So that I don’t log more events than necessary, I’m going to enable success and failure for Audit
File System events under Computer Configuration > Windows Settings > Security Settings >
Advanced Audit Policy Configuration > System Audit Policies > Object Access.
And now for the second part of the configuration. There are two ways you can
configure SACLs. I have a folder (c:\accounts) that I want to monitor on my file
server. I can add a SACL directly to the folder using File Explorer.
I’m only interested in when permissions change, regardless of what those permissions
are, but you could decide to log specific actions. For example, checking List
folder / Read data would log an event whenever data is read.
Click OK.
Click OK again in the Advanced Security Settings dialog.
Click OK in the Properties dialog.
Setting up and managing SACLs across many file servers isn’t easy if you do it
manually using the steps above. But Global Object Access Auditing lets
administrators configure file and registry SACLs per computer, rather than at
the file system level. This makes it easier to track the settings across servers on your
network. For more information on how to set up Global Object Access Auditing
Use the Event Log to Check for Permission Changes
Now whenever somebody changes permissions on the accounts folder, or any child
object, EventID 4670 will be logged in the Windows Security event log. In the
screenshot below, you can see that I’ve created a custom view to see only events with
the ID 4670. Each event records the user who made the permission change, the path of
the object on which permissions were changed, and the before and after values, i.e.
the old and new permissions.
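
The same procedure can be scripted. The following is an added example, not part of the original article: it enables the audit subcategory locally, adds the SACL to c:\accounts, and lists the 4670 events for that folder. The `Everyone` principal, the `Success` audit flag, and the use of `auditpol` as the local equivalent of the Group Policy setting are assumptions; run it from an elevated session.

```powershell
# Added example (not from the original article). Requires an elevated session.
$folder = 'C:\accounts'   # folder monitored in the article

# 1. Enable success and failure auditing for the File System subcategory.
#    Assumption: applied locally with auditpol instead of through Group Policy.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add an audit entry (SACL) that fires only when permissions are changed.
#    Assumptions: audited principal 'Everyone', audit type 'Success'.
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]::ChangePermissions,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]::Success)

# -Audit makes Get-Acl return the SACL; without it Set-Acl would not write audit rules.
$acl = Get-Acl -Path $folder -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Read Event ID 4670 from the Security log and keep only events for this folder tree.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4670 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the named EventData fields into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['ObjectName'] -like "$folder*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Object  = $data['ObjectName']
                Process = $data['ProcessName']
                OldSddl = $data['OldSd']   # permissions before the change (SDDL)
                NewSddl = $data['NewSd']   # permissions after the change (SDDL)
            }
        }
    } | Format-List
```

`OldSddl` and `NewSddl` are the before and after values in SDDL form; comparing the two strings shows which access control entries were added or removed.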