Edit Pass: Windows Security articles

tiburd
2020-03-17 16:30:42 -07:00
parent 2355cce653
commit a658b3d194
4 changed files with 203 additions and 126 deletions

View File

@ -23,25 +23,26 @@ ms.date: 07/25/2018
- Windows 10
You can apply audit policies to individual files and folders on your computer by setting the permission type to record successful access attempts or failed access attempts in the security log.
To complete this procedure, you must be logged on as a member of the built-in Administrators group or you must have been granted the **Manage auditing and security log** right.
To complete this procedure, you must be signed in as a member of the built-in Administrators group or have **Manage auditing and security log** rights.
**To apply or modify auditing policy settings for a local file or folder**
1. Right-click the file or folder that you want to audit, click **Properties**, and then click the **Security** tab.
2. Click **Advanced**.
3. In the **Advanced Security Settings** dialog box, click the **Auditing** tab, and then click **Continue**.
1. Select and hold (or right-click) the file or folder that you want to audit, select **Properties**, and then select the **Security** tab.
2. Select **Advanced**.
3. In the **Advanced Security Settings** dialog box, select the **Auditing** tab, and then select **Continue**.
4. Do one of the following:
- To set up auditing for a new user or group, click **Add**. Click **Select a principal**, type the name of the user or group that you want, and then click **OK**.
- To remove auditing for an existing group or user, click the group or user name, click **Remove**, click **OK**, and then skip the rest of this procedure.
- To view or change auditing for an existing group or user, click its name, and then click **Edit.**
- To set up auditing for a new user or group, select **Add**. Select **Select a principal**, type the name of the user or group that you want, and then select **OK**.
- To remove auditing for an existing group or user, select the group or user name, select **Remove**, select **OK**, and then skip the rest of this procedure.
- To view or change auditing for an existing group or user, select its name, and then select **Edit.**
5. In the **Type** box, indicate what actions you want to audit by selecting the appropriate check boxes:
- To audit successful events, click **Success.**
- To audit failure events, click **Fail.**
- To audit all events, click **All.**
- To audit successful events, select **Success.**
- To audit failure events, select **Fail.**
- To audit all events, select **All.**
6. In the **Applies to** box, select the object(s) that the audit of events will apply to. These include:
6. In the **Applies to** box, select the object(s) to which the audit of events will apply. These include:
- **This folder only**
- **This folder, subfolders and files**
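Review bot: The rewritten prerequisite sentence ("or have **Manage auditing and security log** rights") turns a single user right into a plural; the original wording ("you must have been granted the **Manage auditing and security log** right") was more precise, so suggest "or have been granted the **Manage auditing and security log** user right". Also, on the rewritten list items the trailing period sits inside the bold markers ("**Edit.**", "**Success.**", "**Fail.**", "**All.**"); these are UI labels, so move the period outside the bold, e.g. "select **Success**."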
@ -55,16 +56,20 @@ To complete this procedure, you must be logged on as a member of the built-in Ad
- **Read and execute**
- **List folder contents**
- **Read**
- Additionally, you can choose **Full control**, **Modify**, and/or **Write** permissions with your selected audit combination.
- Additionally, with your selected audit combination, you can select any combination of the following permissions:
- **Full control**
- **Modify**
- **Write**
> **Important:**  Before setting up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md) by defining auditing policy settings for the object access event category. If you do not enable object access auditing, you will receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
> [!IMPORTANT]  
> Before you set up auditing for files and folders, you must enable [object access auditing](basic-audit-object-access.md). To do this, define auditing policy settings for the object access event category. If you don't enable object access auditing, you'll receive an error message when you set up auditing for files and folders, and no files or folders will be audited.
 
## Additional considerations
- After object access auditing is enabled, view the security log in Event Viewer to review the results of your changes.
- After you turn on object access auditing, view the security log in Event Viewer to review the results of your changes.
- You can set up file and folder auditing only on NTFS drives.
- Because the security log is limited in size, select the files and folders to be audited carefully. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
- Because the security log is limited in size, carefully select the files and folders to be audited. Also, consider the amount of disk space that you want to devote to the security log. The maximum size for the security log is defined in Event Viewer.
 
 

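Review bot: The new `> [!IMPORTANT]` line carries two trailing spaces, and the lines that consist of a single space (after the alert paragraph and at the end of the hunk) are whitespace-only; the `> [!NOTE]` added in the other file of this commit has no trailing whitespace, so strip these for consistency. One terminology point in the same region: the rewritten alert keeps "enable object access auditing" while the first bullet under "Additional considerations" is changed to "After you turn on object access auditing"; pick one of "enable" or "turn on" for this article.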
View File

@ -22,38 +22,39 @@ ms.date: 04/19/2017
**Applies to**
- Windows 10
This topic for the IT professional describes how to monitor changes to the central access policies that are associated with files and folders when you are using advanced security auditing options to monitor dynamic access control objects.
This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects.
This security audit policy and the event that it records are generated when the central access policy that is associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server.
This security audit policy and the event that it records are generated when the central access policy that's associated with a file or folder is changed. This security audit policy is useful when an administrator wants to monitor potential changes on some, but not all, files and folders on a file server.
For info about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
For information about monitoring potential central access policy changes for an entire file server, see [Monitor the central access policies that apply on a file server](monitor-the-central-access-policies-that-apply-on-a-file-server.md).
Use the following procedures to configure settings to monitor central access policies that are associated with files. These procedures assume that you have configured and deployed Dynamic Access Control in your network. For more information about how to configure and deploy Dynamic Access Control, see [Dynamic Access Control: Scenario Overview](https://technet.microsoft.com/library/hh831717.aspx).
>**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
> [!NOTE]
> Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings.
**To configure settings to monitor central access policies associated with files or folders**
1. Sign in to your domain controller by using domain administrator credentials.
2. In Server Manager, point to **Tools**, and then click **Group Policy Management**.
3. In the console tree, right-click the flexible access Group Policy Object, and then click **Edit**.
2. In Server Manager, point to **Tools**, and then select **Group Policy Management**.
3. In the console tree, right-click the flexible access Group Policy Object, and then select **Edit**.
4. Double-click **Computer Configuration**, double-click **Security Settings**, double-click **Advanced Audit Policy Configuration**, double-click **Policy Change**, and then double-click **Audit Authorization Policy Change**.
5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then click **OK**.
6. Enable auditing for a file or folder as described in the following procedure.
5. Select the **Configure the following audit events** check box, select the **Success** check box (and the **Failure** check box, if desired), and then select **OK**.
6. Turn on auditing for a file or folder as described in the following procedure.
**To enable auditing for a file or folder**
**To turn on auditing for a file or folder**
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit.
2. Right-click the file or folder, click **Properties**, and then click the **Security** tab.
3. Click **Advanced**, click the **Auditing** tab, and then click **Continue**.
1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
2. Right-click the file or folder, select **Properties**, and then select the **Security** tab.
3. Select **Advanced**, select the **Auditing** tab, and then select **Continue**.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then select **Yes**.
4. Click **Add**, click **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then click **OK**.
4. Select **Add**, select **Select a principal**, type a user name or group name in the format **contoso\\user1**, and then select **OK**.
5. In the **Auditing Entry for** dialog box, select the permissions that you want to audit, such as **Full Control** or **Delete**.
6. Click **OK** four times to complete the configuration of the object SACL.
7. Open a File Explorer window and select or create a file or folder to audit.
8. Open an elevated command prompt, and run the following command:
6. To complete the configuration of the object SACL, select **OK** four times.
7. Open a File Explorer window, and then select or create a file or folder to audit.
8. Open an elevated command prompt, and then run the following command:
`gpupdate /force`
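Review bot: "local administrator's group" in the rewritten sign-in step is a regression: the group is the built-in Administrators group (plural, not possessive), and the original "local administrators group" was closer; suggest "local Administrators group". The same hunk also leaves "right-click" in step 3 of the Group Policy procedure and step 2 of the file-auditing procedure, whereas the first file in this commit was changed to "Select and hold (or right-click)"; apply the same wording here so the two articles read consistently.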
@ -61,15 +62,16 @@ After you configure settings to monitor changes to the central access policies t
**To verify that changes to central access policies associated with files and folders are monitored**
1. Sign in as a member of the local administrators group on the computer that contains the files or folders that you want to audit.
2. Open a File Explorer window and select the file or folder that you configured for auditing in the previous procedure.
3. Right-click the file or folder, click **Properties**, click the **Security** tab, and then click **Advanced**.
4. Click the **Central Policy** tab, click **Change**, and select a different central access policy (if one is available) or select **No Central Access Policy**, and then click **OK** twice.
>**Note:**  You must select a setting that is different than your original setting to generate the audit event.
1. Sign in as a member of the local administrator's group on the computer that contains the files or folders that you want to audit.
2. Open a File Explorer window, and then select the file or folder that you configured for auditing in the previous procedure.
3. Right-click the file or folder, select **Properties**, select the **Security** tab, and then select **Advanced**.
4. Select the **Central Policy** tab, select **Change**, select a different central access policy (if one is available) or select **No Central Access Policy**, and then select **OK** twice.
> [!NOTE]
> You must select a setting that is different than your original setting to generate the audit event.
5. In Server Manager, click **Tools**, and then click **Event Viewer**.
6. Expand **Windows Logs**, and then click **Security**.
7. Look for event 4913, which is generated when the central access policy that is associated with a file or folder is changed. This event includes the security identifiers (SIDs) of the old and new central access policies.
5. In Server Manager, select **Tools**, and then select **Event Viewer**.
6. Expand **Windows Logs**, and then select **Security**.
7. Look for event 4913, which is generated when the central access policy that's associated with a file or folder changes. This event includes the security identifiers (SIDs) of the old and new central access policies.
### Related resource
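Review bot: Same possessive regression as the previous hunk: "local administrator's group" should be "local Administrators group". Two smaller points in the rewritten lines: "a setting that is different than your original setting" reads better as "different from your original setting", and "Right-click the file or folder" in step 3 is left unchanged while the first article in this commit was switched to "Select and hold (or right-click)".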