Is Native Windows File Auditing

Nearly every compliance mandate requires IT to establish, maintain, and demonstrate that security access controls are in place around protected data sets. In networks built on Windows servers, that means auditing the file servers themselves is necessary to truly ensure compliance.

Microsoft provides plenty of log detail around permission changes, and file and folder access – which can all be used when attempting to meet compliance objectives.

So, the question becomes, can native tools actually help demonstrate compliance?

Shortcomings of Event Viewer

It’s important to remember that Microsoft didn’t design Event Viewer to be an auditing solution; it was designed simply to give IT pros a centralized application in which to view event data. So, in a scenario where a given file server needs to be audited to demonstrate compliance, there are a few shortcomings:

  • Too much detail – If you’re like probably every single IT pro on the planet, the first time you saw the event data in Event Viewer you were a bit overwhelmed by the sheer number of events, how quickly they came in, and how difficult you thought it was going to be to find anything in that haystack-like pile of log entries. Fast-forward to today and nothing has really changed!
  • Not enough help – Event logging is about consolidating the raw event data and making it available centrally. But to find out something as simple as “Who accessed your protected files today and what did they do?” requires much more work than just skimming through the event log data; it requires meticulous research into specific field values within multiple log entries, all to “puzzle piece” your way to a potential answer. A single action in the file system can generate 5-10 log entries, each documenting a different aspect of what IT would consider a single activity.
  • Way too manual – While Event Viewer does offer some “automation”, such as WMI filtering or using the Task Scheduler to send alerts, by and large it requires manual work to obtain the needed audit data.
  • Not audit-friendly – Auditors like to ask specific questions like “Who has accessed this folder in the last month?” Obtaining the answer to this seemingly simple question requires some complex filtering, consolidation of events, and digging into the event results to find the answer. In reality, Event Viewer isn’t designed to specifically meet the needs of auditors: there is no delegation of log access to give an external auditor the ability to run their own queries, there is no intelligent way to query the event data, and the data itself is presented at the operating system level and not at a level where an auditor can gain insight into what’s actually happening within your environment.

So, is native auditing compliance ready?

While this article has placed most of its focus on how bad a fit Event Viewer is for compliance needs, the answer to the question of whether it can help with a compliance audit really depends on the level of detail needed, how often audits occur, and how much time IT has to find the answer. Remember, the answers are in there; it just requires time, patience, some investigative know-how, and an ability to put multiple log entries together intelligently to get your answer.
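As an added illustration (not part of the original article), the following PowerShell script shows the kind of consolidation work described above: it pulls the native Security log entries for a folder over the last 30 days and collapses the several entries that one user action generates into one row per user, file and access type. It assumes object-access auditing is enabled with a SACL on the folder, an example path of D:\Protected, and the standard Windows event IDs 4663 (object access attempt) and 4670 (permissions changed), none of which the article itself names.

```powershell
# Added example, not from the article: answer "who accessed this folder in the
# last month?" from the native Security log. Assumes "Audit File System" is
# enabled and a SACL is set on the folder so that 4663/4670 events are written.
param(
    [string]$Folder = 'D:\Protected',   # assumed path; change to the audited share
    [int]$Days = 30
)

$since = (Get-Date).AddDays(-$Days)

# 4663 = an attempt was made to access an object; 4670 = permissions changed.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663, 4670
    StartTime = $since
} -ErrorAction SilentlyContinue

# Each 4663 carries the user, the object path and an access mask. One user-level
# action (open, read, write, close) produces several entries, so parse the XML
# payload and keep only entries that fall under the audited folder.
$rows = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($d.ObjectName -and $d.ObjectName.StartsWith($Folder, 'OrdinalIgnoreCase')) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            Object  = $d.ObjectName
            EventId = $e.Id
            # AccessMask is hex, e.g. 0x1 = ReadData, 0x2 = WriteData, 0x10000 = Delete
            Access  = $d.AccessMask
        }
    }
}

# Consolidate: one row per user + object + event + access type, with a count
# and first/last timestamps, which is the shape an auditor actually asks for.
$rows |
    Group-Object User, Object, EventId, Access |
    ForEach-Object {
        $g = $_.Group | Sort-Object Time
        [pscustomobject]@{
            User = $g[0].User; Object = $g[0].Object; EventId = $g[0].EventId
            Access = $g[0].Access; Count = $g.Count
            First = $g[0].Time; Last = $g[-1].Time
        }
    } |
    Sort-Object User, Object |
    Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the file server itself; reading the Security log requires administrative rights or membership in the Event Log Readers group.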

To find out more about file auditing for compliance, as well as to understand how 3rd party solutions can assist with meeting compliance mandates, read the whitepaper The Role of File Auditing in Compliance.


About FileAudit

Prove to regulators you are protecting data by comprehensively monitoring and alerting on all file access activity across Windows systems and in the cloud.

Installed in less than 3 minutes.
