How to Detect Who Tried to Modify a File or a Folder on Your Windows File Server


Native Auditing vs. Netwrix Auditor for Windows File Servers

Native Auditing Netwrix Auditor for Windows File Servers
Steps
  1. Navigate to a required file share, right-click it and select "Properties".
  2. Go to the "Security" tab → "Advanced" button → "Auditing" tab → Click the "Add" button and define auditing settings:
    • Principal equals "Everyone"
    • Type equals "All"
    • Applies to: "This folder, subfolders and files".
  3. Select the following "Advanced Permissions":
    • "Traverse folder / execute file"
    • "List folder / read data"
    • "Create files /write data"
    • "Create folders / append data"
    • "Write attributes".
  4. Run gpedit.msc and go to the "Edit" menu.
  5. Create a new policy → Edit → Computer Configuration → Policies → Windows Settings → Security Settings → Local Policies → Audit Policy:
    • Audit object access → Define → Success and Failures.
  6. Go to "Advanced Audit Policy Configuration" → Audit Policies → Object Access:
    • Audit File System → Define → Success and Failures
    • Audit Handle Manipulation → Define → Success and Failures.
  7. Go to Event Log → Define:
    • Maximum security log size to 4gb
    • Retention method for security log to "Overwrite events as needed".
  8. Link the new GPO to the OU with File Servers → Go to "Group Policy Management" → Right-click the defined OU → Choose "Link an Existing GPO" → Select the GPO that you’ve created.
  9. Run gpupdate/force
  10. Open Event Viewer and search Security Log for event ID 4656 with "Audit Failed" keyword, "File Server" or "Removable Storage" task category and with "Accesses: READ_CONTROL" and Access Reasons: "WriteData (or AddFile) Not granted" strings. "Subject: Security ID" will show you who has tried to change a file.

  1. Run Netwrix Auditor and select the "Search" tile.
  2. Go to the "Advanced" menu and adjust the filter:
    • "Action" equals "Modify (Failed Attempt)".
  3. Click "Modify" and then click "Search" to view the report.

Keep an Eye on Who Tried to Modify Sensitive Files to Harden Your Data Security

Unauthorized modification of files can lead to business disruption or even the leakage or loss of sensitive data, such as personally identifiable information or medical records. Therefore, it’s essential to detect and investigate unauthorized attempts to modify files in a timely manner. By regularly reviewing failed file change attempts, IT pros can detect possible attacks and enhance data security by recognizing and revoking excessive permissions to modify sensitive data on their organization’s file servers.

Netwrix Auditor for Windows File Servers delivers complete visibility into what’s happening on your Windows file servers, including who tried to modify sensitive files or folders. Using the Interactive Search feature and predefined reports, IT pros can get detailed information about who tried to modify a file, when and where each modification attempt happened, and whether the attempt was successful. This information is critical for security investigations and compliance audits that require IT admins to prove that sensitive data is secure.

Join the discussion