Windows file share auditing helps organizations secure their most sensitive files, folders and file shares and simplifies adherence to compliance standards. When successful file auditing is in place it can help both identify a data breach as well as to potentially stop a breach.
File share security best practices
Across almost all industries, file servers remain the primary asset of choice for attacks (Verizon, Data Breach Investigations Report 2017). On Windows-based networks, protected data is most likely hosted on server-based file systems, making these servers a primary target for attacks.
Organizations want to keep these files secure, only allowing access to those who need it. To both know and demonstrate that this is the case (think compliance) requires visibility into who has access, who is using access, and what actions are being taken upon the files.
1. File share auditing is more than just information
First, why use a third-party file auditing solution? Simple. Native Windows tools have gaps in functionality, performance, and detail. They make file auditing a headache, and it takes an insane amount of time.
Remember, Microsoft didn’t design Event Viewer to be an auditing solution. Actually, they designed it to simply provide IT pros with a centralized application in which to view event data. So, in a scenario where a given file server needs to be audited, there are a few shortcomings.
It's complicated to figure out something as simple as “Who accessed your protected files today and what did they do?” Answering that question means more work than just skimming through the event log data. You have to do meticulous research into specific field values within multiple log entries, all to “puzzle piece” your way to a potential answer. It’s time-consuming and overwhelming. File auditing should be more than just about information. Look for intelligence and insight.
Read more about the shortcomings of native Windows Event Viewer for auditing file servers.
2. Get alerts to abnormalities in file activity and respond
When protected data resides on a file server, obvious leading indicators of a breach will exist. By watching the access and usage of protected data on file servers, it’s possible to detect a data breach based on unusual activity. Examples include:
Frequency: Normal user access can likely revolve around an average daily use. The presence of a mass copying or bulk deletion or movement of data is worth looking into.
Amount: Are files being accessed multiple times more than is normal? An unsure insider having second thoughts about stealing data may make several access attempts before finally taking data.
Day/Time: A user accessing data at 10 p.m. on Friday night who normally only accesses files Monday – Friday during business hours seems suspect.
Endpoint/IP Address: Access from a machine outside the company network, or one that doesn’t normally access a given set of files can be a clear sign of improper use.
Processes: Attackers may use their own tools to exfiltrate data, so seeing processes other than Explorer, Word, etc. accessing files can indicate a problem.
FileAudit allows you to give proper attention to potential data breach indicators AND allows you to take action immediately to stop threats.
A script can be created and run (for example to shut down a machine or logoff a user), whenever a specific alert is triggered.
For more information on how to identify unusual file activity and impede data breaches read how file auditing helps spot and stop a data breach.
3. Use powerful filtering capabilities to improve your audit
Finding answers about file access activity can be time consuming and challenging. Exclude irrelevant data and focus only on insightful and actionable information.
4. Accurately identify where file or folder access is from
Only by identifying the name and IP address of the machine from which the file/folder access has been performed can you indicate exactly where the user has accessed the file from. Shine a light on suspicious activities, such as a user accessing a sensitive file from a different workstation than normal.
5. Audit NTFS permissions
FileAudit allows you to have a centralized view of the NTFS permissions (simple and advanced) of your files and folders. To do so, it scans all the audited paths you have defined and saves the information in a snapshot.
You can set up alerts on permission changes. The alert gives you the name of the user and the name of the file/folder affected by the change. By scheduling regular snapshots, you can then compare two snapshots (one before the alert and one after) to see what changes have been made.
6. Secure the whole organization, not just a single server
FileAudit provides the centralized monitoring and analysis of file activity data necessary to quickly and intelligently identify and report on potential breach activity. The ability to monitor activity across the whole organization (not just a single server) means quick and accurate answers can be given to who did what, when and from where.
7. Exclude irrelevant data to focus on the information you need
Filtering out program access events (such as backup tool, anti-virus or search engine) or files with specific extensions (e.g. temporary files with .tmp extension) stops your data becoming polluted.
Also an audit tool that discards meaningless events and keeps only the relevant access events (approx. 30% for FileAudit) for monitoring improves performance and scalability.
8. Ensure file auditing is intuitive and easy to use
Unlike native tools, which simply address the task of consolidating and presenting event data, FileAudit is purpose-built, improving the audit experience by focusing on the specific needs around compliance audits, the use of solutions by IT and auditors alike, and the detail necessary to ensure compliance.
Simple to install and easy to use It makes file auditing faster, smarter and more efficient – regardless of whether IT are working on PCs, laptops or tablets.
9. Use one secret to improve file security: user delegation
The reality is, those closest to the files have a much better sense of whether someone’s access — or use of permissions — is proper. IT are somewhat out of touch with which users need what access, and whether use of files is appropriate — and how all that changes over time.
For a Windows System domain, company executives outside of IT or external auditors can take advantage of FileAudit features and ease-of-use to perform audits and controls autonomously without breaching security protocols.
Read more about security through user delegation with FileAudit.
10. Include the auditing of files in the cloud
If your files aren’t already in the cloud, they will be soon. Organizations must achieve the same levels of visibility and control over access to and usage of file data in the cloud. A single consolidated view of all file activity — both in the cloud and on-premise — will reduce the risk associated with allowing users anytime, anywhere, any device access to cloud-based file data.
Take the overwhelm out of your file auditing
Windows file share auditing need not be time-consuming or overwhelming.
If managed carefully and correctly your chosen file auditing tool should do the work for you, so you can focus on more strategic IT issues and initiatives.