File/Folder Monitoring

Monitoring File and Folder Access: Enhancing Data Security

Monitoring file and folder access is vital for safeguarding sensitive data, identifying unauthorized activities, and preventing data breaches. This guide covers how to configure monitoring and analyze key event logs for effective security management.


Configuring File/Folder Monitoring

Step 1: Enable Object Access Auditing

  1. Open Group Policy Editor:

    • Search for Edit Group Policy in the Windows search bar.

  2. Navigate to: Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit Object Access.

  3. Enable Success and Failure Events:

    • Set Audit Object Access to log both successful and failed access attempts.

Step 2: Configure Folder/File Auditing

  1. Select Target Folder/File:

    • Right-click the folder or file you want to monitor.

    • Go to Properties > Security tab > Advanced.

  2. Set Auditing for Specific Users/Groups:

    • Under the Auditing tab, click Add.

    • Select a Principal: Choose Everyone to monitor all users.

  3. Set Audit Permissions:

    • In the Type dropdown, select All to audit all actions.

    • Under Basic Permissions, select Full Control.

    • Ensure Applies to includes subfolders and files, if necessary.
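The same configuration can be applied from an elevated PowerShell session instead of the GUI. The script below is an added example, not part of the original guide: it enables the File System subcategory of Object Access auditing (the subcategory that produces the 4656/4663 events discussed later) and then adds a Success and Failure audit entry for Everyone with Full Control, inherited by subfolders and files. The folder path C:\Top Secret is taken from the guide's later examples and is a placeholder for whatever folder you want to monitor.

```powershell
# Added example, not part of the original guide.
# Assumes an elevated PowerShell session on Windows (auditpol and writing a SACL
# require administrator rights / SeSecurityPrivilege). The path is a placeholder.
$target = 'C:\Top Secret'

# Step 1: Audit Object Access, success and failure.
# The GUI path in the guide enables the whole category; the "File System"
# subcategory is the one that generates 4656/4663 for files and folders.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: SACL entry for Everyone, Full Control, Success + Failure,
# applied to this folder, subfolders and files.
$rule = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::FullControl,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure'
)

# Get-Acl only loads the SACL when -Audit is given; without it the audit rules
# would be silently dropped when the ACL is written back.
$acl = Get-Acl -Path $target -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $target -AclObject $acl

# Verify: show the audit rules now present on the folder and the effective audit policy.
(Get-Acl -Path $target -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
auditpol /get /subcategory:"File System"
```

If the audit policy is managed by Group Policy (as in the GUI steps above), the domain setting will override the local auditpol value at the next policy refresh, so check the final state with the auditpol /get line rather than assuming the local change stuck. Auditing Everyone with Full Control on a busy share produces a high event volume; plan log size and forwarding accordingly.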


Analyzing File Access Logs

Once configured, Windows logs events when monitored files or folders are accessed. Below are the key event IDs to focus on.


Key Event IDs

Event ID 4656: Handle Requested

Logs when a user or process requests access to a monitored object.

Key Fields:

  • Subject: The user who attempted access.

  • Object Name: The name of the accessed file or folder.

  • Process Name: The process initiating the access.

Example:

  • Event ID: 4656

  • Object Name: C:\Top Secret\Secret.txt

  • Process Name: explorer.exe

Event ID 4663: Access Attempted

Indicates whether access was successful or failed.

Key Fields:

  • Access Mask: The type of access requested.

  • Keywords: Indicates Audit Success or Audit Failure.

Example:

  • Event ID: 4663

  • Object Name: C:\Top Secret\Secret.txt

  • Process Name: notepad.exe

  • Keywords: Audit Success


Correlation of Event IDs

  • Event ID 4656: Logs the intent to access a file.

  • Event ID 4663: Confirms whether the access succeeded or failed.

Analyzing these events together provides a comprehensive view of file access behavior.


Detecting Suspicious Access

Analyzing the Process Name Field

  • Legitimate Processes:

    • explorer.exe

    • notepad.exe

  • Suspicious Processes:

    • cmd.exe

    • powershell.exe

    • Custom scripts

Example: If powershell.exe accesses Secret.txt, it could indicate unauthorized script-based file operations, which require immediate investigation.
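The following script is an added example, not part of the original guide, that implements both the correlation described above (pairing each 4663 with the 4656 that requested the handle) and the Process Name check from this section. It reads 4656/4663 from the Security log, joins them on the HandleId field, restricts the result to the monitored path, and flags accesses made by the processes the guide lists as suspicious. Assumptions: an elevated session (reading the Security log requires it), auditing already configured as in the steps above, the path C:\Top Secret from the guide, a 24-hour lookback window, and, for the guide's "custom scripts" entry, the Windows Script Host executables wscript.exe and cscript.exe as a stand-in.

```powershell
# Added example, not part of the original guide. Assumes an elevated session and
# that auditing is configured. Path and process names come from the guide;
# the lookback window and the script-host names are assumptions.
$monitoredPath = 'C:\Top Secret'
$suspicious    = @('cmd.exe', 'powershell.exe')        # from the guide
$scriptHosts   = @('wscript.exe', 'cscript.exe')       # assumed stand-in for "custom scripts"
$since         = (Get-Date).AddHours(-24)

# Turn an event's EventData into a hashtable keyed by field name (Subject*, ObjectName,
# ProcessName, AccessMask, HandleId ...), which is easier to work with than Properties[n].
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $since } `
    -ErrorAction SilentlyContinue

# Index 4656 (handle requested = intent) by HandleId so each 4663 can be paired with it.
$intent = @{}
foreach ($e in ($events | Where-Object Id -eq 4656)) {
    $f = Get-EventFields $e
    $intent[$f['HandleId']] = $f
}

# Walk 4663 (access attempted) and report each one together with its 4656 context.
$report = foreach ($e in ($events | Where-Object Id -eq 4663)) {
    $f = Get-EventFields $e
    if ($f['ObjectName'] -notlike "$monitoredPath*") { continue }

    $procName = Split-Path -Leaf $f['ProcessName']
    # Keywords tells us whether the audited access succeeded or failed.
    $outcome  = if ($e.KeywordsDisplayNames -contains 'Audit Success') { 'Success' } else { 'Failure' }
    $matched  = $intent.ContainsKey($f['HandleId'])

    [pscustomobject]@{
        Time       = $e.TimeCreated
        User       = "$($f['SubjectDomainName'])\$($f['SubjectUserName'])"
        Object     = $f['ObjectName']
        Process    = $procName
        AccessMask = $f['AccessMask']
        Outcome    = $outcome
        HadIntent  = $matched                                   # a 4656 with the same HandleId was seen
        Suspicious = ($suspicious -contains $procName) -or ($scriptHosts -contains $procName)
    }
}

$report | Sort-Object Time | Format-Table -AutoSize
$report | Where-Object Suspicious | ForEach-Object {
    Write-Warning "$($_.Process) accessed $($_.Object) as $($_.User) ($($_.Outcome))"
}
```

Two caveats when using this on real logs. HandleId values are reused once a handle is closed, so for a long window the join should also require the 4656 to precede the 4663 from the same process; the 24-hour window and in-memory index keep this example simple. The legitimate/suspicious process lists are a starting heuristic: the same executables are used for routine administration, so tune the lists to the environment and treat a hit as a trigger for investigation rather than as proof of misuse.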


Key Points

File and folder monitoring is a critical aspect of data security. By enabling Audit Object Access and analyzing Event IDs 4656 and 4663, organizations can:

  • Detect unauthorized or suspicious activities.

  • Investigate potential data breaches efficiently.

  • Maintain a secure and compliant environment.

Regular log reviews and proactive monitoring ensure sensitive data remains protected against threats.
