Join Mike Danseglio for an in-depth discussion in this video, Storage optimization: File access auditing, part of Windows Server 2012 Active Directory: File System and Storage.
- In previous versions of our server products, we've always had the ability to audit access to files and folders on a server running out in the environment, or even on a Windows client operating system. As long as it was running NTFS, we could always go out and audit, but the only thing I could really audit was who accessed it, what time they accessed it, did they access it locally, or did they access it remotely? In Server 2012, Microsoft has given us some more advanced auditing capabilities in our environment.
Let me take a look here real quick at what it can do for us, and then how. First of all, now when I audit, I can audit at a shared-folder level. There is no access control setting for auditing on a share, but through group policies I can now audit a share, so when a user goes to access the share I can get an audit report, or a security entry, that someone accessed the share. I can do it at a detailed level, which gives me the date, the time of day, and the user that accessed it.
If I'm using Dynamic Access Control, I can even get more data by looking at what the claim is that accessed it, whether it be a user's claim or a computer claim. I can also go on and even audit to the point of what attributes they went in and used. Did they look at the folder? Did they look at files in the folder? Did they open files in the folder? Did they modify files in the folder? Did they look at properties of files in the folder? So it gives me a lot more auditing capabilities than I had in the previous operating systems.
So let's take a quick look at how we can configure auditing. If we go into our Server Manager on a 2012 server, now I'm gonna go ahead and bring up my Group Policy Management Console, because auditing has to be turned on either at the domain level, at an OU level, or through the local security policy on a machine. So I've got this policy down here I've been playing with all along, called the demo deploy, and I'm just gonna go ahead... Actually, I'll create a new policy. I'll call this my auditing GPO.
If I come in and I look at the auditing GPO's properties, I'll expand Policies. I'll expand Windows Settings, Security Settings. If I go in under Local Policies, we still have the traditional audit settings that have been there since Active Directory first came out with Server 2000. So if I want to just audit basic access to a file or basic access to a folder, or even basic access to a printer, I can come in and I would just enable Object Access.
I would just simply turn this on. Then it would audit that folder and that file being accessed, or the printer being accessed, but what if I want to get more detailed information about who's accessing, what they're doing, and when they're accessing? If I come down to Advanced Audit Policies... I'll scroll this over a little bit. Under Audit Policies, I now have a section down here called Object Access, and if I expand Object Access, notice I can get much more granular in auditing.
The first thing I'm gonna look at here is auditing detailed file shares. What this does is I can... I basically can just turn it on and I'll configure what I want to audit, successes or failures, and normally we're gonna audit both. But if I go over to the Explain tab, one of the things I wanted to point out off the bat is, again, there is no access control list for auditing shares. What this will allow us to do is turn on auditing of shares outside of the access control list. What this will do is, unlike if someone were accessing a folder through the typical auditing process, where you'd make the connection to the server.
If they hit that folder six, seven, eight, ten times and they don't have access, I will only see one access denied in my audit log, because this doesn't audit based off of the connection to the server. It's gonna audit every single time that person tried to hit the folder. So if they're being access denied, this would audit every single time they attempted to click on that folder, and I would get an audit. Again, this would be stored in the audit log, or in the Security log, on the machine. The other auditing capability we have is on a file share; this is just turning on auditing for file shares, again, successes and failures, but this is not gonna give us as much detailed information.
This is gonna tell us who connected, when they connected, what machine they were coming from, and again, what machine they were attempting, or what folder they were attempting, to access. I also have the ability to audit the file system, and this is going outside the shares. This would be implemented on the server, at the server level, and then it would audit every access to every file that a person attempted to access from their machine. Again, I don't have to go in and actually turn on auditing at the file level or the folder level.
This would be turned on at the machine level, unlike the traditional audits. What I mean by that is, I don't have it turned on at the machine. If I bring up my Windows Explorer on this machine, and I go into just any folder here... Whoops, I don't want to go that far. And I bring up the folder's properties, and I come under Security, and I come under Advanced, here's where I could configure auditing.
If I come in here, I could add, and this is where I could add who I wanted to audit, what I wanted to audit, and at what level I wanted to audit this specific folder, and this is where I had to turn it on. If I'm doing basic auditing, which was up in the first area I showed you, I have to come here and configure it. If I do it as an advanced audit by turning it on at the machine, right? I don't have to come in here and configure that I want to audit this specific folder. It's gonna audit every shared folder that's on that server, or every server that's in that environment.
Once I turn auditing on, the entries will be stored in our Event Viewer. Again, they'll be stored in the Windows Logs, under the Security log, is where the events will be stored. I don't have auditing turned on throughout the machine here, and this was on from a previous environment, but this is where auditing would be allowed, and where I'd go to see the entries of what users were doing and what they were accessing on the machine.
Again, because I can do claims-based authentication now in Server 2012, this can all be based off of claims-based content also: who's connecting to it. I forgot to go ahead on my slide here. That's the how, how we can actually configure it, and we can go look. One of the cool things here is now, if you're using System Center Configuration Manager in your environment, System Center now has the ability to go out and query machines and query logs looking for specific types of events, so that now we don't have to go to the machine and capture information. We also have the ability to create a subscription.
So I could actually have, on my Windows 7 computer and my Windows 8 computer, I can create an event subscription service to the security logs of maybe my servers that are in a given OU, or my files that are in a given department. So I can manage that stuff there and take a look at who's accessing what, when are they accessing it, determine the time of day they are accessing it, and also look for those security breaches if we're looking at sensitive data. What have we looked at in this session? We looked at how auditing has changed in Server 2012, and we can get a lot more information, a lot more granular information, about who's accessing resources, when they're accessing it, and what they're actually doing when they do access it.
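The procedure walked through above (turn on the Object Access subcategories, optionally add a per-folder audit entry, then read the resulting entries out of the Security log) as an added PowerShell example. This is not code from the course or from Microsoft; it is written here to make the steps reproducible. The folder path, share name and the sample event XML are constructed for illustration. One caveat worth knowing before relying on the "File System" subcategory: the two share-level subcategories ("Detailed File Share" and "File Share") need no per-object configuration, but "File System" still only produces events for objects that carry a SACL entry, either set on the folder as shown, or pushed centrally with the Global Object Access Auditing policy that lives under the same Advanced Audit Policy Configuration node. The event IDs used here (5140 for a share connection, 5145 for each detailed share access check, 4663 for a file-system object access) are the standard Windows Security log IDs, not something the video names.

```powershell
# Added example, not part of the course. Run elevated on the Windows Server 2012 file server.
# Assumptions: $auditedFolder is a hypothetical path; the sample XML below is constructed.

# --- 1. Enable the advanced Object Access subcategories from the video ----------------
# Local equivalent of the GPO path: Computer Configuration > Policies > Windows Settings >
# Security Settings > Advanced Audit Policy Configuration > Audit Policies > Object Access.
function Enable-FileAccessAuditing {
    foreach ($sub in 'Detailed File Share', 'File Share', 'File System') {
        auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    }
    auditpol /get /category:"Object Access"   # show the effective settings
}

# --- 2. Traditional per-folder SACL (Properties > Security > Advanced > Auditing) -----
# Still required for the File System subcategory to emit 4663 events for this folder.
function Add-FolderAuditRule {
    param([Parameter(Mandatory)][string]$Path, [string]$Identity = 'Everyone')
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule -ArgumentList @(
        $Identity, 'ReadData,Modify,Delete', 'ContainerInherit,ObjectInherit', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# --- 3. Turn a Security-log event into a flat record -----------------------------------
# Works on the XML that Get-WinEvent's .ToXml() returns, so it can be unit-tested offline.
function ConvertFrom-FileAccessEvent {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    $fields = @{}
    foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $idNode = $x.Event.System.EventID
    $id = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }
    # Audit Success keyword is 0x8020000000000000; Audit Failure is 0x8010000000000000.
    $outcome = if ($x.Event.System.Keywords -eq '0x8020000000000000') { 'Success' } else { 'Failure' }
    [pscustomobject]@{
        Time     = $x.Event.System.TimeCreated.SystemTime
        EventId  = $id
        Outcome  = $outcome
        User     = "$($fields.SubjectDomainName)\$($fields.SubjectUserName)"
        ClientIp = $fields.IpAddress                 # 5140/5145 only
        Share    = $fields.ShareName                 # 5140/5145 only
        Target   = if ($fields.RelativeTargetName) { $fields.RelativeTargetName } else { $fields.ObjectName }
        Access   = ($fields.AccessList -replace '\s+', ' ').Trim()   # %%4416 = ReadData etc.
        Reason   = $fields.AccessReason              # 5145: where claim/central policy reasons appear
    }
}

# --- 4. Pull recent share and file-system access events from a log ---------------------
# Use -LogName ForwardedEvents on a collector if you set up the subscription the video mentions.
function Get-FileAccessAudit {
    param([int[]]$Id = @(5140, 5145, 4663), [int]$Hours = 24,
          [string]$LogName = 'Security', [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = $LogName; Id = $Id; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-FileAccessEvent -EventXml $_.ToXml() }
}

# --- Offline demonstration with a constructed 5145 (access denied on a share) ----------
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>5145</EventID><Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2012-11-05T14:22:31.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CONTOSO</Data>
    <Data Name="IpAddress">10.1.2.3</Data><Data Name="ShareName">\\*\Finance</Data>
    <Data Name="RelativeTargetName">Budgets\FY13.xlsx</Data>
    <Data Name="AccessList">%%4416</Data><Data Name="AccessReason">%%4416: %%1805</Data>
  </EventData>
</Event>
'@
ConvertFrom-FileAccessEvent -EventXml $sampleXml | Format-List

# Live use on the server (hypothetical path): enable the policy, add a SACL, then look for
# the repeated denials the video describes, one 5145 per attempt rather than one per connection.
# Enable-FileAccessAuditing
# Add-FolderAuditRule -Path 'D:\Shares\Finance'
# Get-FileAccessAudit | Where-Object Outcome -eq 'Failure' |
#     Group-Object User, Share, Target | Sort-Object Count -Descending | Select-Object Count, Name
```

The grouping at the end is the practical check for the behaviour the video calls out: with "Detailed File Share" on, a user who is denied on the same folder ten times produces ten 5145 failures, so a count per user and target separates a one-off mistake from someone probing a share they should not reach.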