Monitoring Files and Folders

Monitoring who is accessing sensitive files and folders in Windows 7 is possible through local group policies. It is recommended to monitor or better audit critical files only such as, an organization employee’s salary spreadsheet or sensitive/personal word documents. If you audit a large number of files and folders you might miss valuable information in the massive log file filled with unnecessary events. Auditing can tell you who opened a document, who modified a document, and who tried to open a document and failed among many other options.

It is important to note that only volumes formatted with NTFS file systems can be audited, anyway, most systems use NTFS nowadays. In Windows XP you could audit 9 event categories but in Windows 7 you have 53 different event categories to choose from, which means that you can narrow your audit exercise to a specific task such as, to find out who is deleting a specific folder. To configure auditing to track which users access specific files and folders on clients running Windows 7 follow these steps:

  1. Start the local group policy editor by typing gpedit.msc in the Start search text box and go to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options node
  2. Set the Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings to Enabled – If the category level audit policy set here is not consistent with the events that are currently being generated, the cause might be that the registry key SCENoApplyLegacyAuditPolicy is set.
  3. Then, go to Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policies Configuration\System Audit Policies – Local Group Policy\Object Access node and set the Audit File System Policy as shown below:
  4. Then using Windows Explorer, go to the file or folder you want to audit and right click it and select Properties.
    From the Security tab of the Properties windows click the Advanced button and select the Auditing tab, and finally click Edit… button to open the Advanced Security Settings window.
  5. Click the Add… button and add the users or groups for which you want to audit access. If in doubt whom to audit, select the Everyone group.
  6. From the Auditing Entry window, select which of the special privileges you want to Audit as shown below:
  7. Now, Auditing events will be saved in the Security log of Windows 7 Event Viewer. To open Event Viewer, type Event Viewer in the Start menu search text box and press enter. Go to Windows Logs\Security node and you should be able to see File System Events.