| Computer | File Server Activity | **In the audited environment** - For a security principal (e.g., Everyone), the following options must be configured in the Advanced Security → Auditing settings for the audited shared folders:<br>- List Folder / Read Data (Files only): _"Success"_ and _"Fail"_<br>- List Folder / Read Data (This folder, subfolders and files): _"Fail"_<br>- Create Files / Write Data\*: _"Success"_ and _"Fail"_<br>- Create Folders / Append Data\*: _"Success"_ and _"Fail"_<br>- Write Extended Attributes\*: _"Success"_ and _"Fail"_<br>- Delete Subfolders and Files\*: _"Success"_ and _"Fail"_<br>- Delete\*: _"Success"_ and _"Fail"_<br>- Change Permissions\*: _"Success"_ and _"Fail"_<br>- Take Ownership\*: _"Success"_ and _"Fail"_<br>- Select _"Fail"_ only if you want to track failure events; it is not required for monitoring success events. If you only want state-in-time snapshots of your system configuration, limit your settings to the permissions marked with \* and set them to _"Success"_ (Apply onto: This folder, subfolders and files).<br><br>The following Advanced audit policy settings must be configured:<br>- The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.<br>- Depending on your OS version, configure the categories as follows:<br>&nbsp;&nbsp;- Windows Server 2008:<br>&nbsp;&nbsp;&nbsp;&nbsp;- Object Access:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Audit File Share: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Audit File System: _"Success"_ and _"Failure"_<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Audit Handle Manipulation: _"Success"_ and _"Failure"_<br>&nbsp;&nbsp;&nbsp;&nbsp;- Logon/Logoff:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Logon: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Logoff: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;- Policy Change:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Audit Audit Policy Change: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;- System:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Security State Change: _"Success"_<br>&nbsp;&nbsp;- Windows Server 2008 R2 / Windows 7 and above:<br>&nbsp;&nbsp;&nbsp;&nbsp;- Object Access:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Audit File Share: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Audit File System: _"Success"_ and _"Failure"_<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Audit Handle Manipulation: _"Success"_ and _"Failure"_<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Audit Detailed File Share: _"Failure"_<br>&nbsp;&nbsp;&nbsp;&nbsp;- Logon/Logoff:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Logon: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Logoff: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;- Policy Change:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Audit Audit Policy Change: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;- System:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;- Security State Change: _"Success"_<br>- If you only want state-in-time snapshots of your system configuration, limit your audit settings to the following policies:<br>&nbsp;&nbsp;- Object Access:<br>&nbsp;&nbsp;&nbsp;&nbsp;- Audit File System: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;- Audit Handle Manipulation: _"Success"_<br>&nbsp;&nbsp;&nbsp;&nbsp;- Audit File Share: _"Success"_<br>&nbsp;&nbsp;- Policy Change:<br>&nbsp;&nbsp;&nbsp;&nbsp;- Audit Audit Policy Change: _"Success"_<br>- The following legacy policies can be configured instead of the advanced ones:<br>&nbsp;&nbsp;- Audit object access policy must be set to _"Success"_ and _"Failure"_.<br>&nbsp;&nbsp;- Audit logon events policy must be set to _"Success"_.<br>&nbsp;&nbsp;- Audit system events policy must be set to _"Success"_.<br>&nbsp;&nbsp;- Audit policy change policy must be set to _"Success"_.<br>- The Security event log maximum size must be set to 4GB.<br>- The retention method of the Security event log must be set to _"Overwrite events as needed"_.<br>- The Remote Registry service must be started.<br>- The following inbound Firewall rules must be enabled:<br>&nbsp;&nbsp;- Remote Event Log Management (NP-In)\*<br>&nbsp;&nbsp;- Remote Event Log Management (RPC)\*<br>&nbsp;&nbsp;- Remote Event Log Management (RPC-EPMAP)\*<br>&nbsp;&nbsp;- Windows Management Instrumentation (ASync-In)<br>&nbsp;&nbsp;- Windows Management Instrumentation (DCOM-In)<br>&nbsp;&nbsp;- Windows Management Instrumentation (WMI-In)<br>&nbsp;&nbsp;- Network Discovery (NB-Name-In)<br>&nbsp;&nbsp;- File and Printer Sharing (NB-Name-In)<br>&nbsp;&nbsp;- File and Printer Sharing (Echo Request - ICMPv4-In)<br>&nbsp;&nbsp;- File and Printer Sharing (Echo Request - ICMPv6-In)<br>&nbsp;&nbsp;- The rules marked with \* are required only if you do not want to use network traffic compression for auditing.<br>- If you plan to audit Windows Server 2019 or Windows 10 Update 1803 without the network compression service, make sure the following inbound connection rules are enabled:<br>&nbsp;&nbsp;- Remote Scheduled Tasks Management (RPC)<br>&nbsp;&nbsp;- Remote Scheduled Tasks Management (RPC-EPMAP) |
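The settings above, applied to one shared folder from PowerShell, as an added example that is not code from the original page or the product it documents. It assumes an elevated Windows PowerShell session on Windows Server 2012 / Windows 8 or later (Enable-NetFirewallRule is not available on Windows Server 2008 R2), that `$SharePath` is a placeholder for the audited shared folder, and that `$Principal` is the security principal named in the auditing settings.

```powershell
$SharePath = 'D:\Shares\Finance'   # placeholder: the audited shared folder
$Principal = 'Everyone'            # security principal from the auditing settings above
# 1. Folder SACL (Advanced Security Settings -> Auditing). "Files only" = ObjectInherit + InheritOnly;
#    "This folder, subfolders and files" = ContainerInherit + ObjectInherit.
$FSR   = [System.Security.AccessControl.FileSystemRights]
$Whole = 'ContainerInherit,ObjectInherit'
$Starred = $FSR::WriteData -bor $FSR::AppendData -bor $FSR::WriteExtendedAttributes -bor
           $FSR::DeleteSubdirectoriesAndFiles -bor $FSR::Delete -bor $FSR::ChangePermissions -bor
           $FSR::TakeOwnership
$AuditRules = @(
    @($FSR::ReadData, 'ObjectInherit', 'InheritOnly', 'Success,Failure'), # List Folder / Read Data, files only
    @($FSR::ReadData, $Whole,          'None',        'Failure'),         # List Folder / Read Data, whole tree
    @($Starred,       $Whole,          'None',        'Success,Failure')  # permissions marked * above
)
$acl = Get-Acl -Path $SharePath -Audit
foreach ($r in $AuditRules) {
    $acl.AddAuditRule((New-Object System.Security.AccessControl.FileSystemAuditRule(
        $Principal, $r[0], $r[1], $r[2], $r[3])))
}
Set-Acl -Path $SharePath -AclObject $acl
# 2. Advanced audit policy (Windows Server 2008 R2 / Windows 7 and above). The registry value makes
#    subcategory settings override the legacy categories ("Force audit policy subcategory settings").
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
$Policy = @{
    'File Share'            = @('/success:enable')
    'File System'           = @('/success:enable', '/failure:enable')
    'Handle Manipulation'   = @('/success:enable', '/failure:enable')
    'Detailed File Share'   = @('/failure:enable')
    'Logon'                 = @('/success:enable'); 'Logoff' = @('/success:enable')
    'Audit Policy Change'   = @('/success:enable')
    'Security State Change' = @('/success:enable')
}
foreach ($sub in $Policy.Keys) { auditpol /set "/subcategory:$sub" $Policy[$sub] }
# 3. Security log: 4 GB maximum size, retention off ("Overwrite events as needed")
wevtutil sl Security /ms:4294967296 /rt:false
# 4. Remote Registry service and the inbound firewall rules listed above
Set-Service -Name RemoteRegistry -StartupType Automatic; Start-Service -Name RemoteRegistry
$FirewallRules = @(
    'Remote Event Log Management (NP-In)', 'Remote Event Log Management (RPC)',
    'Remote Event Log Management (RPC-EPMAP)',   # these three only when not using network traffic compression
    'Windows Management Instrumentation (ASync-In)', 'Windows Management Instrumentation (DCOM-In)',
    'Windows Management Instrumentation (WMI-In)', 'Network Discovery (NB-Name-In)',
    'File and Printer Sharing (NB-Name-In)', 'File and Printer Sharing (Echo Request - ICMPv4-In)',
    'File and Printer Sharing (Echo Request - ICMPv6-In)'
)
Enable-NetFirewallRule -DisplayName $FirewallRules
```

Run `auditpol /get /category:"Object Access"` and `Get-Acl -Path $SharePath -Audit | Format-List Audit` afterwards to confirm the effective policy and SACL match the table.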