Recently going through the HIPAA compliance standards and dealing with “accidentally” deleted items on a file share has led to a need for a standard file server audit logging policy that can be deployed to all servers via Group Policy Object (GPO). Here is the summation of my research:
File Server Audit Logging Policy GPO
1. Create a GPO and name it File Server Audit Policy
2. Set the following settings to enable advanced features and disable shutdown:
[Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\]
Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings – Enabled
Audit: Shut down system immediately if unable to log security audits – Disabled
3. Move down the tree structure to the following and edit these various auditing settings:
[Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\]
Account Logon: Credential Validation – Success and Failure
Account Management: Computer Account Management – Success
Account Management: Other Account Management Events – Success and Failure
Account Management: Security Group Management – Success and Failure
Account Management: User Account Management – Success and Failure
Detailed Tracking: Process Creation – Success
Logon-Logoff: Logoff – Success
Logon-Logoff: Logon – Success and Failure
Logon-Logoff: Special Logon – Success
Object Access: File System – Success
Policy Change: Audit Policy Change – Success and Failure
Policy Change: Authentication Policy Change – Success
Privilege Use: Sensitive Privilege Use – Success and Failure
System: IPsec Driver – Success and Failure
System: Security State Change – Success and Failure
System: Security System Extension – Success and Failure
System: System Integrity – Success and Failure
4. Change the following Maximum Log Size (KB) settings according to http://support.microsoft.com/kb/957662:
[Computer Configuration\Administrative Templates\Windows Components\Event Log Service\Security\]
5. Open the Properties of the shared folder needing Auditing, click on Security tab and then on the Advanced button
6. Click on the Auditing tab, if there is a UAC prompt then click Continue, and then click on the Add button
7. Click on Select Principal, search for the Everyone security group and then click on the OK button
8. Change the Type to All, click on Show advanced permissions, check the boxes next to “Delete subfolders and files” and “Delete” and then click on the OK button
9. Put a check next to “Replace all child object auditing with inheritable auditing from this object” and then click on the OK button
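To confirm that the GPO and the folder auditing actually took effect on a server, the following check compares the effective audit policy with the list in step 3 and looks for the Everyone delete-audit entry from steps 5-9. It is an added example, not part of the original write-up. It assumes an elevated session, English-language auditpol output, the default "This folder, subfolders and files" scope, and a placeholder share path (D:\Shares\Example).

```powershell
# Added example: verify the baseline from step 3 and the SACL from steps 5-9.
# Run elevated on the file server. The default $SharePath is a placeholder.
param([string]$SharePath = 'D:\Shares\Example')

# Expected subcategory settings, copied from step 3.
$expected = [ordered]@{
    'Credential Validation'           = 'Success and Failure'
    'Computer Account Management'     = 'Success'
    'Other Account Management Events' = 'Success and Failure'
    'Security Group Management'       = 'Success and Failure'
    'User Account Management'         = 'Success and Failure'
    'Process Creation'                = 'Success'
    'Logoff'                          = 'Success'
    'Logon'                           = 'Success and Failure'
    'Special Logon'                   = 'Success'
    'File System'                     = 'Success'
    'Audit Policy Change'             = 'Success and Failure'
    'Authentication Policy Change'    = 'Success'
    'Sensitive Privilege Use'         = 'Success and Failure'
    'IPsec Driver'                    = 'Success and Failure'
    'Security State Change'           = 'Success and Failure'
    'Security System Extension'       = 'Success and Failure'
    'System Integrity'                = 'Success and Failure'
}

# auditpol /r emits CSV; drop blank lines before parsing (assumes English output).
$effective = @{}
auditpol /get /category:* /r | Where-Object { $_ } | ConvertFrom-Csv |
    ForEach-Object { $effective[$_.Subcategory] = $_.'Inclusion Setting' }

foreach ($name in $expected.Keys) {
    if ($effective[$name] -ne $expected[$name]) {
        Write-Warning "$name is '$($effective[$name])', expected '$($expected[$name])'"
    }
}

# Steps 5-9: Everyone, Type All, "Delete" + "Delete subfolders and files", inheritable.
$want  = [System.Security.AccessControl.FileSystemRights]'Delete, DeleteSubdirectoriesAndFiles'
$rules = (Get-Acl -Path $SharePath -Audit).GetAuditRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])
$match = $rules | Where-Object {
    $_.IdentityReference.Value -eq 'S-1-1-0' -and          # well-known SID for Everyone
    ($_.FileSystemRights -band $want) -eq $want -and
    $_.AuditFlags -eq 'Success, Failure' -and              # Type: All
    $_.InheritanceFlags -eq 'ContainerInherit, ObjectInherit'  # assumed default scope
}
if (-not $match) { Write-Warning "No Everyone delete-audit rule on $SharePath" }
```

No warnings means the server matches both the step 3 list and the folder auditing entry; a missing File System subcategory or a missing folder entry each means deletes will not be recorded.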
If your company is using a Windows Server for network file access and needs help getting the File Server Audit Logging set up properly for HIPAA compliance, then contact us for assistance.