Auditing File Access on File Servers
Why you should consider auditing file access activity
File activity monitoring solutions are designed to monitor the patterns of users accessing file shares. From a network operations point of view there are a few important reasons why you should look at file activity logging:
- Quickly track down when a file was deleted and by whom.
- Find the source of Ransomware or other Malware which targets file stores.
- Identify who accessed a specific file or folder for a given time period.
Compliance standards which mandate some form of file access logging include:
How to enable file access logging
There are two main approaches to file access logging. The first is to install an agent or enable native file auditing on the file servers themselves. The other is to passively capture the activity from network traffic using deep packet inspection.
If you install an agent or enable auditing on your file servers you also need a log file collector. A SIEM would be the most popular choice for storing the events.
Using log files on servers
In order to track file and folder access on a Windows Server using log files you need to enable file and folder auditing and then identify the files and folders that are to be audited. Once correctly configured, the server security logs will then contain information about attempts to access, delete or change the designated files and folders.
The image below shows a typical deployment. File access logs are generated when (1) a user logged onto wired or wireless devices accesses file shares across the network. The server (2) will log this activity in a database or in the Windows event log. The log collector (3) will read these records at regular intervals and store them within its own database. A log collector is required as server event logs can fill up very quickly.
A sample event is shown below. Hundreds of these are created when a user accesses a single file which is why log files can fill up very quickly.
Log Name: Security
Date: 8/14/2015 5:51:48 AM
Event ID: 4663
Task Category: File System
Keywords: Audit Success
An attempt was made to access an object.
Security ID: GLOBAL1\jjbloggs
Account Name: jjbloggs
Account Domain: GLOBAL1
Logon ID: 0x17235b
Object Server: Security
Object Type: File
Object Name: C:\Shares\Finance\Budgets\BusinessBudget2016.xls
Handle ID: 0x1b4
Process ID: 0x2f8
Process Name: C:\Windows\System32\dllhost.exe
Access Request Information:
Access Mask: 0x20000
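To show what a collector does with the flood of events described above, here is an added example (not code from the original post) that parses 4663 records in the "Field: value" layout shown, decodes the Access Mask into named rights, and collapses the many events raised for one open handle into a single audit-trail entry. The three sample records are constructed for the example and trimmed to the fields the parser reads; the access-right bit values are the standard Windows file access rights.

```python
import re
from collections import OrderedDict

# Constructed sample: three 4663 records in the same "Field: value" layout as the event on
# the page, trimmed to the fields this parser uses. The first two belong to one open
# (same Handle ID); the third is a later open of another file that requests DELETE.
SAMPLE_EVENTS = r"""
Date: 8/14/2015 5:51:48 AM
Event ID: 4663
Account Name: jjbloggs
Account Domain: GLOBAL1
Object Name: C:\Shares\Finance\Budgets\BusinessBudget2016.xls
Handle ID: 0x1b4
Process Name: C:\Windows\System32\dllhost.exe
Access Mask: 0x20000

Date: 8/14/2015 5:51:48 AM
Event ID: 4663
Account Name: jjbloggs
Account Domain: GLOBAL1
Object Name: C:\Shares\Finance\Budgets\BusinessBudget2016.xls
Handle ID: 0x1b4
Process Name: C:\Windows\System32\dllhost.exe
Access Mask: 0x1

Date: 8/14/2015 5:52:03 AM
Event ID: 4663
Account Name: jjbloggs
Account Domain: GLOBAL1
Object Name: C:\Shares\Finance\Budgets\OldBudget2014.xls
Handle ID: 0x1c0
Process Name: C:\Windows\System32\dllhost.exe
Access Mask: 0x10000
"""

# File access-right bits as Windows encodes them in the 4663 Access Mask field.
ACCESS_RIGHTS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA", 0x10: "WriteEA",
    0x20: "Execute", 0x40: "DeleteChild", 0x80: "ReadAttributes", 0x100: "WriteAttributes",
    0x10000: "DELETE", 0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC",
    0x80000: "WRITE_OWNER", 0x100000: "SYNCHRONIZE",
}
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")

def parse_events(text):
    """Split exported event text on blank lines and keep each 4663 record as a field dict."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields.get("Event ID") == "4663":
            events.append(fields)
    return events

def decode_access_mask(mask):
    """Translate an Access Mask such as 0x10000 into the named rights it requests."""
    return sorted(name for bit, name in ACCESS_RIGHTS.items() if mask & bit)

def build_audit_trail(events):
    """Collapse the burst of 4663 events raised for one open handle into one trail entry.
    Events sharing (user, object, Handle ID) are the same open of the same file by the
    same logon, so merging their masks records what that open asked for."""
    trail = OrderedDict()
    for ev in events:
        user = ev["Account Domain"] + "\\" + ev["Account Name"]
        key = (user, ev["Object Name"], ev["Handle ID"])
        entry = trail.setdefault(key, {"first_seen": ev["Date"], "process": ev["Process Name"],
                                       "rights": set()})
        entry["rights"].update(decode_access_mask(int(ev["Access Mask"], 16)))
    return trail

def find_deletions(trail):
    """Answer 'who deleted what, and when': entries whose merged rights include DELETE."""
    return [(user, obj, e["first_seen"]) for (user, obj, _handle), e in trail.items()
            if "DELETE" in e["rights"]]

if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    trail = build_audit_trail(events)
    print(f"{len(events)} raw events -> {len(trail)} trail entries")
    print("deletions:", find_deletions(trail))
```

Grouping on the Handle ID is what keeps the collector's database manageable: one open of a file produces one trail row with the union of the rights requested, rather than one row per 4663 event.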
Using network traffic to monitor file share activity
The most popular file sharing protocols are SMB (Windows file shares) and NFS (UNIX file shares). These protocols carry the file and folder transactions between clients and servers. What you need to do is capture this traffic as it flows around the network and extract the file activity data from the packet payloads.
The image below shows a typical way this can be done. Users (1) connect to file servers (2) using wired or wireless devices. This traffic flows through a network switch where a SPAN or mirror port is configured. This SPAN port sends a copy of the traffic to the network traffic analyzer where the file names and actions (metadata) are extracted from the packet payloads.
Other information like IP addresses, usernames and data volume associated with the file transfer can also be extracted so that you end up with a proper audit trail of file access activity.
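As an added example of the metadata extraction described above (not code from the original post), the block below parses an SMB2 CREATE request, the message a client sends to open a file on a share, and pulls out the session, tree, file path, create disposition and delete-on-close flag. The header and CREATE layouts follow the MS-SMB2 specification; the request builder exists only to construct test input, since the example runs offline on a byte string rather than on a SPAN-port capture.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
# 64-byte SMB2 packet header (MS-SMB2 2.2.1), little-endian.
SMB2_HEADER_FMT = "<4sHHIHHIIQIIQ16s"
SMB2_HEADER_LEN = struct.calcsize(SMB2_HEADER_FMT)       # 64
# Fixed part of the SMB2 CREATE request (MS-SMB2 2.2.13); the file name follows it.
CREATE_FMT = "<HBBIQQIIIIIHHII"
CREATE_FIXED_LEN = struct.calcsize(CREATE_FMT)           # 56
SMB2_CREATE = 0x0005                                     # Command code for CREATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x1                         # set on responses, clear on requests
FILE_DELETE_ON_CLOSE = 0x00001000                        # CreateOptions bit
DISPOSITIONS = {0: "SUPERSEDE", 1: "OPEN", 2: "CREATE", 3: "OPEN_IF",
                4: "OVERWRITE", 5: "OVERWRITE_IF"}

def build_create_request(path, disposition, create_options=0, session_id=0x1, tree_id=0x1):
    """Constructed test input: an SMB2 CREATE request as a client would send it.
    Field values other than the ones under test are plausible placeholders."""
    name = path.encode("utf-16-le")
    header = struct.pack(SMB2_HEADER_FMT, SMB2_MAGIC, 64, 1, 0, SMB2_CREATE, 1, 0, 0,
                         7, 0, tree_id, session_id, b"\x00" * 16)
    body = struct.pack(CREATE_FMT, 57, 0, 0, 2, 0, 0,
                       0x00120089,          # DesiredAccess: a typical read open
                       0x80, 7, disposition, create_options,
                       SMB2_HEADER_LEN + CREATE_FIXED_LEN, len(name), 0, 0)
    return header + body + name

def extract_create_metadata(packet):
    """Return the audit-relevant fields of an SMB2 CREATE request, or None for anything else."""
    if packet[:4] != SMB2_MAGIC and packet[4:8] == SMB2_MAGIC:
        packet = packet[4:]          # strip the 4-byte NetBIOS session header used on TCP/445
    if len(packet) < SMB2_HEADER_LEN + CREATE_FIXED_LEN or packet[:4] != SMB2_MAGIC:
        return None
    hdr = struct.unpack_from(SMB2_HEADER_FMT, packet, 0)
    command, flags, tree_id, session_id = hdr[4], hdr[6], hdr[10], hdr[11]
    if command != SMB2_CREATE or flags & SMB2_FLAGS_SERVER_TO_REDIR:
        return None                  # not a CREATE, or a server response rather than a request
    body = struct.unpack_from(CREATE_FMT, packet, SMB2_HEADER_LEN)
    disposition, options, name_off, name_len = body[9], body[10], body[11], body[12]
    if name_off + name_len > len(packet):
        return None                  # truncated capture: never read past the buffer
    path = packet[name_off:name_off + name_len].decode("utf-16-le", errors="replace")
    return {"session_id": session_id, "tree_id": tree_id, "path": path,
            "disposition": DISPOSITIONS.get(disposition, hex(disposition)),
            "delete_on_close": bool(options & FILE_DELETE_ON_CLOSE)}

if __name__ == "__main__":
    pkt = build_create_request("Finance\\Budgets\\BusinessBudget2016.xls", 1)
    print(extract_create_metadata(pkt))
```

The SessionId and TreeId are what a traffic analyzer joins against the earlier SESSION_SETUP and TREE_CONNECT messages to attach a username and share name to the path, which is how the audit trail mentioned above gets its user and IP columns. Note that this only works on cleartext SMB: where SMB 3 encryption is enabled on the share, the CREATE payload is not visible on the wire, and local auditing is the only source.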
Should you choose traffic or logs?
Both methods for auditing file access have their advantages and disadvantages. Log files may be fine for monitoring specific folders on certain servers. Local auditing also captures activity when administrators log onto the server directly, which never crosses the network.
Network traffic monitoring is ideal if you don’t want to make any changes to the configuration of the file servers or if logging is not available. Traffic monitoring will passively capture the file access activity as users access the file shares across the network.
Traffic monitoring won't include activity where administrators log directly onto servers. In this case you may want to consider a hybrid approach where you capture most of the audit information from network traffic and use local auditing for highly sensitive data. This hybrid approach avoids overloading log files with millions of entries for less sensitive data.