Author: NetworkAdminKB.com
Created: 2008-10-06
Modified: 2009-01-16


Information:

The goal of the following audit policy is to properly report on changes to the NTFS file structure.  This policy will not report on users attempting to make changes they do not have the rights to perform.


By reporting on changes to the NTFS file structure we can trace configuration mistakes, creation and deletion of objects, and similar changes back to the appropriate personnel. This allows personnel to be trained as needed to prevent future mistakes. It also aids in troubleshooting an issue, by showing whether a suspected change has actually taken place.


Since we are only concerned with changes, the following are excluded from the audit policy:

  • Reading information from the NTFS file structure
  • Failure to make changes to the NTFS file structure

Recommendation:

The following are the recommended settings for tracking changes to the NTFS file structure.  By using the Everyone group we can guarantee that all changes are properly tracked and that no person is mistakenly excluded from the audit policy.


The instructions below are written for a local server. In a domain, implement the same settings through a Domain GPO if needed.

1) Enable Auditing of Object Access on the local server.
   a. Open the Local Security Settings MMC.
      i. Go to: Local Policies / Audit Policy
      ii. Audit object access
          1. Enable – Success

2) Go to the root of each drive you wish to enable auditing on.

3) Remove any existing auditing entries.

4) Select the Everyone group.
   a. Object tab
      i. Apply to: This folder, subfolders and files
      ii. Success – Create Files / Write Data
      iii. Success – Create Folders / Append Data
      iv. Success – Write Attributes
          1. The common attributes are: Archive, Read-Only, Hidden, and System.
      v. Success – Write Extended Attributes
          1. Extended attributes are defined by programs and may vary by program.
      vi. Success – Delete Subfolders and Files
      vii. Success – Delete
      viii. Success – Change Permissions
      ix. Success – Take Ownership

5) Check: Replace auditing entries on all child objects with entries shown here that apply to child objects.

6) Click OK.
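The same settings applied from an elevated PowerShell session, as an added example that is not part of the original article. The drive letter D: is an assumption; the well-known SID S-1-1-0 is the Everyone group, and Get-Acl/Set-Acl on a SACL need the "Manage auditing and security log" privilege.

```powershell
# Added example, not from the original article: apply the recommended NTFS
# change-audit policy to one drive root. Assumes drive D: and an elevated
# session holding the "Manage auditing and security log" privilege.
$Root = 'D:\'

# Step 1: enable Success auditing for the Object Access category.
auditpol /set /category:"Object Access" /success:enable | Out-Null

# Step 4: the eight Success entries from the article, combined as one rights mask.
$Rights = [System.Security.AccessControl.FileSystemRights](
    'CreateFiles, CreateDirectories, WriteAttributes, WriteExtendedAttributes, ' +
    'DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership')

# "This folder, subfolders and files" = inherit to both containers and objects.
$Inherit  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Prop     = [System.Security.AccessControl.PropagationFlags]::None
$Flags    = [System.Security.AccessControl.AuditFlags]::Success
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'  # Everyone

$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $Everyone, $Rights, $Inherit, $Prop, $Flags

# Steps 2-3: read the drive root's SACL and drop any existing explicit audit entries.
$Acl = Get-Acl -Path $Root -Audit
foreach ($old in $Acl.GetAuditRules($true, $false, [System.Security.Principal.SecurityIdentifier])) {
    $Acl.RemoveAuditRuleSpecific($old)
}

# Step 6: add the new entry and write the SACL back to the drive root.
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Root -AclObject $Acl

# Check the result: the root should now carry exactly one Success entry for Everyone.
(Get-Acl -Path $Root -Audit).Audit |
    Format-List IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags
```

Set-Acl writes only the root's SACL; child objects pick up the new entry through inheritance, but explicit audit entries already present on them are not removed, which is what the checkbox in step 5 does in the GUI.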

More Information:

For a more secure environment, also enable the Failure setting on the same entries that have Success enabled. This will additionally record failed change attempts, which can point to potential security threats.

Article ID: 68, Created On: 9/16/2011, Modified: 9/16/2011