✈ File System Auditing : For Delete Operations

This will guide you on how to setup audit events for people deleting files of servers, these events will be logged to the "Security" log as Event ID "4656", lets get started.....

Setting up file system auditing

Start secpol.msc → Select the "Security Settings"  → Select "Advanced Group Policy Auditing" button → Go to the "Global Object Access Auditing" options, then select the "File System" then double click this.....

Then you need  File System, click the "Define" option and click properties.....

Then you need the options below, its for Everyone with "All" as the type, as a delete will usually be successful for administrators, then click the "Clear All" and only select "Delete" and "Delete subfolders and files"

Add the Policy to AGPM

AGPM replaces legacy audit policy, so you do not need to enable it in the legacy location, however, if this is required, for backwards compatibility purposes, you will need to set it in both locations, however, you should NOT be running servers pre-server 2008

Run the Group Policy editor (gpedit.msc) and create and edit a new GPO. Specifically, go to → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → "Advanced Audit Policy Configuration" → Audit Policies → Object Access, and setup as following:

Audit File System → Define → Success and Failures

Audit Handle Manipulation → Define → Success and Failures

Link the new GPO to the server - it will not work without this......

Apply your change by forcing a Group Policy update with this:

gpupdate /force

Reviewing events

Open the Event Viewer and search the security log for event ID 4656 with a task category of "File System" or "Removable Storage" and the string "Accesses: DELETE". 

You will notice that is a Failure as when you do a file operation with UAC enabled you get the shield right there, however once you approve that the file is deleted.

This is the event being logged as you can see here, you get the file delete and the program used to delete it, here we can see 1234.txt was deleted with Explorer, however you get more than that, this is the full event....that will tell you the person as well......

A handle to an object was requested.

Security ID: bear.local\Sneeky.Bear
Account Name: Sneeky.Bear
Account Domain: BEAR
Logon ID: 0x1D6E283

Object Server: Security
Object Type: File
Object Name: C:\temp\auditreport1234.txt
Handle ID: 0x0
Resource Attributes: -

Process Information:
Process ID: 0x2970
Process Name: C:\Windows\explorer.exe

Access Request Information:
Transaction ID: {00000000-0000-0000-0000-000000000000}
Accesses: DELETE
Access Reasons: DELETE: Not granted
SYNCHRONIZE: Granted by D:(A;ID;0x1200a9;;;BU)
ReadAttributes: Granted by ACE on parent folder D:(A;OICIID;0x1200a9;;;BU)
Access Mask: 0x110080
Privileges Used for Access Check: -
Restricted SID Count: 0

Previous Post Next Post

Ω†Ω…ΩˆΨ°Ψ¬ Ψ§Ω„Ψ§ΨͺΨ΅Ψ§Ω„