IS Decisions Blog

How to make Windows server file and folder access auditing easy

Windows file server auditing can be tedious (at best). Here's how FileAudit makes it easier with real-time access monitoring, alerts and responses.

Published Sep 26, 2018
Native Windows tools have limitations. FileAudit is a software solution that enhances Windows file server auditing, so IT can meet compliance requirements and boost security without spending hours poring over logs.

Windows file server auditing software

When native Windows tools don’t cut it, admins turn to third-party software to enhance security and ease regulatory compliance. Although Windows Active Directory includes native policies to audit file and folder access, using them creates tedious and time-consuming tasks.

Deciphering hundreds or even thousands of events and attempting to retrieve those of interest generates endless hours of non-value-added work and creates a significant risk of error. Other limitations with native auditing include no reporting, alerting or long-term storage of data.

FileAudit overcomes these security limitations.

Designed to make auditing faster, smarter and more efficient, FileAudit leverages existing Windows Platform technologies to create a real-time monitoring and alerting solution on all access or access attempts. This gives IT professionals the optimal visibility into what is happening with their files, folders and file shares and the opportunity to react quickly to potential abuse.

Real-time Windows file auditing

Using the Microsoft NTFS audit integrated in all Windows systems, the FileAudit service constantly scans the security logs of all audited machines in real time to capture all relevant access events and access attempts across one or several Windows systems. Intelligent alerts can be defined for specific access events.

An agentless, remote and non-intrusive deployment, FileAudit can be installed in less than 3 minutes. Any machine (meeting the system requirements) can be used as a remote host for FileAudit. No further installation is required.

Performance and scalability

FileAudit optimizes the NTFS audit to keep only relevant access events (approx. 30%) for monitoring. No useful information is lost; only meaningless events are discarded. You can also choose to exclude additional file events such as temporary documents and events generated by executables such as antiviruses or backups.

Automated audit configuration

Files and folders selected for auditing can then be automatically configured for access auditing with the FileAudit wizard, which is easy even for the most novice tech user.

Centralized auditing and long term archiving

To store all collected events, FileAudit requires the use of a database (SQLite, Microsoft Access File, Microsoft SQL Server or Microsoft SQL Express). It will archive all file access events occurring on one or several Windows systems to generate an always-available, searchable and secure audit trail. Customized reporting consolidates access events from multiple file servers.

Powerful filtering

Filtering access events by type, user account or time range gives you better control and management of your auditing.

FileAudit® vs. Native Windows® Server

| | FileAudit | Windows Server |
|---|---|---|
| Intuitive, User-Friendly Interface | Yes. FileAudit comes with a fluid, touch-ready, “Windows 8” UI. | No. Limited to an Event Log that typically lists thousands of entries per day. |
| File and Folder Activity Real-Time Monitoring | Yes. FileAudit monitors and shows in real-time, access (or access attempts) to sensitive files, folders and sensitive shares. | Practically no. Native Windows file auditing generates multiple entries for a single access event. |
| File and Folder Activity Alerts | Yes. Email alerts can be automatically and immediately triggered when specific access events are detected. | No. There is no email alert system to notify specific access events. |
| File and Folder Activity Recording | Yes. FileAudit automatically records all access events into a centralized, queryable SQL Server database. | No. Windows Security Event Logs can be exported, but only in EVT/EVTX format and on a per file server basis. |
| Schedulable, Automated Multi-criteria Reporting | Yes. FileAudit consolidates access events from multiple file servers into a single SQL Server database. | No. Access events can only be viewed one file server at a time. |
| File and Folder Activity Long-term Archiving | Yes. FileAudit saves access events into an SQL Server database. Several years of data can be held with no performance issues. | Practically no. Access events can only be stored in several EVT or EVTX files, making it hard to use and exploit the data within. |
| | Yes. FileAudit offers detailed and customizable graphical statistics on file and folder activity. | No. Windows native features provide no statistical reporting on file and folder activity. |
| Delegation to non-IT auditors | Yes. Specific accounts can be created for people without administrative rights. | No. Local administrative rights are required to perform file access auditing. |

Windows file servers access auditing

FileAudit also implements sophisticated contextual functions to help detect and combat malicious access and alteration of sensitive information on Windows Servers.

  • Alerts can be sent when mass access, copying, deletion or moving of bulk files is detected, a strong indication of a potential breach.

  • By tracking and identifying the source IP address and machine name, FileAudit indicates where the user accessed the file from, including whether the access came from a different workstation or through remote data access.

  • Granular time and date alerting parameters help minimise the risk from access at unusual or unexpected times.

  • You can then trigger a specific action when something unusual is detected by one of your FileAudit alert rules. Create a script and allow it to run whenever the alert is triggered.


These features go further than ever in providing IT security professionals a complete picture of the access events on their organization's sensitive data.
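
The mass-access and unusual-time alerts listed above can be expressed as a sliding-window rule over access events. The following Python is an added illustration, not FileAudit's own code or rule engine; the event tuple layout, the thresholds (10 distinct files in 60 seconds, working hours 07:00 to 19:00) and the sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def sample_events():
    """Constructed (user, timestamp, operation, path) events; not real log data."""
    base = datetime(2018, 9, 26, 14, 0, 0)
    events = [("alice", base + timedelta(seconds=20 * i), "read",
               rf"\\fs01\hr\doc{i}.docx") for i in range(3)]
    # bob deletes 12 different files within 24 seconds
    events += [("bob", base + timedelta(minutes=5, seconds=2 * i), "delete",
                rf"\\fs01\finance\q{i}.xlsx") for i in range(12)]
    # carol reads one file at 02:30, outside the assumed working hours
    events.append(("carol", datetime(2018, 9, 27, 2, 30), "read",
                   r"\\fs01\hr\payroll.xlsx"))
    return sorted(events, key=lambda e: e[1])


def detect(events, threshold=10, window=timedelta(seconds=60), work_hours=(7, 19)):
    """Return (kind, user, timestamp) alerts for time-ordered events."""
    recent = defaultdict(deque)  # user -> (timestamp, path) pairs inside the window
    in_burst = set()             # users already alerted for the current burst
    alerts = []
    for user, ts, _op, path in events:
        if not work_hours[0] <= ts.hour < work_hours[1]:
            alerts.append(("off_hours", user, ts))
        q = recent[user]
        q.append((ts, path))
        while ts - q[0][0] > window:   # evict entries older than the window
            q.popleft()
        # Count distinct files so repeated log entries for one access do not
        # inflate the total.
        if len({p for _, p in q}) >= threshold:
            if user not in in_burst:
                alerts.append(("mass_access", user, ts))
                in_burst.add(user)
        else:
            in_burst.discard(user)
    return alerts


if __name__ == "__main__":
    for kind, user, ts in detect(sample_events()):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:<12} {user}")
```

Counting distinct paths rather than raw entries matters because, as the comparison table notes, native auditing can log several entries for a single access.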

Effective, easy file server security

Today’s move to a digital workforce means there are more and more reasons for employees (and business partners) to require access to information assets to perform their job. This poses a serious challenge for IT administrators everywhere. It can be a daunting task trying to identify suspicious access behavior and stop the theft, alteration or deletion of an organization’s most sensitive information.

Whilst all industries face the risk of intellectual property theft, it’s not only corporate data at risk.

  • In healthcare, the need to safeguard sensitive patient data, such as electronic health records, is driving better security practice.

In addition, all businesses that process and control personal data within the EU need to monitor any access to comply with the General Data Protection Regulation (GDPR).

Enhancing the monitoring and auditing of all file access and actions is a critical need for organizations across all sectors.