How to Detect Who Read a File on Windows File Servers


Native Auditing vs. Netwrix Auditor for Windows File Servers

Native Auditing
Steps
  1. Navigate to the required file share → Right-click it and select "Properties".
  2. Switch to the "Security" tab → Click the "Advanced" button → Go to the "Auditing" tab → Click the "Add" button.
  3. Configure the following settings: Principal: "Everyone"; Type: "All"; Applies to: "This folder, subfolders and files"; Advanced Permissions: "List folder / read data" → Click "OK" three times.
  4. Run gpmc.msc on your domain controller → Create a new GPO → Go to “Computer Policy” → Computer Configuration → Windows Settings → Security Settings:
    • Local Policies → Audit Policy → Audit object access → Define → Success and Failures
    • Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit File System → Define → Success and Failures
    • Advanced Audit Policy Configuration → System Audit Policies → Object Access → Audit Handle Manipulation → Define → Success and Failures
  5. Go to Event Log → Define:
    • Maximum security log size to 4 GB
    • Retention method for security log to “Overwrite events as needed”.
  6. To link the new GPO to an OU with file servers, go to "Group Policy Management" → Right-click the defined OU → Click "Link an Existing GPO" → Select the GPO that you’ve created.
  7. To force the group policy update, go to "Group Policy Management" → Right-click the defined OU → Click "Group Policy Update".
  8. Open Event Viewer → Search the Security Windows Logs for the event ID 4663 with the "Accesses: ReadData (or ListDirectory)" string.
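
Step 8 can also be run from an elevated PowerShell prompt on the file server instead of Event Viewer. The following is an added example, not part of the original Netwrix procedure; the share path `D:\Shares\` and the one-day look-back window are assumptions to adjust.

```powershell
# Added example: report who read files, based on Security event ID 4663.
# Events exist only for objects covered by the audit entry from steps 1-3.
$since      = (Get-Date).AddDays(-1)   # assumed look-back window
$pathPrefix = 'D:\Shares\'             # hypothetical share path

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4663
    StartTime = $since
} -ErrorAction SilentlyContinue

$reads = foreach ($ev in $events) {
    # Turn the named <Data> elements of the event into a lookup table
    $xml = [xml]$ev.ToXml()
    $d = @{}
    foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }

    # AccessMask bit 0x1 is "ReadData (or ListDirectory)"
    $mask   = [Convert]::ToInt32($d['AccessMask'], 16)
    $object = "$($d['ObjectName'])"
    $inShare = $object.StartsWith($pathPrefix, [StringComparison]::OrdinalIgnoreCase)

    if (($mask -band 0x1) -and $inShare) {
        [pscustomobject]@{
            Time    = $ev.TimeCreated
            User    = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
            Object  = $object
            Process = $d['ProcessName']
        }
    }
}

# Chronological list, then a per-user count to spot unusually heavy readers
$reads | Sort-Object Time | Format-Table -AutoSize
$reads | Group-Object User | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```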

Detect Who Read a File with Native Auditing

Netwrix Auditor for Windows File Servers
  1. Run Netwrix Auditor → Navigate to “Search” → Click on “Advanced mode” if not selected → Set up the following filters:
    • Filter = “Data source”
      Operator = “Equals”
      Value = “File Servers”
    • Filter = “Action”
      Operator = “Equals”
      Value = “Read”
    • Filter = “When”
      Operator = “Equals”
      Value = “Today”
  2. Click the “Search” button and review who read files on your file server.

Detect Who Read a File with Netwrix Auditor

Regularly Review Who Read Files to Secure Your Data

Sometimes users are granted access rights that enable them to read files containing sensitive data they shouldn’t have access to. For example, an office manager might mistakenly have permissions to read documents of the Accounting department, which could lead to a security breach. In addition, a user might attempt to read a file containing sensitive data but be denied for lack of proper permissions. Continuous monitoring of users who read or attempt to read files can help you keep access to sensitive information under control, thereby minimizing the risk of data exfiltration.

Netwrix Auditor for Windows File Servers delivers complete visibility into what’s happening on your Windows file servers, including both successful and failed read attempts. The subscription option enables IT pros to get reports via email or on their file shares so they can keep an eye on suspicious reads or access attempts and get detailed information about all changes. With the Interactive Search feature, they can easily investigate any particular activity. These capabilities help IT administrators stay in control of sensitive data and thwart information security attacks.