How to Detect Who Read a File on Windows File Servers

Native Auditing vs.Netwrix Auditor for Windows File Servers

We never share your data. Privacy Policy
Native Auditing Netwrix Auditor for Windows File Servers
  1. Navigate to the required file share, right-click it and select "Properties".
  2. Select "Security" tab → "Advanced" button → "Auditing" tab → Click "Add" button.
  3. Configure the following settings: Principal: "Everyone"; Type: "All"; Applies to: "This folder, subfolders and files"; Advanced Permissions: "List folder / read data" → Click "OK" three times.
  4. Run gpmc.msc on your domain controller → Create a new GPO → Edit it: Go to Computer Policy → Computer Configuration → Windows Settings → Security Settings:
    • Local Policies → Audit Policy → Audit object access → Define → Success and Failures
    • Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit File System → Define → Success and Failures
    • Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit Handle Manipulation → Define → Success and Failures.
  5. Go to Event Log → Define:
    • Maximum security log size to 4gb
    • Retention method for security log to Overwrite events as needed.
  6. Link the new GPO to OU with File Servers: Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Choose the GPO that you’ve created.
  7. Force the group policy update: Go to "Group Policy Management" → Right-click the defined OU → Сlick "Group Policy Update".
  8. Open Event Viewer and search security log for event ID 4663 with "Accesses: ReadData (or ListDirectory)" string.
  1. Run Netwrix Auditor → Click "Search" → Advanced → Define the following filters:
    • Audited System = File Server
    • Action = Read
    • When = Today
  2. Click "Modify", type into search field the name of the file you want to check for read attempts and then click "Search".
  3. After that, you will see who read the specified file during the day.

Regularly Review Who Read Files to Secure Your Data

Sometimes users are granted access rights that enable them to read files containing sensitive data they shouldn’t have access to. For example, an office manager might mistakenly have permissions to read documents of the Accounting department, which could lead to a security breach. In addition, a user might attempt to read a file containing sensitive data but be denied for lack of proper permissions. Continuous monitoring of users who read or attempt to read files can help you keep access to sensitive information under control, thereby minimizing the risk of data exfiltration.

Netwrix Auditor for Windows File Servers delivers complete visibility into what’s happening on your Windows file servers, including both successful and failed read attempts. The subscription option enables IT pros to get reports via email or on their file shares so they can keep an eye on suspicious reads or access attempts and get detailed information about all changes. With the Interactive Search feature, they can easily investigate any particular activity. These capabilities help IT administrators stay in control of sensitive data and thwart information security attacks.