Auditing is yet another component of Dynamic Access Control that, while not
new to Windows Server, has undergone a refresh. Windows Server 2008 and
2008 R2 will create audit events anytime a file is accessed, but auditing
in Server 2012 is centralized and more sophisticated.
With file access auditing in Server 2012, you can track changes to
central access rules and policies, claims definitions, file attributes,
and, of course, data access.
If you have been or currently are a Windows server administrator,
you already understand the importance of auditing. Auditing is critical
for those aforementioned compliance regulations, where federal rules
demand that certain organizations know who is accessing what. Auditing is
also important for internal security—to protect a company’s intellectual
property and to prevent data leakage.
While Microsoft has strengthened auditing with Windows Server 2012,
the company is going even further, working with partners on solutions for
powerful interpretation and analysis of audits. Microsoft’s own System
Center Operations Manager (SCOM) will work with Server 2012 in providing audit analysis
tools.
There are a couple of steps required for configuring auditing in a
domain. First, you have to configure a Global Object Access
Policy. Launch Group Policy Management and
navigate to Computer Configuration→Policies→Windows
Settings→Security Settings→Audit Policies→Object Access→Audit File System Properties.
Check the boxes to enable “Configure the following audit events,”
Success, and Failure. (See Figure 1.)
From the navigation pane, under “Audit policies,” double-click
Global Object Access Auditing. Check the box next to “Define this policy
setting,” and then click Configure.
The resulting window is the Advanced Security Settings for Global
File SACL (security access control lists). Click Add, then
“Select a principal.” For a global policy, you will typically select
Everyone, Full Control, and then Permissions.
Here’s where you set the conditions you want to audit. For example,
if you want to audit what’s happening with Payroll shares and files, you
would set:
[Resource][Department][Any of][Value][Payroll]
Now, click OK three times and return to the navigation pane. From
there, to finish configuration, click Object Access, double-click Audit
Handle Manipulation, and make sure that “Configure the following audit
events,” Success, and Failure are all checked.
Once you set up an audit policy for the domain, it’s good practice
to force a Group Policy update. To verify that your audit settings are
correct (for example, on a shared folder the policy applies to),
modify a file in the share and check the Event Viewer for events
4656 and 4663.
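
The verification step above can be scripted. The following PowerShell is an added example, not part of the original text: it refreshes policy, shows the effective audit settings, modifies a test file, and lists the resulting 4656 and 4663 events. Assumptions: $SharePath is a hypothetical local path to the audited folder, that folder is classified so the Payroll condition matches, and the server uses English audit subcategory names.

```powershell
# Added example; run elevated on the file server. English subcategory names assumed.
param([string]$SharePath = 'D:\Shares\Payroll')   # hypothetical audited folder

# Refresh computer policy so the new audit settings are applied.
gpupdate /target:computer /force | Out-Null

# Effective settings for the two subcategories enabled above, then the global file SACL.
auditpol /get /subcategory:"File System"
auditpol /get /subcategory:"Handle Manipulation"
auditpol /resourceSACL /type:File /view

# Generate a known access: create a test file, then modify it.
$start    = Get-Date
$testFile = Join-Path $SharePath ('audit-test-{0:yyyyMMddHHmmss}.txt' -f $start)
Set-Content -Path $testFile -Value 'audit verification'
Add-Content -Path $testFile -Value 'modified'
Start-Sleep -Seconds 2                            # give the events time to be written

# Read 4656 (handle requested) and 4663 (access attempted) logged since the test began.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4656, 4663; StartTime = $start.AddSeconds(-1)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the named <Data> fields of the event into a hashtable.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['ObjectName'] -ne $testFile) { continue }   # keep only our test file
    [pscustomobject]@{
        Time       = $e.TimeCreated
        EventId    = $e.Id
        User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        HandleId   = $data['HandleId']             # ties a 4663 back to its 4656
        AccessMask = $data['AccessMask']
        Process    = $data['ProcessName']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
foreach ($id in 4656, 4663) {
    if (-not ($rows | Where-Object EventId -eq $id)) {
        Write-Warning "No event $id for $testFile; check the policy and the folder's classification."
    }
}
Remove-Item -Path $testFile
```

A 4663 row sharing a HandleId with an earlier 4656 row shows that both the File System and Handle Manipulation settings took effect.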