FileAudit Documentation

Technology

Audit

FileAudit uses the Microsoft NTFS audit built into every Windows system. NTFS auditing is part of the Windows object access audit and is enabled in the Local Security Policy of the audited system or centrally through Group Policy; in addition to the policy, each audited folder needs an audit entry (SACL) before any events are generated.

When a folder is set to audit, FileAudit proposes to enable this required policy for you and also sets the audit configuration on all objects under the target path. If, for any reason, you prefer not to let FileAudit auto-configure the audit settings, the wizard lets you configure them manually from the Security properties of the target folder. Note that the FileAudit auto-configuration is tuned to generate only the events needed for an exhaustive audit, which keeps the volume of the Security log down.


When the audit is enabled and configured on a folder, the IDs of the generated events are:

  • 560 on systems older than Windows Vista / Windows Server 2008
  • 4656 & 4663 for Windows Vista, Windows Server 2008 and higher

FileAudit additionally uses events with the ID 5145 (network share object access) on Windows Server 2008 R2 and higher file servers; this is the event that carries the client IP address.

FileAudit scans the Microsoft Security log of the audited system to collect these specific events. Every collected event is saved in the FileAudit database and displayed in the Console, so filters, reports and alerts keep working even after the Security log has wrapped and overwritten the original entries.

The ReFS file system, which supports the same auditing model as NTFS, is also supported by FileAudit.
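The following is an added example, not FileAudit's own code, showing the manual equivalent of what the wizard configures: enabling the audit policy subcategories behind events 4663 and 5145, adding an audit entry to a folder, and reading the resulting events back from the Security log. The target path C:\Shares\Finance is a placeholder; run it from an elevated PowerShell prompt on the file server.

```powershell
# Added example (not FileAudit's own code). Placeholder path; run elevated on the file server.
$Target = 'C:\Shares\Finance'

# 1. Enable the audit policy the NTFS audit depends on.
#    "File System" (Object Access) produces 4656/4663; "Detailed File Share" produces 5145
#    on Windows Server 2008 R2 and later.
auditpol /set /subcategory:"File System" /success:enable /failure:enable
auditpol /set /subcategory:"Detailed File Share" /success:enable /failure:enable

# 2. Add an audit rule (SACL entry) to the folder, inherited by all files and subfolders.
#    Without a SACL on the object, the policy above generates nothing.
$rights  = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$flags   = [System.Security.AccessControl.AuditFlags]'Success, Failure'
$rule    = New-Object System.Security.AccessControl.FileSystemAuditRule('Everyone', $rights, $inherit, $prop, $flags)

$acl = Get-Acl -Path $Target -Audit     # -Audit is required to read/modify the SACL
$acl.AddAuditRule($rule)
Set-Acl -Path $Target -AclObject $acl

# 3. Read back the events FileAudit collects. Parsing the event XML by field name avoids
#    depending on the positional order of $_.Properties, which differs between 4663 and 5145.
function Get-FileAccessEvent {
    param(
        [int[]]$Id = @(4663, 5145),
        [datetime]$Since = (Get-Date).AddHours(-1)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $Id; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            # 4663 names the local path (ObjectName); 5145 names the share-relative path.
            $objectName = if ($_.Id -eq 5145) { $d.RelativeTargetName } else { $d.ObjectName }
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Id         = $_.Id
                User       = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Object     = $objectName
                AccessMask = $d.AccessMask
                Process    = $d.ProcessName   # present on 4663 only
                ClientIP   = $d.IpAddress     # present on 5145 only
            }
        }
}

# Who touched the audited tree, from which process (4663) or which client address (5145).
Get-FileAccessEvent |
    Where-Object { $_.Id -eq 5145 -or $_.Object -like "$Target*" } |
    Sort-Object Time |
    Format-Table Time, Id, User, Object, AccessMask, Process, ClientIP -AutoSize
```

Modifying a SACL requires the "Manage auditing and security log" right (SeSecurityPrivilege), which administrators hold by default; reading the Security log requires the same right or membership in Event Log Readers. The auditpol subcategory names are the English ones and are localized on non-English systems, where the subcategory GUIDs should be used instead.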

Architecture

Installing FileAudit on the system to be audited is not mandatory. Any machine meeting the system requirements can host FileAudit and audit other systems remotely, and the remotely audited system requires no additional installation.

The complete installation mode installs the FileAudit Console and FileAudit Windows Service. The Console allows you to set all FileAudit parameters and to define the paths-to-audit, reports and alerts. The FileAudit service scans the events generated on the audited system and reacts in real-time. It will also manage the automatic reports that are created.

FileAudit will store all detected events in a database. FileAudit supports the following database systems:

  • Microsoft Access database file (mdb)
  • Microsoft SQL Server Express 2008/2008 R2/2012/2014/2016
  • Microsoft SQL Server 2008 and newer
  • MySQL 5.6 and higher
  • SQLite

The FileAudit package also provides a free Microsoft Access database facility.

Take note that in custom installation mode, you can choose not to install the FileAudit Service, allowing the installation of the Console alone on an administrative workstation that can be connected remotely to a FileAudit Service.

Known limitations

FileAudit is an agentless solution based on the Microsoft NTFS audit. Certain actions have no native audit event of their own: Windows records them as a sequence of basic events instead. 'Copy/paste', 'Cut/paste' and 'Create file/folder' in particular are not available as native Microsoft audit events and appear as several basic events.

Retrieving the IP address of the computer from which an access attempt was made over the network is supported for Windows Server 2008 R2 or higher file servers (it relies on event 5145).

Another limitation concerns Windows Explorer, which may access files in a folder during simple browsing. Explorer reads file content even when a file was not actually opened but merely hovered over or selected to reveal its name. This is particularly true where shell extensions are installed. For example, if WinZip is installed, the WinZip shell extension may read the header of any .zip file in a folder to determine the number of files in the archive, an action that occurs upon simply selecting the .zip file name.

Consequently, a read operation may be involuntary. A read operation detected by FileAudit therefore does not prove that a user deliberately opened the file; it signals a strong probability that the file was (or was about to be) accessed.

The Move access type can produce false negatives in certain cases. When a move is executed from one server to another, the file or folder is recorded as "deleted" on the source and as "written" on the target server, with no Move event linking the two. False positives can also be generated when moving empty files and folders, or when the move takes too long to complete.
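The following added example (not FileAudit's own logic) shows how the two limitations above look at the event level and how a practitioner can correlate around them: pairing a DELETE on one server with a write of the same file name on another server to reconstruct a cross-server move, and flagging reads performed by explorer.exe with read-only access as likely involuntary. The events are constructed sample data in the shape of 4663 records, not real log output; server names, users and paths are placeholders.

```powershell
# Added example (not FileAudit's own logic). Constructed 4663-shaped sample events; placeholders throughout.
$ReadData       = 0x1       # FILE_READ_DATA
$WriteData      = 0x2       # FILE_WRITE_DATA
$ReadAttributes = 0x80      # FILE_READ_ATTRIBUTES
$Delete         = 0x10000   # DELETE

$events = @(
    [pscustomobject]@{ Time = [datetime]'2024-03-01 10:00:00'; Server = 'FS1'; User = 'CORP\alice'; Object = '\\FS1\Finance\q1.xlsx';   AccessMask = $ReadData;  Process = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01 10:00:03'; Server = 'FS1'; User = 'CORP\alice'; Object = '\\FS1\Finance\q1.xlsx';   AccessMask = $Delete;    Process = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01 10:00:04'; Server = 'FS2'; User = 'CORP\alice'; Object = '\\FS2\Archive\q1.xlsx';   AccessMask = $WriteData; Process = 'System' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01 11:30:00'; Server = 'FS1'; User = 'CORP\bob';   Object = '\\FS1\Finance\old.zip';   AccessMask = $ReadData;  Process = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = [datetime]'2024-03-01 11:31:00'; Server = 'FS1'; User = 'CORP\bob';   Object = '\\FS1\Finance\plan.docx'; AccessMask = $ReadData;  Process = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE' }
)

# A cross-server move leaves no Move event. Pair a DELETE on one server with a WriteData of the
# same file name on a different server, by the same user, within $Window. A move that takes
# longer than the window, or of an empty file (no WriteData on the target), is not paired,
# which is the false-negative case the documentation describes.
function Find-ProbableMove {
    param([object[]]$Events, [timespan]$Window = [timespan]::FromSeconds(30))
    $deletes = $Events | Where-Object { $_.AccessMask -band $Delete }
    $writes  = $Events | Where-Object { $_.AccessMask -band $WriteData }
    foreach ($d in $deletes) {
        $name  = Split-Path -Leaf $d.Object
        $match = $writes | Where-Object {
            (Split-Path -Leaf $_.Object) -eq $name -and
            $_.User   -eq $d.User -and
            $_.Server -ne $d.Server -and
            $_.Time   -ge $d.Time -and
            ($_.Time - $d.Time) -le $Window
        } | Select-Object -First 1
        if ($match) {
            [pscustomobject]@{ User = $d.User; From = $d.Object; To = $match.Object; Elapsed = $match.Time - $d.Time }
        }
    }
}

# A read by explorer.exe whose access mask contains nothing beyond ReadData/ReadAttributes is
# the signature of browsing and shell-extension peeks (e.g. an archive extension reading a
# .zip header). A read by an application such as Word is far more likely to be deliberate.
function Test-InvoluntaryRead {
    param([object]$Event)
    $readOnlyMask = $ReadData -bor $ReadAttributes
    ($Event.Process -like '*\explorer.exe') -and (($Event.AccessMask -band (-bnot $readOnlyMask)) -eq 0)
}

Find-ProbableMove -Events $events | Format-Table -AutoSize

$events |
    Where-Object { $_.AccessMask -band $ReadData } |
    Select-Object Time, User, Object, Process, @{ n = 'LikelyInvoluntary'; e = { Test-InvoluntaryRead $_ } } |
    Format-Table -AutoSize
```

With the sample data, the first table reports alice's q1.xlsx as a probable move from FS1 to FS2 (elapsed 1 second), and the second table marks the two explorer.exe reads as likely involuntary while bob's WINWORD.EXE read of plan.docx is not. Correlating across servers requires the clocks of both file servers to be synchronized; otherwise the time window check will miss legitimate pairs.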