How to Audit Access to Files
How to Audit Access to Files
To enable auditing for a file (or folder), you need to edit the security descriptor (WhatIsASecurityDescriptor) for it and give it a SACL (WhatIsAnAccessControlList). This is easy to do with Explorer. Just find the file you want, bring up its property sheet, and choose the Security tab. From there, press the Advanced button. The dialog that pops up will have an auditing tab that you can use to edit the SACL. If you normally run with least privilege as I do, note that Explorer will hide this tab unless you have the SeSecurityPrivilege, which administrators have by default. Therefore, log in as an administrator (or run another copy of Explorer, as I suggested in HowToDevelopCodeAsANonAdmin) before you attempt this.
When you edit the SACL you're specifying the conditions for an audit to be generated. Take Figure 11.1 as an example. In this case, an audit will be generated if someone attempts to open the file called sensitive.txt for read permissions and fails. If the request to open the file for read access succeeds, no audit will be generated. It's possible for someone to try to open the file for write-only permission; even if the request fails, no audit will be generated because you didn't say you wanted to audit the write permission. For this reason, think carefully about the permissions you want to audit. It's safest to start by auditing all of them—that way you won't miss anything—but your signal-to-noise ratio in the audit log may suffer if you cast too wide a net.
You can enable auditing of registry keys the exact same way: Just use regedit to bring up the security dialog via the Edit menu. It will look similar to the file dialog although the types of permissions listed will be registry related as opposed to file related.
For both registry keys and files (and directory service objects, while we're at it), you can audit entire trees using ACL inheritance, which I cover in more detail in WhatIsACLInheritance. So, if you've got a directory full of sensitive files, you can enable auditing on the entire directory by bringing up this same property sheet on the directory itself. Just make sure that, when you add any audit entries, the "Apply onto" selection is set to enable inheritance (see Figure 11.2). It should be set this way by default: "This folder, subfolders and files," which is usually your safest bet.
If you want to audit anything at all, you'll need to throw a switch in security policy because auditing is completely disabled by default. See HowToEnableAuditing for more detail, but the type of auditing you'll want to turn on in this case is "Object Access." This covers not only the file system but the registry and any secured object in Windows that has auditing support, even transient kernel objects like processes and mutexes, although these don't have a user interface for setting up auditing (you must programmatically set the SACL for these more obscure auditing scenarios).
To audit access to a registry key, just select a key in the registry to bring up the permissions editor (Edit:Permissions) and follow the same procedure. Just as with a folder in the file system, you can audit an entire tree of registry keys by using inheritance.
Auditing Active Directory objects works similarly. From the Active Directory console, bring up the property sheet for the object and flip to the Security tab. You'll find that process is very similar, although in Active Directory it is possible to audit access to individual properties of an object as well as the object as a whole.