Share via

How to Detect Who Read a File on a File Server

  • Article

Why It Is Important

Sometimes users are granted access rights that enable them to read files containing sensitive data they shouldn’t have access to. For example, an office manager might mistakenly have permissions to read documents of the Accounting department, which could lead to a security breach. In addition, a user might attempt to read a file containing sensitive data but be denied for lack of proper permissions. Continuous monitoring of users who read or attempt to read files can help you keep access to sensitive information under control, thereby minimizing the risk of data exfiltration.

Native Auditing

1. Navigate to the required file share, right-click it and select "Properties".

**2. **Select "Security" tab → "Advanced" button → "Auditing" tab → Click "Add" button.

**3. **Configure the following settings:

  • Principal: "Everyone"; 
  • Type: "All"; 
  • Applies to: "This folder, subfolders and files"; 
  • Advanced Permissions: "List folder / read data" → Click "OK" three times.

**4. **Run gpmc.msc on your domain controller → Create a new GPO → Edit it: Go to Computer Policy → Computer Configuration → Windows Settings → Security Settings:

  • Local Policies → Audit Policy → Audit object access → Define → Success and Failures
  • Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit File System → Define → Success and Failures
  • Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit Handle Manipulation → Define → Success and Failures.

**5. **Go to Event Log → Define:

  • Maximum security log size to 4gb
  • Retention method for security log to Overwrite events as needed.

6. Link the new GPO to OU with File Servers: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.

**7. **Force the group policy update: Go to "Group Policy Management" → Right-click the defined OU → Сlick "Group Policy Update".

**8. **Open Event Viewer and search security log for event ID 4663 with "Accesses: ReadData (or ListDirectory)" string.

https://img.netwrix.com/landings/howtofriday/25/Native-Auditing.png
9. Real Life Use Case Video:
View

10. Credits: Originally posted -https://www.netwrix.com/how_to_detect_who_read_file_on_windows_file_server.html