Why File Server Auditing is Important and Why Just Native Auditing is Not Enough
November 25, 2013

File server auditing helps keep the file server environment secure so that the critical data stored on it stays safe and out of reach of rogue users. Native auditing on a Windows file server provides basic logging of events, but that alone is not enough given today's security and compliance requirements. Administrators need a comprehensive auditing solution that presents meaningful insights in an easily understandable format.
File servers act as a storehouse of critical business data, where every user with the proper access rights contributes data and retrieves it as needed. This creates a collaborative environment that is almost a necessity for organizations today, whatever industry they operate in. But that is only one side of the coin. Because a file server is a shared workspace, it is exposed to security breaches and unauthorized access by rogue elements inside and outside the organization. Given that many users connect to and disconnect from file servers at any moment depending on their needs, file server security is of paramount importance for administrators.
File server auditing is an important step towards securing file servers. Tracking all successful and failed access attempts shows, from the user's perspective, who accessed the system. In addition, every change made to shared files and folders is recorded, which brings in accountability: it can easily be determined which user made a change, helping with root cause analysis of a problem. Now that the importance of auditing has been underlined, the next step is to look at the approaches available for auditing a file server environment.
Firstly, one can decide to go native alone. In this approach auditing is enabled on the systems and Event Viewer is then used to go through the collected logs. Enabling auditing on Windows file servers involves two steps: enabling the ‘Audit Object Access’ policy, and enabling auditing on individual files and folders. The ‘Audit Object Access’ policy can be enabled through Local Security Policy, or through Group Policy if the file server is a member of a domain. The policy can be set to audit success, failure or both. Auditing on an individual file or folder is enabled by right-clicking it and selecting Properties, then Advanced, then Auditing; here you add the users whose actions need to be audited. The advantage of this approach is that no additional investment is required and admins can make use of the resources that come with the file server.
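The same two steps, done from the command line, as an added example that is not part of the original post. It assumes it is run elevated on the file server and that the share path and group name are placeholders for your own environment; the audit rule covers writes, deletes and permission changes rather than every read, to keep the log volume manageable.

```powershell
# Added example: enable file-system auditing and put an audit entry (SACL)
# on one shared folder. $SharePath and $Principal are placeholders.
$SharePath = 'D:\Shares\Finance'       # placeholder: the share to audit
$Principal = 'DOMAIN\Finance-Users'    # placeholder: whose access is audited

# Step 1: the 'Audit Object Access' policy. On a domain member this normally
# comes from Group Policy; locally, auditpol switches on the File System
# subcategory for both success and failure.
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# Step 2: the per-folder audit rule (GUI: Properties > Advanced > Auditing).
# Audit changes, not plain reads, so the Security log is not flooded.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$flags     = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
            $Principal, $rights, $inherit, $propagate, $flags)

# Get-Acl needs -Audit to read the SACL; writing it back needs the
# SeSecurityPrivilege that members of Administrators hold.
$acl = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# Verify: list the audit entries now present on the folder.
(Get-Acl -Path $SharePath -Audit).Audit |
    Select-Object IdentityReference, FileSystemRights, AuditFlags, IsInherited
```

Once both steps are in place, successful and failed accesses to the folder appear in the Security log as event ID 4663.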
However, this approach has serious drawbacks that make it largely unviable as a serious auditing option. Event logs are difficult to handle and understand, and it is very hard to extract meaningful information from such a large pile of data. Native event logs are system-oriented rather than user-oriented: they reflect how the system views a particular incident, so they contain a large amount of unimportant data. When investigating an event it takes a great deal of time and effort to work out what exactly went wrong and who did it. Besides, admins need to visit each file server separately to analyze its logs, as there is no way to audit all file servers from a central location. The way event logs are stored is also a concern. You can either delete old logs or archive them; in the former case there is a chance of losing important information, while in the latter a particular archive has to be located and searched. These limitations raise serious questions about the usefulness of native auditing as a practical auditing solution.
Secondly, there are specialized tools designed for auditing file servers that have their own exclusive way of capturing events and user actions. These tools do not rely on native auditing and use their own means to track events. This approach overcomes all the obstacles of native auditing but requires a large investment that is prohibitive for many organizations.
Thirdly, there are third-party tools that take a mixed approach. These tools rely on native auditing at their core but offer much more than native resources ever could. Canned reports answer the four ‘W’ questions of auditing, i.e. who changed what, when and where. Information is presented in an easily understandable format with options to sort, filter and group records. There are automatic alerts on critical events and scheduled reports that periodically deliver information on the file server changes of interest. LepideAuditor for File Server is one such product for file server auditing. These applications can be installed on any system in the network and audit all file servers from a central location. Such solutions are the preferred choice for those who cannot rely on native auditing alone and at the same time are not willing to go for highly resource-intensive applications.
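What the who/what/when/where report looks like when built only from native logs, as an added example that is not LepideAuditor's or any other product's code. It assumes the audit policy and folder SACLs from the first approach are already in place, that the account running it can read the Security log on each server remotely, and that the server names are placeholders.

```powershell
# Added example: a minimal who / what / when / where report from native
# 4663 (object access) events, pulled from several file servers centrally.
$Servers = @('FS01', 'FS02')               # placeholder file server names
$Since   = (Get-Date).AddHours(-24)

# Access-mask bits of interest in 4663 (see the event's XML view); reads
# are deliberately left out, matching the SACL that audits changes only.
$Interesting = @{ '0x2' = 'WriteData'; '0x4' = 'AppendData'
                  '0x10000' = 'Delete'; '0x40000' = 'ChangePermissions'
                  '0x80000' = 'TakeOwnership' }

$report = foreach ($srv in $Servers) {
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = $Since }
    Get-WinEvent -ComputerName $srv -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull named fields out of the event's XML rather than parsing
            # the free-text message, which varies between OS versions.
            $d = ([xml]$_.ToXml()).Event.EventData.Data
            $f = @{}
            foreach ($item in $d) { $f[$item.Name] = $item.'#text' }
            [pscustomobject]@{
                Where  = $srv
                When   = $_.TimeCreated
                Who    = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
                What   = $f['ObjectName']
                Access = $Interesting[$f['AccessMask']]
                Via    = $f['ProcessName']
            }
        }
}

# Drop the system-oriented noise (machine accounts, built-in service
# identities) and keep only change accesses, then show the newest first.
$report |
    Where-Object { $_.Access -and $_.Who -notmatch '\$$|^NT AUTHORITY' } |
    Sort-Object When -Descending |
    Format-Table Where, When, Who, What, Access, Via -AutoSize
```

The amount of filtering needed before the output answers the four questions is exactly the gap the third-party tools described above are filling.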
Author’s Bio: Steve is a technology reviewer with a deep interest in exploring new technical topics related to network and server management.