Windows File Share Auditing – Best Practices

Windows file share auditing helps organizations secure their most sensitive files, folders and file shares and simplifies adherence to compliance standards. When successful file auditing is in place it can help both identify a data breach as well as to potentially stop a breach.

File share security best practices

Across almost all industries, file servers remain the primary asset of choice for attacks (Verizon, Data Breach Investigations Report 2017). On Windows-based networks, protected data is most likely hosted on server-based file systems, making these servers a primary target for attacks.

Organizations want to keep these files secure, only allowing access to those who need it. To both know and demonstrate that this is the case (think compliance) requires visibility into who has access, who is using access, and what actions are being taken upon the files.

‘Windows File Share Auditing – Best Practices’ highlights how Windows system administrators can do this best with FileAudit.

1. File share auditing is more than just information

Windows File Share Auditing

Firstly, why use a third party file auditing solution? The answer lies in the gaps in functionality, performance, and detail provided by native tools.

It’s important to remember, Microsoft didn’t design Event Viewer to be an auditing solution; it was designed to simply provide IT pros a centralized application in which to view event data. So, in a scenario where a given file server needs to be audited, there are a few shortcomings.

To find out something as simple as “Who accessed your protected files today and what did they do?” requires much more work than just skimming through the event log data; it requires meticulous research into specific field values within multiple log entries, all to “puzzle piece” your way to a potential answer. It’s time-consuming and overwhelming. File auditing should be more than just about information. Look for intelligence and insight.

Read more about the shortcomings of native Windows Event Viewer for auditing file servers.

2. Get alerts to abnormalities in file activity and respond

 Receive Alerts to Access Events

When protected data resides on a file server, obvious leading indicators of a breach will exist. By watching the access and usage of protected data on file servers, it’s possible to detect a data breach based on unusual activity. Examples include:

  • Frequency – Normal user access can likely revolve around an average daily use. The presence of a mass copying or bulk deletion or movement of data is worth looking into.
  • Amount – Are files being accessed multiple times more than is normal? An unsure insider having second thoughts about stealing data may make several access attempts before finally taking data.
  • Day/Time – A user accessing data at 10pm on Friday night who normally only accesses files Monday – Friday during business hours seems suspect.
  • Endpoint/IP Address – Access from a machine outside the company network, or one that doesn’t normally access a given set of files can be a clear sign of improper use.
  • Processes – Attackers may use their own tools to exfiltrate data, so seeing processes other than Explorer, Word, etc. accessing files can indicate a problem.

FileAudit allows you to give proper attention to what may equate to a data breach AND allows you to take action immediately.

respond to file share alert execution script

A script can be created and run (for example to shut down a machine or logoff a user), whenever a specific alert is triggered.

For more information on how to identify unusual file activity and impede data breaches read the whitepaper The role of File Auditing to Spot and Stop a Data Breach.

3. Use powerful filtering capabilities to improve your audit

file auditing file access filtering

Finding answers about file access activity can be time consuming and challenging. Exclude irrelevant data and focus only on insightful and actionable information.

4. Accurately identify where file or folder access is from

file access viewer

Only by identifying the name and IP address of the machine from which the file/folder access has been performed can you indicate exactly where the user has accessed the file from. Shine a light on suspicious activities, such as a user accessing a sensitive file from a different workstation than normal.

5. Audit NTFS Permissions

NTFS Permissions

FileAudit allows you to have a centralized view of the NTFS permissions (simple and advanced) of your files and folders. To do so, it scans all the audited paths you have defined and saves the information in a snapshot.

You can set up alerts on permission changes. The alert gives you the name of the user and the name of the file/folder affected by the change. By scheduling regular snapshots, you can then compare two snapshots (one before the alert and one after) to see what changes have been made.

6. Secure the whole organization, not just a single server

centralized file auditing

FileAudit provides the centralized monitoring and analysis of file activity data necessary to quickly and intelligently identify and report on potential breach activity. The ability to monitor activity across the whole organization (not just a single server) means quick and accurate answers can be given to who did what, when and from where.

7. Exclude irrelevant data & focus on insightful information

 Focus on insightful information by excluding irrelevant data

Filtering out program access events (such as backup tool, anti-virus or search engine) or files with specific extensions (e.g. temporary files with .tmp extension) stops your data becoming polluted.

Also an audit tool that discards meaningless events and keeps only the relevant access events (approx. 30% for FileAudit) for monitoring improves performance and scalability.

8. Ensure file auditing is intuitive and easy to use

File System Auditing Tutorials

Unlike native tools, which simply address the task of consolidating and presenting event data, FileAudit is purpose-built, improving the audit experience by focusing on the specific needs around compliance audits, the use of solutions by IT and auditors alike, and the detail necessary to ensure compliance.

Simple to install and easy to use It makes file auditing faster, smarter and more efficient – regardless of whether IT are working on PCs, laptops or tablets.

Watch how to install FileAudit in less than 3 minutes.

9. Use one secret to improve file security – user delegation

User Specific Rights Management

The reality is, those closest to the files have a much better sense of whether someone’s access – or use of permissions – is proper. IT are somewhat out of touch with which users need what access, and whether use of files is appropriate – and how all that changes over time.

For a Windows System domain, company executives outside of IT or external auditors can take advantage of FileAudit features and ease-of-use to perform audits and controls autonomously without breaching security protocols.

Read more about security through delegation with FileAudit.

10. Include the auditing of files in the cloud

monitor both on-premises and cloud storage

If your files aren’t already in the cloud, they will be soon.  Organizations must achieve the same levels of visibility and control over access to and usage of file data in the cloud. A single consolidated view of all file activity – both in the cloud and on-premise –will reduce the risk associated with allowing users anytime, anywhere, any device access to cloud-based file data.

More on how FileAudit can extend file auditing with cloud-based services.


Windows file share auditing need not be time-consuming or overwhelming. If managed carefully and correctly your chosen file auditing tool should do the work for you, so you can focus on more strategic IT issues and initiatives.


A Free Fully Functional 20 Day FileAudit Trial

Don’t take our word for it, download now the fully functional free trial
and see for yourself how easily FileAudit can help you
with Windows file share auditing.

Share this post :


Chris Bunn is the Directeur Général Adjoint of IS Decisions, a global cybersecurity software company, specializing in access management and multi-factor authentication for Microsoft Active Directory environments and the cloud.

Secured By miniOrange