Everyone is underlined, click on the OK button.



4.) Click on the actions you wish to Audit, and then click on "OK".



5.) To verify that auditing is working on your specified file, access the file (in this case it was CMD.EXE, so click Start -> Run and type CMD). Then right click on My Computer, choose "Manage", and browse to the Security section of Event Viewer. You should now see an 'Object Access' error similar to below.
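
The same two tasks and the verification step can be scripted. The following is an added example, not part of the original procedure. It assumes Windows Vista / Server 2008 or later, an English-language system, and an elevated PowerShell session. The path in $Path is a placeholder, the audited rights are an illustrative choice, and event ID 4663 is the file access event on those Windows versions.

```powershell
#Requires -RunAsAdministrator
# Added example: $Path is a placeholder and the audited rights are an assumption.
$Path = 'C:\Data\example.txt'

# Task 1: enable success and failure auditing for the "Object Access" category
# (the command-line equivalent of the "Audit Object Access" policy).
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null
auditpol /get /category:"Object Access"

# Task 2: add an audit entry (SACL) for Everyone on the file.
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule   = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $flags)

$acl = Get-Acl -Path $Path -Audit   # -Audit loads the SACL, which Get-Acl omits by default
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Show the audit entries now present on the file.
(Get-Acl -Path $Path -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags

# Verify: read the file once, then list the matching Security log events.
Get-Content -Path $Path -TotalCount 1 | Out-Null
Start-Sleep -Seconds 2
$filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-5) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the event's named data fields into a hashtable.
    $data = @{}
    ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    if ($data['ObjectName'] -eq $Path) {
        [pscustomobject]@{
            Time       = $_.TimeCreated
            User       = $data['SubjectUserName']
            Process    = $data['ProcessName']
            AccessMask = $data['AccessMask']
        }
    }
}
```

If the final command returns nothing, check with auditpol /get that a Group Policy refresh has not reset the category, since domain policy overrides local settings.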







