NTFS Change Auditor – FAQs on Auditing Changes to User Permissions on Your Windows File Servers

  1. What permissions or privileges are required to view NTFS shared folder change information of Windows servers/workstations using NTFS Change Auditor?

    By default, NTFS Change Auditor uses the currently logged on user context to connect to a domain/server. If the currently logged on user does not have sufficient permissions, it uses the alternate domain credential (one with domain administrator privileges) for managing all computers in each domain specified in the Domain Credentials Configuration Settings. In this case, NTFS Change Auditor establishes a session with the destination domain/server using the specified user credential. NTFS Change Auditor requires the currently logged on user or the provided user credential to be a member of the local Administrators group on the configured hosts in order to read event logs and report NTFS changes.

  2. What are the prerequisites needed to run NTFS Change Auditor?

    To use the NTFS Change Auditor application effectively, ensure the following:

    • NTFS Listener Service is installed and running on the same computer on which the NTFS Change Auditor application is installed.
    • Audit policy is configured at the domain level or on the local computer where the shares reside.
    • SACL auditing is configured for the folder or file in which you want to track changes. To learn how to configure SACL auditing for a folder or file, refer to question 3.

  3. How can I configure SACL auditing for Folder or a File?

    To set up SACL auditing for a folder or file, perform the following steps.

    • Open Windows Explorer.
    • Right-click the file or folder that you want to audit, and then click Properties.
    • Click the Security tab, click Advanced, and then click the Auditing tab.
    • Click Add, and under Enter the object name to select, type Authenticated Users (or any other security principal), and then click OK.
    • In Apply onto, click This folder, subfolders and files.
    • Under Access, select the Successful check box for Write attributes and Write extended attributes. If you want to audit creation and deletion of objects, also select the Successful check box for Delete, Delete subfolders and files, Create files / write data and Create folders / append data. If you want to audit permission changes on objects, also select the Successful check box for Change Permissions. If you want to audit ownership changes on objects, also select the Successful check box for Take ownership.

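    The same SACL as the Explorer steps above, applied with PowerShell, as an added example that is not part of the NTFS Change Auditor documentation. It assumes a placeholder folder path and an elevated prompt, and it ends by checking the audit policy that question 2 requires.

```powershell
# Added example, not from the NTFS Change Auditor documentation: applies the SACL from
# question 3 with PowerShell instead of Explorer, then checks the audit policy from
# question 2. Assumptions: $Path is a placeholder; run from an elevated prompt, since
# reading or writing a SACL needs the SeSecurityPrivilege that local Administrators hold.
$Path      = 'D:\Shares\Finance'   # placeholder folder to audit
$Principal = 'Authenticated Users' # security principal named in question 3

# Rights from question 3: attribute writes always; creation/deletion, permission and
# ownership changes are the optional boxes (all enabled here).
# CreateFiles = "Create files / write data", CreateDirectories = "Create folders / append data".
$Rights = [System.Security.AccessControl.FileSystemRights]'WriteAttributes, WriteExtendedAttributes, Delete, DeleteSubdirectoriesAndFiles, CreateFiles, CreateDirectories, ChangePermissions, TakeOwnership'

# "This folder, subfolders and files" = inherit to containers and objects, no propagation flags.
$Inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Propagate = [System.Security.AccessControl.PropagationFlags]::None
$AuditOn   = [System.Security.AccessControl.AuditFlags]::Success  # "Successful" boxes only

$Rule = New-Object -TypeName System.Security.AccessControl.FileSystemAuditRule `
                   -ArgumentList $Principal, $Rights, $Inherit, $Propagate, $AuditOn

# -Audit is required so that Get-Acl returns the SACL, not only the DACL.
$Acl = Get-Acl -Path $Path -Audit
$Acl.AddAuditRule($Rule)
Set-Acl -Path $Path -AclObject $Acl

# Verify the audit entry now present on the folder.
(Get-Acl -Path $Path -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, InheritanceFlags |
    Format-Table -AutoSize

# Without the audit policy (question 2, second bullet) the SACL produces no events:
# "Success" must be listed for the File System subcategory.
auditpol /get /subcategory:"File System"
```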
  4. How can I track changes to permissions on a Folder or a File?

    After enabling SACL auditing as described in question 3, you can track permission changes by configuring event ID 4670 and the folder or file for which you want to track changes in Data Collector Settings.

  5. How can I track ownership changes to Folder or a File?

    After enabling SACL auditing as described in question 3, you can track ownership changes by configuring event ID 4670 and the folder or file for which you want to track changes in Data Collector Settings.

  6. How can I monitor read/write/delete accesses to a folder, file or a share?

    After enabling SACL auditing as described in question 3, you can monitor read/write/delete actions by configuring event IDs 4663 and 5140 and the folder, file or share for which you want to track changes in Data Collector Settings.

  7. Can I track changes to Shares alone?

    Yes, you can track changes made to NTFS shares alone by configuring event IDs 5140, 5142, 5143 and 5144 in Data Collector Settings.
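    The event IDs named in questions 4 to 7 can be read directly from a server's Security log to confirm they are being generated before they are configured in Data Collector Settings. The script below is an added example and not part of the NTFS Change Auditor product; the server name and folder path are placeholders.

```powershell
# Added example, not part of NTFS Change Auditor: pulls the Security-log events that
# questions 4-7 map to each change type straight from a server.
# Assumptions: $Server and $PathPrefix are placeholders; the caller is a local
# Administrator on $Server and remote event log reads pass its firewall (question 16).
$Server     = 'FILESRV01'          # placeholder host name
$PathPrefix = 'D:\Shares\Finance'  # placeholder folder configured for tracking

# 4670 = permissions/ownership changed, 4663 = object accessed, 5140 = share accessed,
# 5142/5143/5144 = share added/modified/deleted.
$Filter = @{ LogName = 'Security'; Id = 4670, 4663, 5140, 5142, 5143, 5144
             StartTime = (Get-Date).AddHours(-24) }

Get-WinEvent -ComputerName $Server -FilterHashtable $Filter -ErrorAction Stop |
    ForEach-Object {
        # Event data is easiest to read from the XML; name/value pairs sit under EventData.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # 4670/4663 carry ObjectName; share events carry ShareLocalPath (\??\D:\...) instead.
        $object = if ($data.ObjectName) { $data.ObjectName } else { $data.ShareLocalPath }

        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            User   = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
            Object = $object
            # 4670 only: old and new security descriptors in SDDL, which show exactly
            # which ACE or owner changed (questions 4 and 5).
            OldSd  = $data.OldSd
            NewSd  = $data.NewSd
        }
    } |
    # Keep objects under the tracked folder; share add/modify/delete events are kept as-is.
    Where-Object { $_.Object -like "*$PathPrefix*" -or $_.Id -in 5142, 5143, 5144 } |
    Sort-Object Time |
    Format-Table Time, Id, User, Object -AutoSize
```

    Pipe the 4670 rows to Select-Object OldSd, NewSd to compare the two descriptors when you need to see the exact permission or owner that changed.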

  8. Can I keep a complete audit trail of all changes to selected folders and files?

    Yes, you can keep a complete history of change data for the selected folders and files in the application database for several years.

  9. How long can I keep the Change History?

    You can keep the data for as long as it is required. NTFS Change Auditor stores several years of change data in the database for security, compliance and regulatory purposes. You may also clean up some of the history using the Cleanup tool.

  10. Can I get real-time alerts on changes to files and folders?

    Yes, you can get real-time alerts by e-mail for any changes made to files and folders.

  11. What happens if there is an event flooding?

    Event flooding may cause some events to be missed and never stored in the application database, which results in some loss of change data for folders or files when reports are generated. Event flooding can happen when there are sudden, significant changes across the folders and files that are configured for change tracking with SACL auditing enabled.

  12. Does the application collect the entire Security event log data every time?

    No, the application collects only the relevant event log records that pertain to the changes detected in the configured hosts.

  13. Why does the ‘NTFS Listener Service’ get restarted by the application automatically?

    ‘NTFS Listener Service’ gets restarted by the application automatically in the following scenarios:

    • When any setting is modified in the ‘Event Configuration’ using the ‘Data Collector Settings’ dialog.
    • When any setting is modified in ‘Domain Credentials’ or ‘Database Settings’ in the ‘Configuration Settings’ dialog.

  14. Can I configure the event ID only for Security event log data collection? I don’t want to send an E-mail alert.

    Yes, you can configure event IDs for Security event log data collection only. The application allows this by making Send E-mail optional in the ‘Event Configuration – Add Event Information’ dialog.

  15. I need to clean up some part of the Events History database. How do I do it?

    You may use the Cleanup Change History tool in the application to clean up your database.

  16. Why am I getting empty data in the reports even after enabling auditing and also having ‘Administrators’ group membership?

    This may be due to a Windows Firewall setting that disallows reading event log data from servers and workstations. Ensure that remote event log reads are allowed by Windows Firewall on the target servers and workstations by performing the following steps:

    • a) To configure Windows Firewall settings for a domain, click Start, point to Administrative Tools, and then click Group Policy Management on the domain controller.
      b) In the console tree, double-click the name of the forest, double-click Domains, double-click the name of your domain, right-click Default Domain Policy, and then click Edit.
      (or)
      a) To configure Windows Firewall settings on a local computer, open the Local Group Policy Editor console: click Start, click Run, type gpedit.msc, and then click OK.
      b) In the console tree, double-click Local Computer Policy to expand it.
    • Open Computer Configuration, open Administrative Templates, open Network, open Network Connections, open Windows Firewall, and then open either Domain Profile or Standard Profile, depending on which profile you want to configure.
    • In the details pane, double-click Windows Firewall: Allow inbound remote administration exception. (Windows 8.1, Windows 8, Windows 7, Windows 2008, Windows 2012, Windows 2012 R2.)
    • In the dialog box, on the Settings tab, click Enabled.

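    On Windows 8 / Windows Server 2012 and later, the same result can be reached without Group Policy by enabling the built-in firewall rule group for remote event log access and then testing the read from the collector. This is an added example, not an NTFS Change Auditor procedure; the target host name is a placeholder.

```powershell
# Added example, not from the NTFS Change Auditor documentation: an alternative to the
# Group Policy steps above for Windows 8 / Server 2012 and later, where the NetSecurity
# module exists. Assumptions: $Target is a placeholder; the first part runs elevated on
# the target, the verification runs from the computer hosting NTFS Change Auditor.

# On the target file server / workstation: allow the RPC and named-pipe traffic that
# remote Security-log reads use.
Enable-NetFirewallRule -DisplayGroup 'Remote Event Log Management'
Get-NetFirewallRule -DisplayGroup 'Remote Event Log Management' |
    Select-Object DisplayName, Enabled, Profile, Direction

# From the collector: one returned Security event means both the firewall and the
# local Administrators membership from question 1 are in order. "Access is denied"
# points at group membership; an RPC/endpoint error points at the firewall.
$Target = 'FILESRV01'   # placeholder
try {
    Get-WinEvent -ComputerName $Target -LogName Security -MaxEvents 1 -ErrorAction Stop |
        Select-Object MachineName, TimeCreated, Id
} catch {
    Write-Warning "Remote Security log read from $Target failed: $($_.Exception.Message)"
}
```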
  17. How can I monitor those who have accessed my company’s critical folders and files?

    Enable SACL auditing as described in question 3. You can then monitor who has accessed the critical folders and files by doing the following:

    • Add the critical folders and files.
    • Configure the event ID 4663.

    Warning: Enable SACL auditing for Read attributes only on the critical folders and files. Auditing this event on a large number of folders, for example on your root folder or other folders you do not need to track, may cause event flooding.
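    To see whether a read-access SACL is already too broad, the 4663 volume on a server can be tallied per top-level folder; a root-level SACL shows up at once. This is an added example rather than part of the product, and it ties the warning above to the event flooding described in question 11. The server name is a placeholder.

```powershell
# Added example, not from NTFS Change Auditor: measures where 4663 volume comes from
# so that Read-attribute auditing can be confined to the critical folders.
# Assumption: $Server is a placeholder; run as a local Administrator on $Server.
$Server = 'FILESRV01'   # placeholder
$Window = (Get-Date).AddHours(-1)

$events = Get-WinEvent -ComputerName $Server -FilterHashtable @{
    LogName = 'Security'; Id = 4663; StartTime = $Window } -ErrorAction SilentlyContinue

# Group by drive + top-level folder of ObjectName to see which audited tree is noisy.
$events |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        ($xml.Event.EventData.Data | Where-Object Name -eq 'ObjectName').'#text'
    } |
    Where-Object { $_ } |
    ForEach-Object { ($_ -split '\\')[0..1] -join '\' } |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name |
    Format-Table -AutoSize

# Rate check: question 11 ties flooding to bursts, so events per minute over the
# window is a quick indicator of whether the collector is likely to drop records.
"{0} 4663 events in the last 60 minutes ({1:N1}/min) on {2}" -f $events.Count, ($events.Count / 60), $Server
```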
